The annual security awareness video is one of the most widely deployed and least effective security controls. Staff click through it, tick the box, and forget it within a week. Auditors accept it as evidence. Breach reports routinely identify "user error" as the root cause. The gap between what compliance accepts and what actually reduces risk is rarely wider than in awareness training.

Here is what effective awareness training looks like, and why most organisations get it wrong.

Why the annual video fails

One-size-fits-all content assumes all staff face the same risks. They do not. Finance teams face invoice fraud. Developers face credential leakage. Executives face whaling and deepfake calls. A single generic module addresses none of these meaningfully.

Passive consumption produces passive knowledge. Watching a video is not practice. The learner is not asked to recognise a real phishing email, decide what to do with a USB stick found in the parking lot, or respond to a call claiming to be the CEO. Behaviour is not trained.

The goal of awareness training is not information transfer. It is behaviour change under time pressure, when someone is tired, and when the attack looks legitimate.

What actually works

Role-based content. Finance, developers, executives, and customer support each get training on the specific attack patterns targeting their function. Generic content is supplementary, not primary.

Short, frequent touchpoints. Ten minutes a quarter, triggered by real events or simulations, outperforms forty-five minutes once a year.

Simulated phishing that escalates. The first simulation is easy. The second is harder. By the fourth, the simulations mirror actual attacker sophistication, including spear-phishing and business email compromise patterns.

Post-click training, not punishment. Someone who clicks a simulated phishing link gets a short, targeted micro-lesson on what they missed. They do not get a lecture in front of their manager.

Measured outcomes. Click rates, report rates, time-to-report. Not completion percentages.
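As an added illustration that is not part of the original article, the outcome metrics named above (click rate, report rate, time-to-report) computed over a constructed record of one simulated phishing campaign, broken down by role to match role-based content; the record layout, field names and sample values are assumptions, not a vendor's export format.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional

@dataclass
class SimResult:
    """One recipient of a simulated phishing lure (constructed schema)."""
    user: str
    role: str
    sent: datetime
    clicked: Optional[datetime] = None   # None = never clicked
    reported: Optional[datetime] = None  # None = never reported

# Constructed sample campaign, not real data.
T0 = datetime(2024, 3, 4, 9, 0)
CAMPAIGN = [
    SimResult("alice", "finance", T0, clicked=T0 + timedelta(minutes=7)),
    SimResult("bob", "finance", T0, reported=T0 + timedelta(minutes=12)),
    SimResult("carol", "finance", T0, clicked=T0 + timedelta(minutes=3),
              reported=T0 + timedelta(minutes=5)),  # clicked, then reported
    SimResult("dave", "dev", T0, reported=T0 + timedelta(minutes=40)),
    SimResult("erin", "dev", T0),                    # ignored the lure
    SimResult("frank", "exec", T0, clicked=T0 + timedelta(hours=2)),
]

def outcome_metrics(results, role=None):
    """Click rate, report rate and median minutes-to-report for a campaign,
    optionally restricted to one role. Returns None if no one in scope."""
    rs = [r for r in results if role is None or r.role == role]
    if not rs:
        return None
    clicks = sum(1 for r in rs if r.clicked is not None)
    reports = [r for r in rs if r.reported is not None]
    # Minutes from lure delivery to the user's report, per reporter.
    ttr = [(r.reported - r.sent).total_seconds() / 60 for r in reports]
    return {
        "sent": len(rs),
        "click_rate": clicks / len(rs),
        "report_rate": len(reports) / len(rs),
        "median_minutes_to_report": median(ttr) if ttr else None,
    }

def metrics_by_role(results):
    """Per-role view: this is what shows whether finance, dev and exec
    training is working, which a single completion percentage cannot."""
    roles = sorted({r.role for r in results})
    return {role: outcome_metrics(results, role) for role in roles}
```

A real campaign feed would come from your simulation tool's export; the point is that every number here is an observed behaviour, not a completion tick.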

What to tell your auditor

ISO 27001 Annex A 6.3 requires information security awareness. It does not specify a video. Evidence that your programme is role-based, refreshed quarterly, measured on outcomes, and reviewed annually satisfies the control — and satisfies it more credibly than a 100% completion report on a generic module that nobody retained.