The Writing King Your Ethical Ghostwriter. Your Story, Done Right.

Security Training That Trains Nothing (And the Kind That Works)

TL;DR

Most corporate security training is a game you replay until you pass, and it changes nothing. The model that works tests people with real phishing and retrains the ones who click. I know both models from the inside: I have sat through the shoot-the-target compliance games as a consultant, and I rewrote Cyberheist, the book by KnowBe4 founder Stu Sjouwerman, twice, credited in print as contributing author and technical editor alongside Roger A. Grimes.

Because I work as a consultant, I periodically have to take some company’s mandatory security test before they will let me touch their systems. I am a security guy. I have spent decades in this field. And I sit there for an hour or two playing whatever gamified module their compliance vendor sold them: shoot here and learn a fact, click there and collect a badge.

I understand the intent. Someone decided training was tedious, so they made it a game, hoping fun would carry the content. What they actually built is tedium with graphics. I have never heard users say anything good about these modules, and the structural problem is worse than the aesthetics: you can retake the quiz until you pass. Get a question wrong, try another answer, try another, done. Nothing about that loop requires learning anything. It requires persistence, and it produces a compliance record, which is the actual product. The training exists so the company can say training occurred.

The model that works

Contrast that with the approach KnowBe4 built its business on. Users get real training about phishing and safe computing. Then, unannounced, they get tested with actual simulated phishing emails arriving in their actual inboxes on ordinary days. Click one, and you are routed back for more training. No badges, no target practice. A live test of the exact behavior that gets companies breached, with a feedback loop attached to the people who need it.

The difference is what is being measured. Gamified modules measure quiz completion. Phishing simulation measures whether a person, on a normal Tuesday, believing the email is real, clicks. Only the second number has anything to do with your breach risk, and I say that as someone whose own layered defenses once had to catch a phish that fooled me personally, a fake UPS notice timed five minutes after a real order. The click is human. The question is whether your training addresses the click or the checkbox.

The number that matters

The deep difference between the two training models is that only one produces a number. A completion-based program yields a completion rate, which measures administrative throughput and nothing else; every company that mandates the modules achieves roughly one hundred percent, eventually, and learns nothing from it. A simulation-based program yields a click rate: what fraction of your people, on an ordinary day, believing the phish was real, clicked. That number has properties completion rates lack. It has a baseline, it moves in response to training, it varies by department in ways that tell you where your risk concentrates, and it corresponds to the actual event, the click, that begins most real breaches.

Once the number exists, security awareness stops being a belief and becomes a program you can manage. You can watch it fall as training lands, watch it spike when a cleverly themed simulation defeats a department, and target the retraining where the clicks are instead of carpet-bombing the whole company annually. Nothing about that is exotic. It is the same measure-and-iterate loop every other business function runs, applied to the human layer, and the strange thing is how recently that became normal in security.

Completion rates measure paperwork. Click rates measure breaches. Only one of those numbers is about security.
Share on X

My Cyberheist years

My view of KnowBe4 is not from the outside. Stu Sjouwerman, the company’s founder, wrote a book called Cyberheist about phishing and the business of cybercrime. A few years on, it had gone obsolete, so he brought me in to update it. Years later he brought me back, and that second pass was nearly a rewrite: the 2020 edition, roughly three hundred pages, which KnowBe4 still offers for download. The credits page lists Richard Lowe as contributing author and technical editor, working alongside Roger A. Grimes, one of the most published authors in security. Stu has since sold the company for a fortune he thoroughly earned, and I confess I wish I could do that.

Rewriting a security book twice, years apart, teaches you something about the field: the technology in the first edition ages into obsolescence, and the human chapters barely need touching. Phishing in the rewrite was phishing in the original with better grammar and worse consequences. That is the entire case for training that targets behavior. The attacks that persist are the ones aimed at people, so the training that matters is the kind that measurably changes what people do.

What executives should take from this

If your security training is a module with a replay button, you have purchased evidence, not defense. Ask your team two questions: what percentage of our staff clicks a simulated phish, and is that number falling? If nobody can answer, the training program has no instrument attached, and an unmeasured program is indistinguishable from no program. The vendors who can answer exist. I helped write their book.

For more from this series, see the The Cybersecurity Hub: breaches, audits, and hard-won security lessons from four decades in the trenches.

The Guides That Get Your Book Written, Published, and Sold

Four short, practical guides on writing, publishing, and selling your book, plus the occasional note when there's something worth your time. No fluff, no daily inbox clutter. Drop your email and they're yours.

We use MailerLite to manage our list and send these emails. Your address is used only to send you what you signed up for. We will not sell it, share it, or use it for anything else, and you can unsubscribe anytime.

Frequently Asked Questions

Does security awareness training actually work?
Gamified compliance modules that can be retaken until passed produce records, not behavior change. Simulated-phishing programs work because they measure the real behavior, who clicks, and route clickers back into training.
What is the KnowBe4 training model?
Train users on phishing and safe computing, then test them with unannounced simulated phishing emails in their normal inboxes. Users who click receive additional training, creating a measurable feedback loop.
What is the book Cyberheist?
Cyberheist, by KnowBe4 founder Stu Sjouwerman, covers phishing and the business of cybercrime. I updated it once and later substantially rewrote it for the 2020 edition, credited as contributing author and technical editor alongside Roger A. Grimes.

📁︎ Cybersecurity

🏷︎ Security Awareness🏷︎ Phishing🏷︎ Cybersecurity Ghostwriting🏷︎ KnowBe4

📝 Disclaimer

The views and opinions expressed in this blog post are solely those of Richard Lowe and are based on personal experience and research. This content is for informational purposes only and should not be construed as professional legal, financial, accounting, or business advice. Always consult with qualified professionals before making important business or legal decisions. Richard Lowe is not a lawyer, accountant, or licensed professional advisor, and this content does not establish any professional relationship.