Why Security Awareness Training is like Chocolate Cake

Share with your network!

What happens when you take eggs, flour, sugar, cocoa powder, baking powder & soda, milk, salt, vegetable oil, vanilla extract, and water to make chocolate cake. Well, you have ingredients that could be made into a delicious chocolate cake. If they’re in the right amount, put together at the right time, and not over or under-baked. I’m sure Mary Berry or Paul Hollywood could explain it better.


Security awareness programs are a lot like baking a chocolate cake. Which is why we put together our "E-book of recipes" about security awareness training. It’s all about planning, timing, getting the right amounts, and executing so your cake security awareness program is in “harmony”. We know the stakes are incredibly high for security awareness training success. With 94% of attacks targeting people according to the 2019 Verizon DBIR, a strong line of defense with your people becomes pertinent to your overall security strategy.

More Important than Anything: Starting Somewhere

Something we’ve learned from customers over the years is that security awareness is an ongoing process. You may not start off with a show-stopper cake at your first attempt, but none do. Different activities, from simulated phishing to online training to in-person events may get approved. Budgets may dictate if you can have software, an in-person event, or even giveaways. But having all the resources at your disposal isn’t necessary to start something.

Putting aside budget for a moment – when starting a program leveraging as many communication channels, internal departments, and creative ideas as you can muster may be the spark that lights the eventual security awareness investment.

One customer, who had trouble initially getting budget for security awareness software or staff, started a chat channel to answer cybersecurity questions from users – everything from social messages that look phishy to advice about purchasing and securing new devices. The channel grew from one to tens to hundreds of users posting, which got management’s attention that security awareness needed more formalized resources and a budget.

Maximize Your Security Awareness Journey

To help start or improve your security awareness program, we put together an e-Book, Driving Real Behavior Change: The Complete Guide to Building a Security Awareness Program that Works. We highlight key facts, strategies, resources, and tips you can utilize regardless of your vendor to implement your security awareness program.

Some highlights and quick tips from the eBook:

  • Communicate with user benefits in mind: You’re there to help users be successful in their everyday cybersecurity habits at work and home
  • Frequency is essential for ongoing success: 84% of organizations conduct security awareness training on a quarterly or more frequent basis
  • Add some flavor to your program: Branded programs with customized content are more successful because they’re more relevant and interesting
  • Don’t be afraid of repetition: According to the “Rule of Seven,” advertisers must get their message in front of someone at least seven times to make it stick
  • Be positive. Use “reporting rate” rather than “click rate” of simulated phishing: This puts your program and users in a better light when communicating to key stakeholders
  • Don’t expect perfection: There is no organization that will have no users clicking on simulated phishing and 100% of employees fully knowledgeable in cybersecurity

2020 has taught us that the threat landscape will change, and it’s important to be prepared and ready to adapt regardless of the circumstances. Coming up with a perfect two-year plan and executing it exactly is unrealistic in most scenarios. But being able to evolve your program to adapt to the needs of your users, and the reality of your organizational landscape is critical to being successful with security awareness.