04 Mar 2026
The Myth of the Well-Educated Employee
The annual security e-learning window has just closed. The CISO sits in the boardroom, pointing to a slide showing a 95% completion rate. The directors nod, satisfied that the "human risk" box is firmly ticked and that the latest policies have been signed. Meanwhile, in the marketing department, an employee is bypassing the company’s secure file-sharing system and using a personal cloud account. They aren't being malicious; they are just in a hurry.
This is what I call the Training Paradox. In our 2025 survey of 2,000 Nordic employees, we found that only 5% had never received training. On paper, our workforce is the most educated it has ever been.
However, our data tells us that training alone isn't a silver bullet. While 80% of respondents have completed their annual e-learning, 25% admit that it hasn't changed their behaviour at all. Even more concerning, one-third of employees still believe IT security is solely the responsibility of the IT department.
I recently sat down with behavioural designer Casper Danholt Iuul to discuss why this gap exists. He explained that our brains operate in two modes: System 1 (fast, intuitive, and habit-driven) and System 2 (slow, logical, and analytical). Policies and quizzes are designed for System 2. They provide the necessary rules and logical framework. But when a deadline looms and stress levels rise, System 1 takes over. We revert to the easiest path - the habit - rather than the policy we signed three months ago.
If nearly 15% of employees are unsure when they last received instructions, the training was likely a "check-the-box" exercise rather than a memorable experience. We must move toward an integrated approach where the policy isn't just a document but a living part of the culture.
For more insights on bridging the knowledge-action gap, download our white paper on security awareness and employee behaviour.
Security isn't a static checklist you complete once a year; it’s a connected journey. It starts with the right policy, continues with an engaging awareness campaign, and succeeds only when those rules become second nature in the heat of the workday.
See how NorthGRC helps you share policies, train employees and track awareness across your organisation.