By Staff Writer at LMG Security   /   Oct 16th, 2025

The Power of Why: Making Cybersecurity Training Stick

Picture this: It’s cybersecurity awareness month, and a group of employees sit slouched in their chairs, waiting for another mandatory training session to end. The instructor clicks through slides about phishing emails and password policies. Eyes glaze over. Phones appear under the table.

It’s not that people don’t care about security; it’s that we often fail to tell them why it matters.

In this week’s Cyberside Chats episode, LMG Security’s Matt Durrin, director of training and research, sat down with Senior Cybersecurity Consultant Todd Stewart to unpack what makes security training actually work. Their answer? It’s all about storytelling, engagement, and connecting cybersecurity to the “why” behind every action.

Lead With the “Why”

Cybersecurity can feel abstract or intimidating—full of acronyms and warnings that don’t resonate. “When you’re engaging somebody and talking to them about cybersecurity, you don’t make it all technical,” Stewart said. “You make it what’s in it for them—the WIIFM.”

That shift in focus from compliance to personal relevance is what separates forgettable lectures from training that sticks. Instead of saying “90% of breaches start with phishing,” try something like, “One click could impact 10,000 coworkers.”

Durrin added that this approach applies to every topic. When explaining password security, for example, don’t lecture about entropy or brute force times. Tell a story about how reused passwords fuel real-world breaches. Let people see themselves in the narrative and understand why their actions matter.

Framing security as a shared challenge that protects both the company and employees’ personal lives helps it feel less like a rulebook and more like empowerment.

Turn Data Into Stories

Statistics are easy to forget. Stories aren’t.

Both Durrin and Stewart emphasized the power of storytelling to make security concepts stick. “If you start with statistics, you lose the room,” Stewart said. “But when you frame it emotionally and you show how a single decision affects others, then people connect.”

Consider passwords. On the dark web, more than 25 billion stolen credentials circulate at any given time, meaning many of the “clever” passwords people use are already compromised. Instead of rattling off that number, show employees what it means. Demonstrate how quickly a weak password can be cracked, or share anonymized examples from real breach data.

That lesson sticks because it’s personal. As Durrin noted, “Our brains aren’t designed to remember long strings of symbols. But if you teach someone to build a passphrase around a favorite song lyric or memory, they’ll actually do it.”

Storytelling transforms a training session from an obligation into a moment of understanding. For inspiration, see CISA’s guidance on building a security-aware culture or NIST’s awareness program recommendations.

Make It Experiential

One of the most effective lessons, Stewart recalled, came from a live password demo. “We used to have a local password checker; nothing went online, and people could type their own password and see how fast it would be cracked. That was powerful.”
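The offline password checker Stewart describes, and the passphrase point Durrin makes above, combined into one added example. This is illustrative code written for this article, not LMG Security’s demo tool: it estimates guessing entropy from the character set (capped at a word-combination count for plain-word passphrases, since attackers guess words rather than characters), checks the input against a small constructed list that stands in for breached-credential data, and converts the result into a crack-time estimate. The guess rate, the word-list size and the breached sample are all labelled assumptions; nothing leaves the machine.

```python
import math
import sys
from getpass import getpass

# Constructed sample standing in for a breached-credential list; not real breach data.
BREACHED_SAMPLE = {"password", "123456", "qwerty", "letmein", "P@ssw0rd"}

# Assumption: guess rate of a fast offline attack against a weak, unsalted hash.
GUESSES_PER_SECOND = 1e10

# Assumption: size of the word list an attacker would use against plain-word passphrases.
ASSUMED_WORDLIST = 20_000

SECONDS_PER_YEAR = 365.25 * 86400


def charset_size(pw: str) -> int:
    """Size of the smallest conventional character set containing every character in pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33  # printable ASCII punctuation plus space
    return size


def entropy_bits(pw: str) -> float:
    """Upper-bound guessing entropy in bits under the character-set model.

    For passphrases (three or more whitespace-separated tokens) the estimate is
    capped at the word-combination count: each plain word counts as one pick
    from ASSUMED_WORDLIST, and only non-word tokens are counted per character.
    """
    size = charset_size(pw)
    if size == 0:
        return 0.0
    bits = len(pw) * math.log2(size)
    tokens = pw.split()
    if len(tokens) >= 3:
        word_bits = sum(
            math.log2(ASSUMED_WORDLIST) if t.isalpha()
            else len(t) * math.log2(charset_size(t))
            for t in tokens
        )
        bits = min(bits, word_bits)
    return bits


def estimated_crack_seconds(pw: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Average guessing time: zero if pw is already in the breach sample,
    otherwise half the keyspace divided by the assumed guess rate."""
    if pw in BREACHED_SAMPLE:
        return 0.0
    bits = entropy_bits(pw)
    if bits >= 1000:  # beyond float range and beyond any meaningful number
        return math.inf
    return (2 ** bits) / 2 / rate


def humanize(seconds: float) -> str:
    """Render a duration the way a trainee would read it off the screen."""
    if math.isinf(seconds):
        return "effectively forever"
    if seconds < 1:
        return "under a second"
    if seconds < 60:
        return f"{seconds:.0f} seconds"
    if seconds < 3600:
        return f"{seconds / 60:.0f} minutes"
    if seconds < 86400:
        return f"{seconds / 3600:.0f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.0f} days"
    return f"{seconds / SECONDS_PER_YEAR:,.0f} years"


def check_password(pw: str) -> dict:
    """Everything the demo shows the trainee, computed locally; the password
    is never stored, logged or transmitted."""
    return {
        "in_breach_sample": pw in BREACHED_SAMPLE,
        "entropy_bits": round(entropy_bits(pw), 1),
        "crack_time": humanize(estimated_crack_seconds(pw)),
    }


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--live":
        # Live classroom mode: input is not echoed and is discarded after the report.
        print(check_password(getpass("Password to test (not echoed, not stored): ")))
    else:
        # Constructed demo inputs showing the contrast a trainer would put on screen.
        for sample in ["password", "Tr0ub4dor&3", "correct horse battery staple"]:
            print(f"{sample!r:34} -> {check_password(sample)}")
```

Run it with no arguments to see the contrast between a breached password, a short complex one and a four-word passphrase, or with `--live` to let a trainee type their own. The passphrase cap is the caveat worth voicing in the room: four dictionary words score far below what a character-count model suggests, which is exactly why the “favorite song lyric” advice works best when the phrase is long and personal rather than a well-known line.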

Hands-on experiences like that help people internalize risk in ways that slides and statistics never can. Whether it’s a phishing simulation, a tabletop exercise, or an interactive quiz, engagement matters.

Even simple demonstrations like asking staff to spot the real login screen among a set of fakes can turn abstract threats into tangible skills. And for leadership teams, conducting a realistic tabletop exercise can surface hidden gaps in communication, escalation, and coordination before a real incident strikes. Read our ransomware and evergreen tabletop exercise blogs for our favorite scenarios, tips, and details on how they help teams build muscle memory for cyber crisis response.

Communicate Across Roles

No two audiences are alike. A CISO, an HR manager, and a finance director each have different motivations, and effective trainers know how to connect with all of them.

“You’ve got to read the room,” Stewart said. “If you know who’s there, you can tailor the message. Start with what matters to each group.”

For executives, that means emphasizing how cybersecurity supports business continuity and brand trust. For technical staff, focus on precision and process. For non-technical teams, use relatable analogies, like protecting your digital house the way you’d lock your front door.

Stewart calls security a shared responsibility: “We share workspaces, time, and culture. Protecting the organization means protecting the culture.”

That sense of shared purpose is key. A 2024 Forrester report on security culture found that organizations emphasizing cross-department collaboration were 45% more likely to reduce incidents caused by human error. When people feel part of the defense, not the target of a lecture, they engage.

Ditch the Fear Factor

For years, cybersecurity training leaned on fear: horror stories about breaches, ransomware, and million-dollar losses. The problem? Fear alone rarely changes long-term behavior.

As Durrin put it, “A lot of times people tell me, ‘Scare the hell out of them.’ Sure, we can do that, but it’s not effective.”

Instead of relying on “doom and gloom,” combine realism with solutions. Show employees what to do when something feels off. Celebrate those who report phishing attempts. Frame cybersecurity as a skill to be proud of, not a test to pass or fail.

Research backs this up: a Harvard Business Review study found that positive reinforcement and curiosity-driven learning lead to better retention and higher engagement than fear-based messaging.

When people feel empowered, they act faster and make smarter choices in real incidents.

Communication Is a Security Control

One of Stewart’s closing insights was simple but powerful: “Communication in cybersecurity is a layer 8 control.” In other words, beyond the seven technical layers of the network stack sits the human layer, and how people communicate there is part of your defense strategy.

When messages are confusing, inconsistent, or overly technical, people tune out, and mistakes happen. But when training connects with everyday experience and fosters open dialogue, your employees become your strongest security control.

As Stewart summed it up, “Security at its core is a human challenge, and we want to approach it that way.”

Conclusion: Build Your “Why” Into Every Exercise

Cybersecurity training shouldn’t be a checkbox. It should be a conversation that starts with why, tells a great story, involves hands-on experience, and makes every role part of the mission.

That same philosophy drives LMG Security’s tabletop exercises, technical training classes, and curated cybersecurity awareness training services. Whether it’s a tabletop exercise that brings together leaders from across departments to practice real-world incidents, strengthen communication, and test how your team performs under pressure, or cybersecurity awareness training to turn your employees into front-line defenders, we lead with the why to deliver engaging, impactful experiences.

Want to see how your organization performs when the pressure’s on? Explore LMG’s tabletop exercise offerings, technical training classes, and cybersecurity awareness training, and start turning your team’s “why” into lasting action.


About the Author

LMG Security Staff Writer
