Your Security Awareness Program Has Plateaued - What Happens Next?

What happens when your security awareness program stops improving? Why awareness programs plateau and how teams can restart momentum.

Show Notes

Many security awareness programs eventually hit a plateau.

Training completion rates look healthy. Phishing numbers aren’t terrible. But progress stalls. Engagement drops. And leadership starts asking a difficult question: are we actually changing behavior?

In this episode, Eliot is joined by Anthony Davis, a security awareness leader with more than a decade of experience building and running programs across major UK retailers. Together they unpack why awareness programs plateau and what practitioners can do to restart momentum.

They explore the warning signs that a program has gone stale, why compliance-driven training often fails to change behavior, and how awareness teams can move beyond annual training toward continuous engagement and real behavioral metrics.

If your awareness program feels stuck - or your metrics haven’t moved in months - this episode offers a practical playbook for getting things moving again.

What you’ll learn in this episode:

  • How to recognize when your security awareness program has plateaued
  • Why high training completion rates don’t necessarily mean behavior change
  • The biggest design flaws that cause awareness programs to stall
  • Why phishing reporting is a stronger metric than completion rates
  • How to connect awareness programs with SOC insights and real threat data
  • Why annual training alone rarely drives lasting behavior change
  • How storytelling and relevant examples improve engagement
  • Practical steps to restart momentum in a stagnant awareness program

Timestamps:

(01:03) Introducing Anthony Davis and his background in awareness programs

(02:25) Early signals your program has stopped improving

(04:00) How long to wait before intervening when metrics stall

(05:05) Is a plateau caused by culture, content, or systems?

(09:20) Why engagement and communication frequency matter

(15:10) Behavior change vs policy and compliance training

(30:00) Why mandatory annual training often fails to change behavior

(39:05) Is annual security awareness training fundamentally flawed?

(52:00) What high completion rates but low behavior change really mean

(54:20) Why phishing reporting is one of the best behavior metrics

(57:00) Turning real threats into targeted awareness messaging

(59:00) Connecting awareness programs with SOC insights

(01:01:30) One action every awareness team should take to break a plateau

Full Conversation Breakdown

In this episode of All Things Human Risk Management, host Eliot Baker is joined by Anthony Davis to explore a challenge many awareness teams eventually face: what happens when your security awareness program stops improving.

Completion rates look good. Phishing simulations stabilize. Leadership is satisfied with the numbers. But behavior isn’t actually changing.

This conversation breaks down why awareness programs plateau, how to recognize the signals early, and what awareness leaders can do to restart momentum. From engagement strategies to behavioral nudges and real-world storytelling, Eliot and Ant unpack how programs can move beyond compliance-driven training toward genuine human risk reduction.

Why security awareness programs plateau

Most programs don’t fail dramatically - they stall quietly. Metrics flatten out, engagement slows, and conversations about security become less frequent. Teams keep delivering the same training and simulations, but the impact stops growing.

“Momentum is a big thing. When things slow down, you can feel it.”

Completion rates don’t equal behavior change

High training completion rates often create a false sense of success. Employees may complete mandatory training simply because they have to, not because it changes how they behave.

If the only success metric is completion, programs risk becoming compliance exercises instead of behavior-change initiatives.

“If you’re only measuring completion rates, you’re measuring compliance, not security.”

Why annual training rarely changes behavior

Mandatory annual training can feel disconnected from employees’ daily work. People complete it once a year and quickly forget what they learned.

Behavior change requires continuous reinforcement, not a single yearly intervention.

“Annual training is a moment. Behavior change requires a heartbeat.”

Engagement is a marketing problem

Security awareness teams often behave like educators, but their role is closer to marketing.

Employees must be persuaded to care about security. That requires storytelling, relatable messaging, and communication strategies that resonate with real people.

“We’re the sales and marketing team for secure behaviors.”

Two-way engagement matters more than broadcast messaging

Traditional awareness programs broadcast messages outward. But the most effective programs listen as well.

Conversations on Slack, feedback from champions networks, and informal discussions reveal how employees actually think about security.

“Talking with employees tells you more than talking at them.”

Behavior change happens through nudges, not lectures

Behavioral science principles like nudge theory play a key role in effective awareness programs.

Immediate feedback after a security action (such as reporting a phishing email) reinforces learning far more effectively than delayed responses or static training modules.

“Learning works best when the action and feedback happen together.”

Security controls should meet employees where they work

Workplaces are changing. Some teams live in Slack or Teams rather than email.

Security awareness programs need to adapt to the environments employees actually use.

“You have to simulate the risks people really face, not the ones you assume they face.”

Policy doesn’t change behavior... real-time guidance does

Policies describe ideal behavior but rarely influence daily actions.

Just-in-time guidance and contextual prompts help employees learn while they’re performing tasks.

“It’s like a lane departure warning in a car - the nudge happens exactly when you need it.”

Storytelling is one of the most powerful awareness tools

Personal stories create emotional connection and make risks relatable.

Employees remember narratives about real incidents far more than abstract warnings or technical explanations.

“People remember stories. They don’t remember policy documents.”

Small signals can reveal big behavior changes

Some of the strongest indicators of success are informal signals.

When employees talk about security in Slack channels, mention campaigns in meetings, or share how they changed a behavior, it shows the program is influencing culture.

“Sometimes the biggest signal is someone telling you they changed what they do.”

Disruption can re-energize a stagnant program

Standing out matters.

Whether through humor, visual branding, mascots, or creative campaigns, awareness teams sometimes need to disrupt expectations to regain attention.

“Sometimes you have to stand out from the noise.”

Negative feedback can still be engagement

Not everyone will love a campaign and that’s okay.

If employees are discussing phishing simulations or security messaging, awareness is increasing even when feedback is critical.

“If people are talking about phishing, they’re thinking about phishing.”

SOC collaboration unlocks real insights

Security operations teams see real attack patterns every day.

By collaborating with SOC analysts, awareness teams can identify new attack trends and turn them into timely training and storytelling opportunities.

“If something makes the SOC team say ‘that’s interesting,’ it’s probably worth turning into awareness.”

Reporting behavior is the strongest awareness metric

Reporting suspicious emails and threats is one of the clearest signals of an engaged security culture.

Unlike training completion metrics, reporting reflects real behavior under real conditions.

“Reporting is one of the most powerful signals that awareness is working.”
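
The three metrics contrasted above (training completion, simulated click rate, and reporting rate) are easy to put side by side once they are defined against the same denominators. The following Python is an added example, not code from the episode or from Hoxhunt: it computes the three rates from constructed monthly program data and flags a metric as plateaued when it has moved less than a chosen tolerance over a trailing window. The record fields, the three-month window, the one-percentage-point tolerance, and the sample figures are all assumptions made for illustration; the sample is built so that completion keeps climbing while click and reporting rates sit flat, which is exactly the pattern the section warns about.

```python
"""Behavior metrics for a phishing-simulation program (added example).

Assumptions (not from the page): one simulation campaign per month, one
training module assigned per month, and 'reported' counts only reports
made through the official report button. Sample numbers are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class MonthlyProgramData:
    month: str               # "YYYY-MM"
    delivered: int           # simulated phishing emails delivered
    clicked: int             # recipients who clicked the lure
    reported: int            # recipients who reported the simulation
    training_assigned: int   # employees assigned the training module
    training_completed: int  # employees who finished it


# Constructed sample: completion rises steadily, behavior metrics do not.
SAMPLE: List[MonthlyProgramData] = [
    MonthlyProgramData("2024-01", 1000, 120, 180, 1000, 600),
    MonthlyProgramData("2024-02", 1000, 115, 190, 1000, 750),
    MonthlyProgramData("2024-03", 1000, 110, 195, 1000, 900),
    MonthlyProgramData("2024-04", 1000, 112, 192, 1000, 950),
    MonthlyProgramData("2024-05", 1000, 109, 196, 1000, 980),
    MonthlyProgramData("2024-06", 1000, 111, 194, 1000, 990),
]

METRICS = ("completion", "click", "report")


def rates(m: MonthlyProgramData) -> Dict[str, float]:
    """Per-month metrics as fractions in [0, 1], each with an explicit denominator."""
    if m.delivered <= 0 or m.training_assigned <= 0:
        raise ValueError(f"{m.month}: denominators must be positive")
    return {
        "completion": m.training_completed / m.training_assigned,
        "click": m.clicked / m.delivered,
        "report": m.reported / m.delivered,
    }


def series(data: List[MonthlyProgramData], metric: str) -> List[float]:
    """Chronologically ordered values of one metric."""
    if metric not in METRICS:
        raise ValueError(f"unknown metric {metric!r}")
    return [rates(m)[metric] for m in sorted(data, key=lambda m: m.month)]


def is_plateaued(values: List[float], window: int = 3,
                 tolerance: float = 0.01) -> Optional[bool]:
    """True if the last `window` values span less than `tolerance` (absolute).

    Returns None when fewer than `window` months exist, so a brand-new
    program is not mistaken for a stalled one.
    """
    if window < 2:
        raise ValueError("window must be at least 2")
    if len(values) < window:
        return None
    tail = values[-window:]
    return (max(tail) - min(tail)) < tolerance


def plateau_report(data: List[MonthlyProgramData], window: int = 3,
                   tolerance: float = 0.01) -> Dict[str, Optional[bool]]:
    """Plateau verdict per metric; compare 'completion' against the behavior metrics."""
    return {metric: is_plateaued(series(data, metric), window, tolerance)
            for metric in METRICS}


if __name__ == "__main__":
    for metric, verdict in plateau_report(SAMPLE).items():
        last = series(SAMPLE, metric)[-1]
        print(f"{metric:>10}: latest {last:.1%}  plateaued={verdict}")
```

Running the block prints a rising completion rate next to flat click and reporting rates, with only the latter two flagged as plateaued. Which tolerance counts as "no movement" is a judgement call; the point of keeping it as a parameter is that the same check can be applied to every behavior metric you track rather than to completion alone.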

Security awareness is a life skill, not just corporate training

Cybersecurity doesn’t stop at the office.

When employees learn secure behaviors at work, they apply them at home - protecting their families, finances, and personal data.

“This isn’t just corporate compliance. It’s a life skill.”

Takeaways you can apply now

  • Recognize plateau signals early: flat metrics, declining engagement, and fewer security conversations.
  • Measure behaviors, not just training completion.
  • Use nudges and real-time feedback to reinforce secure actions.
  • Create two-way engagement through storytelling, champions networks, and conversations.
  • Collaborate with SOC teams to connect awareness with real threats.
  • Disrupt your messaging when engagement stagnates.
  • Focus on reporting behavior as a key indicator of security culture.
  • Treat security awareness as a continuous program, not a once-a-year training event.

Transcript

Eliot:

Today we're talking about something most security awareness teams quietly worry about: what happens when your program plateaus.

You've got solid completion rates. People know the basics. The phishing numbers aren’t disastrous, but they’re not really improving either. Engagement feels flat. Reporting stalls.

Leadership starts asking: are we actually getting real behavior change?

To help unpack this, Anthony Davis is joining me. Ant spent more than a decade leading awareness and engagement inside some of the UK's largest retailers. Today he focuses on developing the people behind awareness programs — building a community and academy for practitioners who want to move beyond compliance and into real behavior change.

Today we’re turning that experience into a practical playbook: how to diagnose a plateau, what actually moves behavior in large organizations, and what you should change right now if things feel stuck.

So Ant, great to have you here. Maybe you could introduce yourself.

Anthony:

Hi Eliot, thanks for having me.

I’ve worked in security awareness for about twelve or thirteen years. I’ve built programs from scratch and also joined organizations with established programs. I’ve worked in places where I had complete freedom to experiment, and others where there was very little freedom.

So it’s never been dull.

Today I focus on helping awareness professionals do better. Many of us face the same challenges and risks, but we often work in silos. I’m passionate about bringing practitioners together so we can share knowledge and help each other.

Eliot:

Your passion for the subject really shines through your work. Let’s dive in by defining the plateau.

When you say a security awareness program has plateaued, what do you mean? What signals tell you things have stalled?

Anthony:

For me it’s when things start to feel stale.

Metrics flatten out. Reporting rates stop improving or maybe decline slightly. Conversations around security aren’t happening as much as they used to. Engagement slows down.

It could be that training completion becomes harder to maintain. Maybe last year you invested a lot of effort into launching training, but this year you’re delivering the same training again.

Momentum disappears.

Momentum is a big thing. When things slow down you can feel it. People aren’t as excited as they once were.

Meanwhile attackers haven’t slowed down at all. They’re still knocking on the door trying to get in. So it’s really important to identify when your program has plateaued and address it.

Eliot:

How long do you let flat metrics continue before you intervene?

Anthony:

You don’t want to react too quickly because there could be other factors at play in the business.

Maybe there are big projects underway. Maybe focus has shifted temporarily.

So it’s important to ask why the metrics are flat before reacting.

But if three months go by and I’m not seeing any movement at all, I’d start asking serious questions.

Because the longer you wait, the harder it becomes to rebuild momentum.

Eliot:

Sometimes organizations come to us after a year or more of stagnant engagement metrics.

If phishing reporting rates and simulated click rates haven’t meaningfully shifted in twelve months, what’s your default assumption?

Is it a content problem, a culture problem, or a systems problem?

Anthony:

Usually it’s a combination of all three.

Culture plays a role. Content plays a role. Systems play a role.

One of the first things I look at is how frequently the awareness team engages with employees.

Some programs only connect with employees once a year for mandatory training and maybe through phishing simulations.

But employees need regular engagement. They need to know the security team exists.

Is your content engaging? Is it relevant? Do employees actually like it?

Have you asked them?

Or are you just making assumptions and pushing out content because you think it should work?

Then there’s culture.

Some organizations treat cybersecurity purely as a compliance requirement. If the auditors are satisfied, leadership assumes everything is fine.

But that doesn’t necessarily mean the organization is secure.

Instead of trying to create a completely new culture, I think awareness teams should understand the culture that already exists and align their messaging with it.

Every organization is unique.

Eliot:

I like that answer a lot. And you mentioned engagement with users.

Often awareness programs are very one-directional. We push information out and hope people absorb it.

But you talked about two-way engagement.

What does that look like in practice?

Anthony:

Engagement is incredibly powerful.

One way I’ve described my role before is as the sales and marketing team for secure behaviors.

We want people to buy into the idea of being secure. We want them to believe in the message we’re putting out there.

So we should think like marketers.

Gamification helps. Curiosity helps. Storytelling helps.

In one organization I ran a biweekly newsletter for eight years. It connected security topics to things happening in the news, in people’s home lives, and at work.

People started discussing those newsletters on Slack and Teams.

Those conversations created engagement.

Another powerful tool is a champions network.

Champions are like internal influencers. They repeat your security messages in their own teams and help spread them through the organization.

And when conversations happen naturally, you gain visibility into the challenges employees are actually facing.

If you’re only talking at employees once a year through training or phishing simulations, you’ll never see that.

Eliot:

That’s really powerful.

Let’s talk about behavioral science.

Which behavioral principles have you seen reliably change behavior at scale?

Anthony:

One big concept is nudge theory.

Give feedback immediately after someone performs a security action.

For example, if someone reports a phishing email, give them quick feedback. Tell them whether it was malicious or safe and thank them.

That reinforcement matters.

If the response comes a day or two later, they won’t remember the email they reported.

Just-in-time learning works because the action and the feedback happen close together.

Eliot:

What have you seen change as a result when programs implement these behavioral nudges?

Anthony:

One example is document sharing behavior.

Policies often describe how people should behave, but policies rarely reflect real workflows.

Just-in-time nudges help people learn in the moment they’re performing an action.

It’s a bit like lane departure warnings in cars.

At first they’re annoying. But eventually they change how you drive.

Behavior changes through small nudges repeated over time.

Eliot:

That’s a great analogy.

Let’s shift to training.

When training stops moving the needle, what’s the biggest design mistake causing programs to stall?

Anthony:

The biggest issue is mandatory training.

As soon as you say something is mandatory training, people disengage.

They’re busy. They have their own responsibilities.

Training becomes something they have to get through rather than something they want to learn from.

Annual training especially rarely drives behavior change.

Most people forget the content within weeks.

That’s why you need a steady heartbeat of communication throughout the year.

Eliot:

So is annual security awareness training fundamentally flawed?

Anthony:

In my opinion, annual training alone will never change behavior.

But it can still serve a purpose.

It can be used as a disruptive moment to build your internal brand.

In one organization we created animated training with characters and storytelling. People talked about it.

We even introduced a puppet mascot called George.

One person complained that we were treating employees like children.

But everyone else loved it.

George became the mascot of the entire security program.

Sometimes you need to stand out from the crowd and break the pattern of boring corporate training.

Eliot:

That’s fantastic.

When you create something memorable like that, do you actually see new people engaging with security?

Anthony:

Yes, absolutely.

Completion rates increased dramatically. People discussed the training on Slack. It was mentioned in town halls.

That kind of engagement never happened before.

Sometimes a small disruptive idea can make a huge difference.

Eliot:

Let’s talk about metrics.

If completion rates are high but behavior isn’t changing, what does that tell you?

Anthony:

It tells me the program is compliance-focused.

Completion metrics alone don’t prove behavior change.

Instead you should measure behaviors.

Are more phishing emails being reported?

Are people talking about security?

Are risky behaviors decreasing?

Work closely with your SOC or security operations team.

Ask them what trends they’re seeing.

Those insights tell you whether behavior is actually changing.

Eliot:

What about real threat reporting?

Anthony:

That’s incredibly valuable.

In one organization we didn’t measure reporting properly, and I regret that.

Reporting is one of the strongest indicators of engagement.

I also used to ask SOC analysts to flag anything that made them say “that’s interesting.”

Those real attacks became powerful stories we could share with employees.

And storytelling makes threats relatable.

Eliot:

We’re coming toward the end of our time.

What’s one action every listener should take right now if their program has plateaued?

Anthony:

Do something that stands out.

Be disruptive.

Change the design of a campaign. Use humor. Launch something unexpected.

You don’t need a big budget.

Sometimes it’s better to ask forgiveness rather than permission.

But do something that gets people’s attention.

Because attention is where behavior change begins.

Eliot:

That’s a great message to end on.

Thanks so much for joining us today.

Anthony:

Thanks for having me.
