Why security awareness training needs to change
By Cian Fitzpatrick | 15th September 2025
Every year, organisations spend an absolute fortune on cybersecurity awareness training. Figures show that in 2023, $5.6 billion was spent globally to upskill people in cybersecurity. And this spend is only growing. By 2027, projections forecast that $10 billion will be spent in this space.
Taking into account the volume of financial resources being spent here, it’s natural to assume that cyber incidents are on the wane.
Yet reality tells a different story. Attacks are increasing in both volume and impact, and employees continue to fall victim to phishing and other forms of social engineering.
The uncomfortable truth we have to face is that traditional awareness training is broken.
Most organisations include phishing prevention in their security programmes. Pew Research estimates this number to be as high as 95%, according to one study. However, regardless of this massive investment in training, phishing remains one of the most successful attack methods. The big reason for phishing’s success is that it targets human psychology.
We think phishing is a technology problem, but we’re wrong to do so. A convincing phishing email doesn’t break into your system by exploiting a software flaw. Instead, it works by exploiting human instincts. Attackers prey on our tendency to trust, to react quickly and to choose the easiest option.
Furthermore, most awareness training is designed to transfer information, not change behaviour. Employees may well know the “rules,” and even intend to stick to them. However, when you put them under pressure, they revert to habits of speed and convenience. Security awareness does not automatically translate into secure behaviour.
Current approaches to awareness training share common flaws:
Meanwhile, attackers understand human behaviour better than many security teams do. They know that moments of change, such as mergers, system updates and role transitions are when people are most vulnerable. These are the exact moments traditional training fails to prepare them for.
To understand nudge theory, use your imagination for a moment. Picture your colleague hovering over a link that doesn’t look quite right. Their finger is just about to click when you lean in and say, “Hold on, don’t do that.” You’ve just saved them from a mistake and your organisation from possibly catastrophic consequences. Now imagine that same moment repeating itself, over and over. Every time someone plugs in a dodgy USB, tries to upload sensitive data, or begins typing a password into a suspicious site, the warning comes just in time.
That’s the power of nudge theory in cybersecurity: timely, contextual interventions that gently steer people towards safer choices without forcing them.
Coined by Richard Thaler and Cass Sunstein, nudge theory shows how choice architecture (a term coined to describe how people make decisions) can dramatically influence behaviour. For example, in everyday life this could mean placing fruit at eye level in a cafeteria to encourage healthier eating. In cybersecurity, it means embedding nudges at the point of risk.
Research shows that only 5% of our decisions are deliberate. For the rest of our decisions, we rely on shortcuts, heuristics and biases. Cyber attackers exploit this automatic thinking. But cybersecurity awareness training can design nudges that align with how people actually behave.
Effective nudges are:
Traditional training is often infrequent, passive and disengaging. Nudge-based training, on the other hand, creates a low-friction, ongoing layer of support. It requires little management overhead and has been proven to continuously reduce risky behaviour, something static, once-a-year training simply cannot achieve.
Businesses need to look reality square in the eye and stop treating awareness as a box to tick. Yes, ticking that box keeps your compliance requirements up to date. However, it does not change how your team members behave, and so it does little to keep your organisation safe. Therefore, you have to start treating awareness training as a human challenge. That means moving from static, compliance-driven training to continuous, behaviour-focused support.
Practical steps include:
Cybersecurity training isn’t failing because people don’t care. It’s failing because it doesn’t align with how people actually think and behave. Attackers, by contrast, are masters at exploiting human psychology.
By combining behavioural science with security, organisations can build a culture where awareness evolves into action.
Ready to take your security training beyond box-ticking? At Topsec Cloud Solutions, we help organisations transform awareness into real behaviour change with smarter, human-centred security. Get in touch with our team today to see how timely, contextual nudges can strengthen your people and protect your business.