As a former teacher, I learned something that has translated well into security awareness training. If students aren’t learning, it’s not because they don’t care. It’s because:
MSPs often come to the same conclusion — employees simply don’t care. In most cases, however, that’s not actually true.
The issue isn’t a lack of motivation on your clients’ part; it’s a lack of effective learning.
Let’s look at how cybersecurity awareness training is typically delivered:
Phishing simulations are treated like tests. If a user clicks, it’s a failure. Maybe they get assigned more training, but the focus stays on the mistake, not the learning.
That’s not how people learn. In any real learning environment, people need:
They need space to practice, make mistakes, and improve, but instead, security awareness training expects immediate success without providing the conditions for it. Training isn’t improving behavior because we’re setting users up for failure.
So, how do we set them up for success?
If cybersecurity awareness training doesn’t feel relevant to the user’s day-to-day work, it won’t be successful. With most training, the content feels generic, abstract, and disconnected from real situations. When that happens, users disengage. For learning to be effective, it needs to feel applicable.
Users are far more likely to retain information when they can see how it relates to their role. Making a significant difference requires sending realistic phishing simulations, explaining how attacks affect similar organizations, and connecting training to scenarios users would actually find themselves in. When users understand why something matters to them, they are more likely to pay attention. When they pay attention, behavior begins to change.
Does clicking a phishing simulation at your organization feel like failing a test? For many users, that’s exactly what it feels like. This creates embarrassment and feels like a negative mark against the user. For some, it even discourages them from reporting issues at all, which creates bigger headaches.
If someone clicks on a simulated phishing email and feels judged for it, they’re less likely to admit when they make the same mistake with a real one. That delay in reporting can be far more damaging than the initial click itself. A more effective approach is to treat phishing simulations as practice rather than an assessment.
Traditional security awareness training is something that’s done to users, not with them. They’re assigned training, (begrudgingly) complete it, then return to their day-to-day work without any reason to think about it again. That lack of ownership limits the impact of the training.
Behavior is more likely to change when users understand that security is part of their role, not just the responsibility of IT. Every employee (in most businesses) interacts with email, systems, and data. Once they understand that their actions have a direct impact on the organization’s security, training becomes personal, not procedural.
It also gives them visibility into their progress. When users see they’re improving over time, they’re more likely to stay engaged. Improvement becomes something they take ownership of, rather than something they are being measured against. It might even become something they celebrate.
For MSPs, this is where the shift happens. You move from delivering a requirement to helping your clients build a stronger, more resilient security culture.
There is a simple idea that can help reframe how user behavior is viewed. When students used to tell me, “I don’t understand this,” my response was always, “Not yet, but you will!” The same principle applies to security awareness.
Users might not recognize phishing emails… yet.
They might not know what to do when they see a warning sign… yet.
This perspective shifts the focus from a fixed limitation to a process of improvement. It encourages patience and consistency. Behavior change takes time, and it rarely happens in a straight line. There will be mistakes along the way, which is all part of the process. For MSPs, this mindset supports a more realistic and effective approach to training.
Progress becomes the goal, rather than perfection.
Improving security awareness training does not require a complete redesign. It requires a shift in focus. Instead of asking whether training has been completed, it’s more useful to ask whether behavior is improving over time. There are several practical ways to support that shift.
Training should be:
Phishing simulations should be:
You should reinforce progress rather than punish errors, because highlighting improvements is what encourages continued engagement and builds confidence. What does that look like?
Finally, measurement should focus on trends rather than individual moments. A single mistake does not define a user, but patterns over time can show whether training is having the intended effect. Here’s what you should measure:
These changes help create a more effective learning environment while also making training easier to manage across multiple clients.
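As an added example (not code from the original post), the Python below turns constructed phishing-simulation results into the trend view described above: per-campaign click rate, report rate and median time-to-report, a direction for each metric across campaigns, and the users whose clicks repeat across campaigns rather than a single mistake. The sample records and their field names are assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample data (not real results): one record per user per campaign.
# minutes_to_report is None when the user never reported the simulated email.
EVENTS = [
    {"campaign": "2024-Q1", "user": "u1", "clicked": True, "minutes_to_report": None},
    {"campaign": "2024-Q1", "user": "u2", "clicked": True, "minutes_to_report": 240},
    {"campaign": "2024-Q1", "user": "u3", "clicked": False, "minutes_to_report": 90},
    {"campaign": "2024-Q2", "user": "u1", "clicked": True, "minutes_to_report": 60},
    {"campaign": "2024-Q2", "user": "u2", "clicked": False, "minutes_to_report": 30},
    {"campaign": "2024-Q2", "user": "u3", "clicked": False, "minutes_to_report": None},
    {"campaign": "2024-Q3", "user": "u1", "clicked": False, "minutes_to_report": 15},
    {"campaign": "2024-Q3", "user": "u2", "clicked": False, "minutes_to_report": 10},
    {"campaign": "2024-Q3", "user": "u3", "clicked": True, "minutes_to_report": 45},
]

def campaign_metrics(events):
    """Per-campaign click rate, report rate and median minutes-to-report."""
    by_campaign = defaultdict(list)
    for e in events:
        by_campaign[e["campaign"]].append(e)
    out = {}
    for name, rows in sorted(by_campaign.items()):
        reported = [r["minutes_to_report"] for r in rows if r["minutes_to_report"] is not None]
        out[name] = {
            "click_rate": sum(r["clicked"] for r in rows) / len(rows),
            "report_rate": len(reported) / len(rows),
            "median_minutes_to_report": median(reported) if reported else None,
        }
    return out

def trend(metrics, key, lower_is_better):
    """Compare the first and last campaign: 'improving', 'worsening', 'flat' or 'unknown'."""
    names = sorted(metrics)
    first, last = metrics[names[0]][key], metrics[names[-1]][key]
    if first is None or last is None:
        return "unknown"
    if first == last:
        return "flat"
    improved = last < first if lower_is_better else last > first
    return "improving" if improved else "worsening"

def repeat_clickers(events, min_campaigns=2):
    """Users who clicked in at least min_campaigns distinct campaigns: a pattern, not a one-off."""
    seen = defaultdict(set)
    for e in events:
        if e["clicked"]:
            seen[e["user"]].add(e["campaign"])
    return sorted(u for u, c in seen.items() if len(c) >= min_campaigns)
```

The repeat-clicker list is meant to target extra practice at a pattern, not to score an individual on one click.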
Most users don’t come to work intending to create a security risk. If they do, you’ve got problems that security awareness training (SAT) won’t solve. Most users want to do their jobs well and avoid issues. In many cases, they simply haven’t been given the right environment to learn effectively.
When training feels irrelevant, engagement drops. When mistakes feel risky, they get hidden. Without a sense of ownership, behavior remains unchanged. Conversely, when those conditions change, behavior changes with them.
Cybersecurity awareness training works best when it reflects how people actually learn and when it supports users to improve over time. It’s not that users don’t care.
They simply haven’t learned in the right way… yet.
Use this infographic to start creating better cyber habits among your end-users: 6 Best Practices for Security Awareness Training