Cybersecurity training assumes everyone is the same; they’re not
By Justin Fong
Increased awareness is not a sufficient condition for preventing cyberattacks such as phishing; awareness and training need to be tailored to specific job roles and personality types.

Current assumptions about training to prevent phishing are flawed because susceptibility is not evenly spread - it is shaped by roles, environments, and the behaviour that organisations actively encourage. Image: Canva.
Cybersecurity training today is built on the assumption that phishing risk is evenly distributed and that anyone not sufficiently aware might fall for a scam.
As such, organisations respond in predictable ways with standardised e-learning, generic simulations, and reminders to “think before you click.”
But this assumption is flawed because phishing susceptibility is not evenly spread - it is shaped by roles, environments, and the behaviour that organisations actively encourage. Until we recognise this, training will continue to miss the mark.
Awareness is not the issue
In most public sector organisations, awareness is already high. Officers know the basics:
Don’t click on suspicious links. Don’t share credentials. Verify unknown requests.
Yet incidents still happen.
This is because phishing doesn’t exploit ignorance; it exploits: (a) how people act under pressure, within context, while trying to do their jobs well; and (b) how decisions are driven by personality, emotion, and situation, not knowledge alone.
Public service creates predictable risk
Every organisation selects employees with certain personality traits.
In government, by nature of the work, they hire for conscientiousness, duty orientation, respect for authority, and comfort with process and compliance.
These traits are essential as they enable reliability, consistency, and public trust.
They, however, also create predictable patterns of behaviour that modern phishing attacks exploit.
Risk sits in roles, not randomly
Phishing risk isn't spread evenly. It clusters.
- Operations and policy roles are conditioned to respond quickly to authority
- Finance and procurement react to urgency around payments and audits
- Human Resources (HR) and admin are exposed to empathy-driven narratives
- IT and security face risks from alert fatigue and overconfidence
- Senior leaders operate through high-trust, informal channels that bypass controls
These are not isolated weaknesses; they are role-shaped exposures, which means a one-size-fits-all training approach will always fall short.
We’re asking the wrong question
Most programmes still start with: “Do our staff know what phishing is?”
In most organisations, they do. But the better questions are: Where is susceptibility concentrated? What triggers action in each role? Which organisational norms amplify risk?
These are not training questions; they are leadership questions.
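One way to turn those questions into measurements, as an added example that is not part of the original article: a short Python script that takes phishing-simulation results (constructed sample data here, with hypothetical roles and lure categories) and reports which roles click at a rate well above the organisation-wide baseline, and which lure type each role responds to most. The 1.3x threshold for "concentrated" is an assumed cut-off, not a figure from the article.

```python
from collections import defaultdict

# Constructed simulation results (hypothetical, not the article's data):
# (role, lure_type, emails_sent, emails_clicked)
CONSTRUCTED_SUMMARY = [
    ("finance", "urgency",   5, 3),
    ("finance", "authority", 5, 1),
    ("hr",      "empathy",   5, 3),
    ("hr",      "urgency",   5, 1),
    ("ops",     "authority", 5, 2),
    ("ops",     "empathy",   5, 0),
    ("it",      "authority", 5, 0),
    ("it",      "urgency",   5, 1),
]

# Expand into one record per simulated email, the shape a phishing-platform
# export usually has: (role, lure_type, clicked).
RECORDS = [
    (role, lure, i < clicked)
    for role, lure, sent, clicked in CONSTRUCTED_SUMMARY
    for i in range(sent)
]


def click_rates(records, key):
    """Click rate grouped by 'role' or 'lure'. Returns {group: (clicks, sends, rate)}."""
    idx = {"role": 0, "lure": 1}[key]
    sends = defaultdict(int)
    clicks = defaultdict(int)
    for rec in records:
        sends[rec[idx]] += 1
        clicks[rec[idx]] += int(rec[2])
    return {g: (clicks[g], sends[g], clicks[g] / sends[g]) for g in sends}


def overall_rate(records):
    """Organisation-wide click rate: the baseline every group is compared against."""
    return sum(int(r[2]) for r in records) / len(records)


def concentrated(records, key="role", factor=1.3):
    """Groups whose click rate exceeds factor x the organisation-wide rate.

    The factor is an assumed threshold; tune it to your own data so that it
    separates genuinely concentrated risk from noise in small samples.
    """
    base = overall_rate(records)
    return sorted(
        g for g, (_, _, rate) in click_rates(records, key).items()
        if rate > factor * base
    )


def top_lure_per_role(records):
    """For each role, the lure type that drew the highest click rate.

    This is the 'what triggers action in each role' question answered from
    data rather than assumed from job descriptions.
    """
    stats = defaultdict(lambda: defaultdict(lambda: [0, 0]))  # role -> lure -> [clicks, sends]
    for role, lure, clicked in records:
        stats[role][lure][0] += int(clicked)
        stats[role][lure][1] += 1
    return {
        role: max(lures.items(), key=lambda kv: kv[1][0] / kv[1][1])[0]
        for role, lures in stats.items()
    }


if __name__ == "__main__":
    print("baseline click rate:", round(overall_rate(RECORDS), 3))
    for role, (c, s, r) in sorted(click_rates(RECORDS, "role").items()):
        print(f"{role:8s} {c}/{s} = {r:.2f}")
    print("concentrated roles:", concentrated(RECORDS))
    print("trigger per role:", top_lure_per_role(RECORDS))
```

On this constructed data the baseline is 0.275, finance and HR sit at 0.40 and are flagged as concentrated, and the per-role triggers come out as urgency for finance and empathy for HR. The same two functions run over a real simulation export are what let a programme choose role-specific scenarios from evidence rather than from generic assumptions.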
Train for behaviour, not awareness
If the risk is uneven, training must be as well. This means moving away from mass awareness towards targeted behavioural interventions:
- Role-specific scenarios instead of generic examples
- Function-based simulations instead of broad campaigns
- Safeguards designed around real workflows
The goal isn't simply more training; it's more relevant training.
A necessary shift
Phishing resilience will not improve by doing more of the same.
It improves only when organisations accept the more fundamental truth that risk is not evenly distributed and hence, training cannot be either.
Effective cybersecurity is no longer just about raising awareness; it’s about designing systems that reflect how people actually think and decide. Until that shift happens, phishing will remain a persistent problem.
Not because people don’t know better, but because we are still not training for reality.
--------------
The author is a former military security officer and senior communications leader with over 30 years of experience. He helps organisations strengthen their human firewall by transforming employees from the weakest link in cybersecurity to the first line of defence. He has previously worked for the Singapore Armed Forces, Prime Minister’s Office, and A*STAR, leading crisis response teams, advising political office holders, and building communication strategies that work under pressure.