Keepnet Labs Logo
Keepnet Labs > blog > why-is-traditional-security-awareness-training-inadequate

Why is Traditional Security Awareness Training Inadequate?

Discover the New Trend: Building a Security Culture!

Why is Traditional Security Awareness Training Inadequate?

Risk identification and assessment studies in the past year have revealed that human error remains a significant contributor to data breaches, contributing to 90% of incidents. It's evident that 36% of these breaches result from phishing attacks, a clear indication that human factors are vital in risk mitigation. These figures highlight the necessity of reimagining employee security training to include more than traditional training and phishing simulations. Strengthening the security culture in organizations calls for a multi-pronged and employee-centric approach.

In this article, we will discuss the essential role of promoting security culture and why typical security awareness training falls short.

Security Awareness Training: A Piece of the Puzzle

The effectiveness of security awareness programs hinges on the active engagement of the entire organization. Businesses often struggle to effectively manage cybersecurity risks due to the absence of a systematic approach to human risk identification and personalized cybersecurity awareness content.

According to Gartner's 2022 Secure Behavior Surveys, while 90% of employees undergo cybersecurity awareness training, 70% exhibit behaviors that defy security best practices. This fact underscores that standalone security awareness training is no longer adequate, and there is a compelling need to foster a robust security culture. This shift would require steps that encourage secure employee behavior, enhancing organizational resilience.

Building a Security Culture: Bridging the Gap through Training and Development

Security awareness training provides a consistent foundation of knowledge, but without fostering a culture of behavioral safety, risky actions persist. To address this, cybersecurity culture programs utilize behavioral science principles, data analytics, and automation, encouraging a shift towards cultivating a secure environment.

Most organizations offering employee security training focus on basic skills and compliance-based training. Yet, these trainings often fail to bring about significant changes in human risk.

By implementing security culture programs incorporating behavioral science principles, data analytics, and automation, organizations can foster measurable cultural change and mitigate risks. In this scenario, security awareness programs will not only focus on compliance but also on managing human risks effectively.

The PIPE Framework, published by Gartner, advocates for this holistic approach, emphasizing the need for promoting security awareness, not just as information dissemination, but also as a means of instigating behavior and culture change.

Unpacking the Gartner PIPE Framework

The Gartner PIPE (Performance, Information, Process, Ecosystem) Framework offers a comprehensive method to design and implement security culture programs, enhancing organizational resilience. This framework provides a holistic approach:


Performance, an essential component of risk assessment, measures and tracks employees' adherence to cybersecurity best practices. Metrics such as click rates on phishing emails or response times to security breaches can monitor employee behavior.


Information involves what employees understand about cybersecurity. Providing information through training sessions and meetings increases security awareness, enabling employees to identify security threats and adopt safer behaviors.


Process involves policies, procedures, and guidelines that foster secure behaviors, such as secure password practices, two-factor authentication, or reporting security breaches.


The ecosystem embodies the internal and external environment, culture, and values of an organization. This ecosystem promotes secure behaviors through leadership support, positive security culture, and a reward system.


Building a security culture requires effective design of security culture programs, which is where the Gartner PIPE framework becomes essential. It considers not only the technical and informative aspects, but also the cultural and procedural aspects necessary to sustain secure behaviors.

Incorporating this framework helps reduce human-centered cybersecurity risks. Making employees conscious about cybersecurity is an integral part of information security strategies, achievable not just through technical measures, but also by fostering a culture that promotes and sustains secure behaviors.

Next Steps: Seize the Opportunity! Supercharge Your Security with the PIPE Framework!

Don't wait another moment – take action now and unlock the full potential of collaboration. As seasoned experts in the cutting-edge PIPE Framework, we're ready to empower you with unparalleled guidance on its implementation.

Together, we'll propel your progress and conquer new heights of success. Let's construct a fortress-like security infrastructure and conquer any risks that may come your way. Waste no time – reach out to us immediately, and let's elevate your security to unprecedented levels!



Schedule your 30-minute demo now

You'll learn how to:
tickAutomate behaviour-based security awareness training for employees to identify and report threats: phishing, vishing, smishing, quishing, MFA phishing, callback phishing!
tickAutomate phishing analysis by 187x and remove threats from inboxes 48x faster.
tickUse our AI-driven human-centric platform with Autopilot and Self-driving features to efficiently manage human cyber risks.
iso 27017 certificate
iso 27018 certificate
iso 27001 certificate
ukas 20382 certificate
Cylon certificate
Crown certificate
Gartner certificate
Tech Nation certificate