Cybersecurity awareness has traditionally leaned on logic, policies, frameworks, statistics, and step-by-step instructions. And while those things are critical, I’ve learned something over the years: facts alone don’t change behavior. Stories do.
When we tell someone, “Don’t click suspicious links,” we give them a rule. When we show them how someone just like them clicked a link while trying to multitask before a meeting, and what happened next, we give them a moment they’ll remember. That difference matters.
In one of my most effective campaigns, I introduced a character named Reese, a fictional employee inspired by real situations. Reese received a voicemail that sounded like it came from her CEO. She was juggling back-to-back meetings and daycare drop-off when she heard it. It was a deepfake. Week by week, we followed Reese’s story as she unknowingly triggered a response protocol, asked the wrong colleague for a quick favor, and forwarded a document without checking the metadata. These were all things people do.
What made the campaign work was simple: people saw themselves in Reese. They followed her story. They looked forward to the next chapter, not because it was required training, but because it was relatable and real.
The outcome was more than an increase in engagement metrics. People were talking about “what happened to Reese” during team meetings and over coffee. That’s when I knew we had shifted from information to impact.
We can’t expect people to change their behavior from a list of dos and don’ts. But if we show them what risk looks like in context, if we tell stories with real consequences and empathy, we unlock something deeper. People start to internalize the risk, not just memorize the rule.
A story builds memory. And memory drives action.
June 30, 2025
The Problem with One-and-Done Security Training
June 30, 2025
