Most security awareness campaigns drown people in scary facts – then wonder why nothing changes. 

As Dr Adrian Davis succinctly put it at the East Midlands Cyber Summit: “awareness is just knowing stuff”. On its own, awareness is limited because “once you’re aware of something, so what?” 

Knowing an activity is risky is not the same as doing something differently. The human brain can happily file away a statistic about phishing or ransomware without it ever touching what people actually do at their desks the next morning. 

Until we translate those facts into one or two clear actions that feel realistic in the rush of everyday work, awareness will remain a tick-box exercise rather than a defence.

It will produce completed training modules and pass quizzes but produce very little meaningful change in behaviour.

Start with one clear message

When you only have 30 minutes of someone’s year, you can’t waste it on a long list of “don’ts”. Focus instead on a single, practical behaviour you want people to remember  – and build the whole session around that.

Dr Davis asked the summit audience a simple question: “What is the one thing you want people to remember about the cyber security awareness we do?” 

He gave a great example: Every time you stand up, lock your screen. It’s specific, easy to visualise, and can be repeated until it becomes habit rather than a good intention.

Turn awareness into behaviour

Comments such as “it’s really bad out there”, “don’t click on bad links”, “naughty hacker wearing hoodie” achieve little, he told delegates.

Behaviour change means answering the questions users really have: “What do I do about it? How do I do the one thing that makes a difference?” 

Framing security as a simple, job-relevant action – like bringing your tea to the desk, logging in, and locking when you leave – connects the message to daily routines.

Reinforce with rewards, not fear

Too many programmes lean on punishment. If you fail the quiz, you repeat the module; click the wrong answer, you do it again next month. 

Dr Davis tells the story of one contact who failed their school’s awareness programme this year and now has to redo it every month. “That is actually reinforcement, negative reinforcement,” he told the room.  “If you don’t learn, we’re going to punish you.” 

That may drive compliance, but it usually also breeds resentment and creative box-ticking rather than genuine learning. 

Small rewards work far better. Something like a balloon and chocolates on the desk of the top scorer, a name-check in the newsletter, a quiet thank you when someone spots a phishing email before finance pays it. Defined, visible rewards show that good security behaviour is noticed and valued, not just enforced.

Build tiny, simple habits

Security will never be everyone’s main job – and that is fine. As Dr Davis reminds us, for most staff it’s just another thing they have got to do. Therefore, to get people on board you need to make that one thing as small and easy as possible. 

At the end of the summit he said: “I want everybody to press Windows L on [a] Windows box every time they stand up from their desk because that locks their computer.” 

And for leaders? Dr Davis advises them to start with one behaviour, prove it sticks, celebrate the people who adopt it, and then move on to the next.

• This post is part of a series based on content from speakers at the East Midlands Cyber Summit 2026. The Summit was delivered by East Midlands Cyber Security Cluster as part of its CyberGrowth programme.