Date: 2024-08-26

Most security awareness programs today provide employees with information they need about handling data, GDPR rules and common threats, such as phishing.

However, there is one major weakness with this approach: the programs don’t consider human behavior. They typically follow a one-size-fits-all approach, with employees completing annual generic computer-based training with some slick animation and a short quiz.

While this provides necessary information, the rushed nature of the training and lack of personal relevance often result in employees forgetting the information within just 4-6 months. This can be explained by Daniel Kahneman’s theory on human cognition. According to the theory, every individual has a fast, automatic, and intuitive thought process, called System 1. People also have a slow, deliberate and analytical thought process, called System 2.

Traditional security awareness programs primarily target System 2, as the information needs to be rationally processed. However, without sufficient motivation, repetition and personal significance, the information usually goes in one ear and out the other.