Fear and Silence: Half of Employees Afraid to Report Security Mistakes





Despite the increased adoption of security awareness training, our latest research reveals that more than half of cybersecurity professionals share concerns over security behaviours.


The Alarming Findings

We recently conducted a survey that sheds light on attitudes towards security awareness training. Respondents were asked which security behaviours caused the most concern in their organisations. The top issues identified were:

  • Clicking on links in emails (53%)
  • Sharing corporate data outside of the business (53%)
  • Sharing of usernames and passwords (51%)

The study also highlighted that a quarter of cybersecurity professionals doubt that current security awareness training changes their colleagues’ behaviour. Alarmingly, 60% admitted they only receive training once every few months or even just once a year. As threats grow more sophisticated and frequent, training has to be regular and consistent to stay effective. If training doesn’t keep up with the latest threats, organisations will be left vulnerable and stuck in the past.


The Importance of Timely Training

ThinkCyber’s CEO, Tim Ward, emphasises the importance of delivering security awareness training in the moment when it can be directly contextualised by the recipient.

“This approach not only enhances comprehension by linking awareness to an immediate and relevant situation but also serves as a proactive nudge towards safe behaviour. By intervening at the precise moment when a risky action is about to be taken, individuals are more likely to understand the specific dangers and consequences associated with their actions. This timely intervention ensures that the lesson is not abstract or theoretical but grounded in a real-world context, making it more impactful.”


Measuring and Tracking Progress

Organisations must measure and track the progress of their security awareness programmes to determine effectiveness and make necessary changes. When respondents were asked whether their business could identify the user groups carrying out concerning behaviours, almost half (49%) said it could not do so for all of the behaviours causing concern.

Other key findings from the survey included:

  • 42% of respondents felt that their organisation could not even somewhat prove whether their current security awareness training is changing risky behaviours.
  • Half of respondents said they would not feel free from repercussions if they reported a mistake within their organisation.
  • 51% of respondents believed that most people across the business were focused on security, whereas 39% felt only the executives and security teams were focused on it.


Time to Re-evaluate

When numerous security experts confess that their organisation’s security awareness training isn’t cutting it, it’s a huge red flag that something’s amiss and it’s time to re-evaluate.

“Cybersecurity should be a concern for everyone, so pinpointing which user groups need extra help with safe practices is crucial for any business. A training programme that’s flexible and enjoyable can make all the difference, boosting staff engagement and giving cyber professionals greater confidence in their team’s ability to make smart security decisions.”

Tim Ward, CEO & Co-Founder, Think Cyber Security ltd


Top 3 Ways to Make Security Awareness Training Work

  1. Deliver ongoing training: Annual training isn’t enough. Security awareness training should be provided to employees regularly to maintain awareness and keep employees up to date with the latest cybersecurity threats.
  2. Drip-feed content: When respondents were asked how they like to receive security awareness training, 70% said they want to keep their knowledge fresh and that little and often works for them. Delivering the content of your security awareness programme in small, bite-size segments helps to maximise engagement and reinforce ongoing awareness and learning outcomes.
  3. Measure engagement levels and progress: Measure behavioural impact and engagement. Measuring engagement levels indicates progress, but behavioural impact shows the programme's effectiveness in reducing risk and highlighting user groups that display risky behaviour.



Independent researchers on behalf of ThinkCyber surveyed 163 cybersecurity professionals, including CISOs/CIOs, Senior Cybersecurity Managers, and IT decision-makers, at Infosecurity Europe, held in London between June 4th and 6th, 2024.


If you’d like to know more about how Redflags® addresses these challenges, visit thinkcyber.co.uk or get in touch.

