
Does Security Awareness Training Even Work? Fixing the Flaws Behind “Training Fails” Headlines
From All Things Human Risk Management by Hoxhunt
November 16, 2025 · 38 min
About this episode
The episode discusses the effectiveness of security awareness training and explores the flaws in traditional compliance-driven programs.
Episode #9 “Security awareness training doesn’t work” makes for a punchy headline. But is the problem training itself - or the way most organizations still run compliance-driven, once-a-year programs? In this episode, host Eliot Baker sits down with global security awareness leader David Badanes to dissect the latest “training fails” narratives (especially the UC San Diego study amplified by the Wall Street Journal) and contrast them with what actually works in high-performing human risk programs. They break down the three failure modes of legacy awareness (content, cadence, culture), show how to rebuild around behaviour change and reporting, and give you language to push back when executives show up with the latest “training doesn’t work” article in hand. What you’ll learn in this episode: The three failure modes of legacy awareness programs: broken content, broken cadence, and broken culture. Why annual modules and quarterly cookie-cutter phishing tests create “security tourism,” not real habit change. How to rebuild around role-based, adaptive, micro-learning paths that challenge people at the right level. Where gamification, rewards, and opt-in “spicy mode” simulations help…
People in this episode
Host: Eliot Baker
Guest: David Badanes
Topics covered
- security awareness training
- human risk management
- organizational compliance
- behavior change
Keywords
- training fails
- legacy awareness
- gamification
- micro-learning
Mentioned in this episode
Products: Teams, Slack, WhatsApp
More episodes of All Things Human Risk Management
- Your Security Awareness Program Has Plateaued - What Happens Next? · March 12, 2026 · 1h 2m
- The Ethical Guide to Security Storytelling: Navigating Real Breaches with Care and Respect · February 2, 2026 · 34 min
- The Attacks Getting Through Your Filters (and How AI Is Scaling Social Engineering) · December 22, 2025 · 38 min
- State of Phishing 2025: Why SVGs Spiked (and What Still Works) · October 30, 2025 · 46 min
- A CISO’s Playbook for Security Comms (with Jeffrey Brown) · October 14, 2025 · 53 min
- Virtual Kidnaps, Fake CFOs: Social Engineering Defense in the Age of AI · September 18, 2025 · 38 min
Explore listener stats, chart rankings, contacts and more on the All Things Human Risk Management podcast page.