How to f*ck up your security awareness program – a short guide

At Cybersec Europe 2026 in Brussels, Arno van den Hof, Country Manager for Junglemap Benelux, delivered a thought-provoking presentation with a deliberately provocative title: "How to F*ck Up Your Security Awareness Program – A Short Guide."

June 10, 2026

Behind the humour was a serious message. Many organisations invest significant time and money in security awareness initiatives yet still struggle to create lasting behavioural change. The problem is often not a lack of effort, but a reliance on approaches that are unlikely to work in the first place.

The biggest mistake: Treating awareness as a one-off event

One of the most common ways to undermine a security awareness programme is to view it as a project rather than an ongoing process.

Many organisations still rely on annual training sessions or occasional awareness campaigns. While these activities may satisfy compliance requirements, they rarely have a lasting impact on employee behaviour.

People forget. Priorities change. New threats emerge.

Creating a security-conscious culture requires continuous reinforcement rather than isolated learning events.

Information is not the same as behaviour change

Another key point was the difference between knowledge and behaviour.

Most employees already know they should not click suspicious links, reuse passwords, or share sensitive information. Yet incidents continue to occur.

Why?

Because human behaviour is influenced by habits, context, stress, workload, and social factors. Simply providing information does not automatically lead to safer actions.

The goal of security awareness should therefore be to influence everyday behaviour, not just increase knowledge.

Stop measuring activities - start measuring behaviour

Security awareness programmes are often evaluated using metrics that are easy to collect but difficult to connect to actual risk reduction.

Completion rates, attendance numbers, and quiz scores may indicate participation, but they do not necessarily reveal whether employees behave differently when confronted with a real-world threat.

Organisations should focus more on behavioural indicators and long-term trends than on simple activity metrics.

Awareness must fit into everyday work

A recurring theme throughout the presentation was the importance of making learning part of employees' daily routines.

Long training sessions compete with employees' primary responsibilities and are easily forgotten. Short, relevant, and frequent learning experiences are far more likely to be remembered and applied when needed.

This is one of the core principles behind NanoLearning: delivering small, manageable learning moments that help keep security top of mind throughout the year.

Building a security culture takes time

Perhaps the most important takeaway was that there is no quick fix.

Creating a strong security culture requires consistency, repetition, leadership support, and a realistic understanding of how people learn and change behaviour.

Organisations that treat awareness as a continuous journey rather than a compliance exercise are far more likely to see meaningful and lasting results.

Final thoughts

Arno van den Hof's presentation challenged some of the most common assumptions about security awareness. Rather than focusing solely on knowledge transfer, organisations should concentrate on creating sustainable behavioural change through continuous engagement, practical relevance, and regular reinforcement.

In other words, if you want to avoid "f*cking up" your security awareness programme, stop thinking about awareness as training—and start thinking about it as behaviour change.

Watch Arno van den Hof's sold-out presentation from Cybersec Europe here: