
July 14, 2021

Beyond Cyber Awareness Training 2021: A New Approach

Let's be honest: getting teams excited about security training is tough. You've tried everything to improve engagement in security awareness training, but the results feel flat. Why? Because the old methods, like the ones common in 'cyber awareness training 2021', were designed to check a box, not change behavior. They measured clicks and course completions, leaving you with vanity metrics instead of real risk reduction. It's time for a new approach. One that moves beyond participation and builds a truly resilient security culture based on quantifiable data.

Employees already have full plates and want to know what they’ll get for putting their work aside to go through training. And oftentimes, the ol’ “way to go!” and a pat on the back just isn’t enough...

So program owners rely on rewards to boost participation and engagement, but free days off and prizes can be expensive to give out, and many security training budgets simply don’t have the extra wiggle room. 

Luckily, there are a few other creative ways to get employees excited about training that won’t break your budget. Consider implementing one or more of the following incentives:

 

Cybersecurity Awareness Training for Government and Defense Agencies

For government and defense agencies, cybersecurity training is not optional; it is a foundational requirement built into their operational framework. These organizations face unique and persistent threats, making a security-conscious workforce a matter of national security. As a result, their training programs are highly structured, guided by specific regulations and supported by dedicated federal agencies. Understanding this landscape of mandatory training provides a clear picture of a compliance-driven approach, highlighting both its strengths and the opportunities to build upon it for greater risk reduction. The following sections outline the key requirements and resources shaping cybersecurity awareness within the U.S. government and military branches.

Department of Defense (DoD) and U.S. Army Requirements

Within the Department of Defense, cybersecurity readiness is a critical component of mission success. The U.S. Army, for example, enforces rigorous training protocols to ensure all personnel, from soldiers to civilian contractors, understand their role in protecting sensitive information and systems. These requirements are not just suggestions; they are codified in official regulations and managed through centralized systems. This structured approach ensures a consistent baseline of knowledge across the entire force, establishing a clear standard for cyber hygiene and accountability. The goal is to create a unified defense where every individual acts as a vigilant sensor against potential threats.

Transition to the Army Training Information System (ATIS)

To streamline and modernize its training delivery, the U.S. Army has transitioned its cybersecurity awareness programs to the Army Training Information System (ATIS). This move centralizes training modules, including the essential Cyber Awareness and Cyber Fundamentals courses, onto a single, updated platform. By consolidating resources, the Army makes it easier for personnel to access required training and for leaders to track completion rates. This shift reflects a broader commitment to leveraging technology to enhance efficiency and ensure that the entire force remains current with evolving cyber defense protocols and best practices.

Guidance from Army Regulation 25-2 (AR 25-2)

The cornerstone of the Army's cybersecurity policy is Army Regulation 25-2 (AR 25-2), which outlines the comprehensive framework for protecting the Army's information and IT systems. This regulation serves as the authoritative guide for everything from acceptable use policies and user agreements to incident reporting procedures. For security program owners, AR 25-2 provides the clear mandate for implementing and enforcing annual cybersecurity training. It establishes the non-negotiable requirements that form the basis of their compliance efforts, ensuring every user understands their responsibilities in safeguarding critical digital assets.

Defense Counterintelligence and Security Agency (DCSA) Courses

The Defense Counterintelligence and Security Agency (DCSA) plays a vital role in providing standardized cybersecurity training across the defense sector. Its courses are specifically designed to address the threats facing government and defense computer systems, offering a curriculum that is both comprehensive and highly relevant to the work personnel perform. The DCSA's approach emphasizes foundational knowledge, ensuring that everyone with access to sensitive networks understands the common threats and the proper procedures for mitigating them. Upon completion, participants receive a certificate, which serves as formal validation of their training and is often a prerequisite for system access.

Course Overview and Certification

The DCSA's cybersecurity awareness course is a core component of its educational offerings, providing essential knowledge for personnel operating within government and defense environments. The curriculum covers critical topics such as identifying phishing attempts, handling sensitive data, and recognizing insider threats. The program is designed to be accessible yet thorough, culminating in a certificate of completion. This certification is more than a formality; it is a key part of the compliance process, verifying that an individual has met the baseline training requirements needed to work with secure government systems.

Supplemental DCSA Training Materials

Recognizing that annual training is just one piece of the puzzle, the DCSA offers a suite of supplemental materials to reinforce learning throughout the year. Resources like "Cybersecurity Shorts" provide quick, digestible lessons on specific topics, making it easy for personnel to refresh their knowledge on demand. Additionally, the "Cybersecurity Toolkit" offers practical tools and job aids that help translate training concepts into daily practice. These materials support a culture of continuous learning, helping to keep cybersecurity top-of-mind long after the formal training course is completed.

Cybersecurity and Infrastructure Security Agency (CISA) Resources

The Cybersecurity and Infrastructure Security Agency (CISA) serves as a central resource for strengthening the nation's cyber defenses, offering training and exercises for a wide audience. Its mission extends beyond federal employees to include state and local governments, private-sector partners, and operators of critical infrastructure. CISA's initiatives are designed to build a resilient and prepared workforce capable of defending against a wide spectrum of cyber threats. By providing accessible education and collaborative exercises, CISA fosters a unified, nationwide approach to cybersecurity, ensuring that different sectors can work together effectively to protect shared digital ecosystems.

Training for Federal Employees and Critical Infrastructure

CISA provides a broad array of training and educational resources tailored to the diverse needs of the public and private sectors. For federal employees, these programs ensure a consistent understanding of cyber risks and best practices across all government agencies. For those managing the nation's critical infrastructure, CISA offers specialized training focused on protecting essential systems like energy grids, financial networks, and transportation. This comprehensive approach helps create a robust national security posture by equipping a wide range of professionals with the skills needed to anticipate and counter cyber threats.

National Preparedness with Cyber Storm Exercises

To test and refine the nation's cyber readiness, CISA regularly conducts large-scale exercises like Cyber Storm. This biennial event simulates a significant, coordinated cyber attack on critical infrastructure, allowing public and private sector partners to practice their incident response plans in a realistic environment. These exercises are invaluable for identifying gaps in communication, coordination, and technical capabilities before a real crisis occurs. By pressure-testing defenses in a controlled setting, Cyber Storm helps improve the country's collective ability to withstand and recover from sophisticated cyber attacks, enhancing overall national preparedness.

Moving Beyond Compliance: How to Improve Engagement in Security Awareness Training

Meeting the compliance standards set by agencies like the DoD and CISA is essential, but checking the box on annual training is no longer enough to defend against modern threats. True risk reduction comes from changing behavior, and that requires a program that employees find relevant and engaging. The challenge is to evolve from a compliance-first mindset to a risk-first strategy. This means moving beyond one-size-fits-all training modules and toward a more intelligent, data-driven approach that addresses the specific risks individuals and teams face every day. When training is personalized and contextual, it transforms from a mandatory chore into a valuable tool for personal and organizational security.

An effective Human Risk Management (HRM) program provides the foundation for this shift. Instead of relying on completion rates as a measure of success, an HRM approach makes human risk visible and measurable. At Living Security, our platform achieves this by analyzing over 200 signals across employee behavior, identity and access systems, and real-time threat intelligence. This correlation delivers a comprehensive view of where risk truly lies, allowing you to identify the individuals, roles, and access points most likely to be involved in an incident. This predictive insight enables you to move from reactive training to proactive, targeted interventions that change behavior and prevent incidents before they happen.

This modern approach makes security training more effective and engaging. With our AI guide, Livvy, security teams receive evidence-based recommendations to address emerging risks. The Living Security platform can then autonomously orchestrate routine response actions, from delivering adaptive phishing simulations and targeted micro-training to reinforcing policies, all while keeping your team in control with human-in-the-loop oversight. By delivering the right intervention to the right person at the right time, you make security personal and actionable. This not only strengthens your security posture but also fosters a positive culture where employees see themselves as vital partners in the defense of the organization.

1. Gamify Your Security Awareness Training

When using a robust security training platform, you should expect some sort of built-in reward functionality. For instance, here at Living Security, our platform uses a ranking system, which gives participants points every time they complete a training module. Participants not only climb to different “Levels,” but they also have a “Leaderboard” to see how they’re stacking up against other employees. 

Our platform also automatically triggers “badges” that participants can earn. Some include:

  • Raining Stars: Participant provides a rank on the content.
  • Perfect Score: Content is completed on the first try without error. That is, the maximum security score is attained!
  • Feedback Royal: Participant provides comments on content.
  • Early Bird: Content is completed before the due or expiration date.

These small badges, rankings, and digital high fives are a nice way to give online training an interactive touch without dipping into your awareness program budget.

 

2. Automate Encouragement to Keep Learners Engaged

While sending out random “great work!” emails to all participants seems impossible for large companies, there are ways to automate training reminders. With the Living Security training platform, for instance, you can choose from helpful default training notification email types, such as:

  • Assignment date emails. This email gently reminds users when a training module is assigned and when it’s due.
  • Mandatory or optional emails. Not all departments need the same type of security awareness training. We give you the option to send participants details about which modules are required or which are helpful “extras” for them to explore beyond the required. You might think, “Why would someone do a lesson that’s not required?” But here at Living Security, our “Netflix-style” mini-series are just as entertaining as they are informative, so employees love watching episodes at work.

  • Overdue reminder email(s). If a due date for a training assignment slips by, our automatically triggered emails nicely remind your team they're falling behind—and on which modules. These reminder emails can even be set to repeat every few days to keep employees on top of training.
  • Campaign follow-ups. So you ran a phishing campaign and some employees fell for it. But what kind of follow-up are you doing? Send an end-of-campaign email declaring it’s over, and give a shout-out to some people who didn’t fall for the phishing, while still being kind to those who did. This is a great place to provide additional resources for recognizing tricky phish scams to help those who struggled.

3. Reward Progress with Praise and Prizes

Listen, we know that employees want more than a generic, automated “good job!” email that’s sent to everyone. But Security Awareness Program Owners with thousands of employees in awareness training just don’t have the time to curate personalized messages or give out prizes to everyone. And you shouldn’t be expected to!

However, we do think there is a time and place for personalization, even in large-scale awareness programs. That could mean giving individual team managers the assets they need to distribute praise or gifts themselves, or randomizing the rewards with an unbiased name shuffler. You can also think of creative ways to give a few lucky employees recognition and show your appreciation for their impact on your security.

Read our 5 Ways To Reward Your Team During Cybersecurity Awareness Training for more terrific tips.

 

From Awareness to Action: The Human Risk Management Approach

While gamification and automated reminders can improve participation in security training, they often stop short of the ultimate goal: changing behavior to reduce organizational risk. A high completion rate doesn't guarantee an employee will spot a sophisticated phishing attempt or handle sensitive data correctly under pressure. These engagement tactics are a great first step, but to truly fortify your security posture, you need to move beyond simple awareness. Adopting a strategic framework like Human Risk Management (HRM) makes risk visible, measurable, and preventable. Instead of a one-size-fits-all approach, HRM uses a data-driven methodology to understand specific risks individuals pose and delivers targeted interventions, shifting the focus from checking a compliance box to achieving a measurable reduction in security incidents.

Limitations of Traditional Training

Traditional security awareness training operates on the flawed assumption that knowledge equals secure behavior. Employees are busy and often see training as just another task to complete. Even when it’s engaging, it rarely accounts for the specific context of an individual's role, access level, or the real-world threats they face. A marketing specialist and a systems administrator are exposed to vastly different risks, yet they often receive the same generic modules. The metrics are also insufficient; tracking course completions tells you who participated, but it reveals very little about their actual security competence. This leaves security leaders with engagement data but no real insight into their organization's human risk posture, making it impossible to prove the value of security initiatives.

A Data-Driven Foundation for Reducing Risk

An effective HRM program is built on a foundation of data, not assumptions. It begins by making human risk something you can see and quantify. Instead of just pushing out training content, this approach involves gathering signals from across your security ecosystem to build a comprehensive picture of where your vulnerabilities are. This allows you to move from reactive, compliance-driven activities to a proactive model focused on preventing incidents before they happen. The Living Security Platform is designed to provide this visibility, helping you understand not just what your people know, but how they act. This intelligence enables you to prioritize your efforts, tailor your interventions, and ultimately build a more resilient security culture based on evidence.

Correlating Behavior, Identity, and Threat Data

To get an accurate view of human risk, you cannot look at any single data point in isolation. A powerful HRM strategy correlates information across three critical pillars: employee behavior, identity and access systems, and real-time threat intelligence. Behavior data tells you how employees act, but it becomes far more powerful when combined with identity data, which reveals what systems they can access. A user who repeatedly clicks on phishing links is a concern; that same user with administrative privileges is a critical threat. By adding threat intelligence to understand who is being targeted, you gain a holistic view. The Living Security platform analyzes over 200 of these indicators, allowing you to predict and prioritize the individuals who pose the greatest potential impact to the organization before a risk becomes an incident.

Simplify Your Awareness Program with Campaign in a Box

Don’t spend days on end crafting personalized reminders, supportive materials, and thank you messages. Your skills are needed elsewhere!

With our Campaign in a Box, program owners like you can access pre-written messages to support your teams and keep training top of mind—without the work. 

Each month, we have a new topic theme—like data privacy in January or social engineering in February—and provide chat messages, emails, and blogs for you to send to employees.

Frequently Asked Questions

My team already uses gamification and rewards. Isn't that enough to improve engagement?

Gamification and rewards are excellent for getting people to participate, but they don't tell you if the training is actually changing behavior. High scores and completion rates are a good start, but they don't measure risk. A Human Risk Management (HRM) approach goes deeper by analyzing data to see who is most likely to cause an incident, allowing you to deliver targeted help where it's needed most. It shifts the goal from participation to provable risk reduction.

How does a Human Risk Management program work with strict compliance requirements, like those for government agencies?

Compliance is the foundation, not the ceiling. An HRM program builds on your compliance efforts by making them more intelligent and effective. While regulations mandate that everyone receives training, an HRM platform helps you identify which individuals or teams pose the highest risk. This allows you to focus additional resources on them, strengthening your security posture and demonstrating a proactive, risk-based approach that goes beyond just checking a box.

What do you mean when you say you correlate data across behavior, identity, and threats?

To understand risk, you need the full picture. Looking at behavior alone, like who clicks on a phishing link, is only one part of the story. We combine that with identity data, which tells us what systems and information that person can access. Then, we add threat intelligence to see if that person is being actively targeted by attackers. Correlating these three data sources gives you a complete and accurate view of your actual risk.

How is this different from the security awareness training platform we already use?

Traditional platforms focus on delivering content and tracking who completed it. They measure awareness. Our platform is designed to measure and reduce risk. Instead of just providing training, it uses predictive intelligence to identify risky patterns before they lead to an incident. It then helps you act on those insights with targeted interventions, shifting your program from a reactive educational tool to a proactive risk management system.

An AI-native platform sounds like it would be a lot for my team to manage. How much work is involved?

The platform is designed to make your team more efficient, not busier. Our AI guide, Livvy, does the heavy lifting of analyzing data and provides clear, evidence-based recommendations. It can also autonomously handle many routine tasks, like sending targeted micro-trainings or policy reminders. Your team remains in full control with human-in-the-loop oversight, allowing them to focus their expertise on the most critical risks.

Key Takeaways

  • Shift your goal from compliance to risk reduction: Instead of focusing on course completion rates, build a security program that measurably changes employee behavior and strengthens your organization's defenses against real-world threats.
  • Use engagement tactics as a starting point, not the finish line: Gamification and rewards can improve participation, but they are not substitutes for a strategy that addresses the root causes of human risk and builds lasting security habits.
  • Adopt a data-driven approach for targeted action: Gain a clear view of your security posture by correlating data across employee behavior, identity access, and threat intelligence. This allows you to deliver precise, effective interventions to the right people before an incident occurs.
