Kim de Wit of SoSafe explores applying behavioral science to drive action, replacing annual training with continuous micro-moments and moving beyond click rates to adaptive risk assessment and user feedback loops.
Security awareness programs fail because organizations confuse knowledge with behavior change. Companies deliver annual hour-long training sessions that employees click through before returning to risky behaviors unchanged. Traditional approaches ignore behavioral science fundamentals. Training programs treat 10-year veterans similarly to new hires, measure success through click rates rather than risk reduction, and operate as tick-the-box compliance exercises instead of adaptive security strategies.
Effective programs require shifting from bulk learning to continuous reinforcement, differentiating training by role and tenure, and measuring what actually reduces organizational risk.
In this session, Kim de Wit of SoSafe will explore:
- Applying behavioral science to drive action through positive security culture, consequence awareness and clear reporting systems;
- Replacing annual training marathons with short, continuous micro-moments, new hire packages and differentiated learning paths that don't blame repeat learners;
- Moving beyond click rates to industry-comparative metrics, adaptive approaches targeting high-risk departments and user feedback loops that identify genuine knowledge gaps.
Here is the course outline:
Three Security Awareness Program Mistakes and How to Fix Them
Completion
The following certificates are awarded when the course is completed:
CPE Credit Certificate
