
Security Awareness Training for Employees | CloseProtectionHire
Corporate security awareness training reduces insider threat, social engineering risk, and physical security failures. This guide explains what a credible programme covers and how to measure it.
Written by James Whitfield
Most security incidents at commercial premises involve a human decision at some point in the causal chain. Someone held a door open for a stranger. Someone responded to a pretext call with information they should not have shared. Someone left a laptop unattended in a hotel lobby. Someone did not question an unfamiliar face in a secure area because they did not want to seem rude.
Security technology does not prevent these incidents. Access control systems, CCTV, and alarm monitoring all respond after a failure has occurred. The intervention point is before the failure: a workforce that recognises threat indicators and makes the right decision under social pressure.
This is what security awareness training is designed to produce. Not theoretical knowledge of threats, but the practised behaviour and the social confidence to act on it.
What a Security Awareness Programme Is
A security awareness programme is a structured, ongoing effort to change employee behaviour in ways that reduce security risk. It is not a once-a-year compliance exercise. It is not a set of slides shown during onboarding and never revisited. And it is not the same as cybersecurity training, though the two share significant content and should be integrated where possible.
The SANS Security Awareness Maturity Model (2024) defines five maturity levels, from Level 1 (compliance-focused, minimal behaviour change) to Level 5 (long-term culture change sustained across the organisation). The research consistently shows that organisations below Level 3 – which requires a sustained programme with measurement and management engagement – produce little lasting behaviour change relative to their investment.
A Level 3+ programme has the following characteristics:
Regular content delivery. Monthly micro-content (short, topic-specific modules delivered via e-learning platform, internal communications, or in-person briefings) maintains attention to security topics. Annual refreshers consolidate the learning. Specific scenario simulations (phishing, physical security, social engineering tests) provide applied practice.
Role-specific content. Reception staff are the primary target for social engineering attacks against physical access. Finance and accounts payable staff are the primary target for business email compromise (BEC) and payment diversion fraud. Executive personal assistants are targeted for calendar intelligence that enables physical surveillance of principals. A programme that delivers identical content to all roles misses the specific threat pathways relevant to each.
Measurement. Without measurement, the programme is an expense, not an investment. The measurement framework should include phishing simulation click rates (the most common metric), reporting rates for suspicious incidents, and physical security compliance data from access control systems (tailgating incidents, propped door alarms, unescorted visitor events).
Senior sponsorship. The SANS Security Awareness Report 2024 identifies senior leadership sponsorship as the single highest-impact factor in programme effectiveness – more significant than content quality, delivery platform, or delivery frequency. A programme presented as a board-backed priority achieves higher engagement and better behaviour change than one framed as an IT compliance requirement.
Physical Security Content
The physical security component of security awareness training tends to be under-invested relative to the cybersecurity component, despite CPNI research showing that physical security failures are a frequent precursor to digital compromise – not a separate category.
CPNI (Centre for the Protection of National Infrastructure) audit data identifies the following as the most frequent physical security failures at commercial premises:
Tailgating. Allowing an uncredentialled individual through an access-controlled door because it is socially uncomfortable to challenge them. CPNI research identifies tailgating as the source of over 60% of physical access security failures. The training challenge is not information – everyone knows tailgating is wrong – it is giving staff the social confidence and a comfortable script to challenge it without confrontation. The effective intervention: normalise the challenge (“Can I help you? Are you expected?”) and debrief confidently. Role-play scenarios are more effective here than informational content.
Propped doors. A propped door is functionally identical to no access control. Access control data analysis will typically identify habitual propped doors; awareness training converts the data into behaviour change.
Unescorted visitors. A visitor who was signed in at reception and then left to navigate the premises alone is an uncontrolled variable in the security model. Training covers visitor management responsibilities for staff who receive visitors as well as for reception staff.
Screen and document exposure. Visual eavesdropping in open-plan offices, coffee shops, and transport environments. Physical privacy filters and behavioural awareness reduce this risk.
Unattended devices. A laptop left on a desk in an unsecured area, or carried through public environments without a security cable, is a data breach and a physical asset loss combined.
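As an added example (not code from the original article or from CloseProtectionHire), the following Python script shows how the measurement framework described above could be computed from an access-control export and a phishing simulation result set: it flags habitually propped doors by counting distinct days with door-held-open alarms rather than raw alarm counts, tallies tailgating and unescorted-visitor events, and computes click and report rates. The event names, door names, threshold and figures are constructed for illustration; real access-control panels and simulation platforms use their own export formats and codes.

```python
"""Programme metrics from access-control and phishing-simulation data.

Added example: the event format, door names, thresholds and figures below
are constructed for illustration and do not come from any real system.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed access-control export: timestamp, door, event type.
# The event names are assumptions; real panels use vendor-specific codes.
ACCESS_LOG = """\
2024-05-01T08:02:11,Loading Bay,DOOR_HELD_OPEN
2024-05-01T08:45:03,Loading Bay,DOOR_HELD_OPEN
2024-05-01T09:10:47,Main Entrance,TAILGATE_DETECTED
2024-05-02T07:58:30,Loading Bay,DOOR_HELD_OPEN
2024-05-02T12:31:09,Server Room,DOOR_FORCED
2024-05-03T08:05:52,Loading Bay,DOOR_HELD_OPEN
2024-05-03T17:40:18,Main Entrance,TAILGATE_DETECTED
2024-05-04T08:00:01,Loading Bay,DOOR_HELD_OPEN
2024-05-04T10:22:45,Visitor Lobby,VISITOR_UNESCORTED
2024-05-05T08:03:27,Loading Bay,DOOR_HELD_OPEN
2024-05-05T14:15:00,Main Entrance,DOOR_HELD_OPEN
"""

# Constructed phishing simulation results: one record per recipient.
PHISH_RESULTS = [
    {"user": "u1", "clicked": True, "reported": False},
    {"user": "u2", "clicked": False, "reported": True},
    {"user": "u3", "clicked": False, "reported": True},
    {"user": "u4", "clicked": True, "reported": True},  # clicked, then reported
    {"user": "u5", "clicked": False, "reported": False},
    {"user": "u6", "clicked": False, "reported": True},
    {"user": "u7", "clicked": False, "reported": False},
    {"user": "u8", "clicked": False, "reported": True},
]


def parse_access_log(text):
    """Parse the CSV-style export into (timestamp, door, event) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, door, kind = line.split(",")
        events.append((datetime.fromisoformat(ts), door, kind))
    return events


def habitual_propped_doors(events, min_days=3):
    """Doors with DOOR_HELD_OPEN alarms on at least `min_days` distinct days.

    Counting days rather than raw alarms separates a habit (the training
    target) from a single busy morning of deliveries.
    """
    days = defaultdict(set)
    for ts, door, kind in events:
        if kind == "DOOR_HELD_OPEN":
            days[door].add(ts.date())
    return sorted(door for door, seen in days.items() if len(seen) >= min_days)


def physical_failure_counts(events):
    """Count each physical failure type over the export period."""
    return Counter(kind for _, _, kind in events)


def phishing_metrics(results):
    """Click rate (the usual metric) and report rate (the leading indicator)."""
    n = len(results)
    clicked = sum(1 for r in results if r["clicked"])
    reported = sum(1 for r in results if r["reported"])
    return {"click_rate": clicked / n, "report_rate": reported / n}


def scorecard(events, results, min_days=3):
    """Combine physical and phishing measures into one programme scorecard."""
    counts = physical_failure_counts(events)
    return {
        "habitual_propped_doors": habitual_propped_doors(events, min_days),
        "tailgating_events": counts["TAILGATE_DETECTED"],
        "unescorted_visitor_events": counts["VISITOR_UNESCORTED"],
        **phishing_metrics(results),
    }


if __name__ == "__main__":
    for key, value in scorecard(parse_access_log(ACCESS_LOG), PHISH_RESULTS).items():
        print(f"{key}: {value}")
```

The scorecard is meant to be run on each reporting period and compared with the previous one: a falling click rate with a rising report rate, and a shrinking list of habitual doors, is the behaviour change the programme is paying for. Tracking per door also tells the programme owner where to aim the propped-door content rather than sending it to everyone.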
Social Engineering Content
Social engineering – the use of psychological manipulation to extract information or access from individuals who would not grant it if the request were made transparently – is the most effective attack vector against most physical security programmes.
The NCSC (National Cyber Security Centre) Annual Review 2024 documents state-sponsored social engineering campaigns targeting UK commercial organisations. The FBI IC3 report 2023 identifies BEC (business email compromise), which relies on social engineering rather than technical intrusion, as the highest-value single fraud category with $2.9 billion in reported losses. The physical equivalents – pretext calls, impersonation visits, deceptive delivery or service operative access – are less frequently measured but consistently identified in penetration testing engagements.
The content categories that awareness training must address:
Pretexting. Impersonating a credible role (IT support, building maintenance, courier, regulator) to gain physical or information access. The defence is verification: caller ID does not confirm identity; every access request for a sensitive area requires independent verification of identity through a known channel.
Baiting. Leaving physical devices (USB drives in earlier campaigns) or sending unsolicited credentials in environments where curiosity will drive interaction. The specific baiting concern for physical security is the planted device – an audio recorder or tracking device concealed in a delivered item or left in an accessible area.
Elicitation. Extracting sensitive information through apparently casual conversation – at industry events, in shared workspace environments, in social settings adjacent to work. The training target is awareness that professional information has value and that information elicitation is a structured activity used by competitors and state intelligence services, not only by criminals.
Authority exploitation. Compliance with apparent authority figures who bypass normal procedures (“I’m from the board, just need access to the server room for five minutes”). Training covers the principle that legitimate authority figures do not need procedures bypassed.
Counter-Terrorism Awareness
The CPNI ACT (Action Counters Terrorism) awareness programme provides free training materials for UK organisations, focused on recognising the indicators of hostile reconnaissance – the preparatory activity that precedes most terrorist attacks and many serious criminal incidents. The programme covers: recognising suspicious behaviour (unusual photography of security infrastructure, extended observation of entry points, repeated sightings of the same individual in surveillance positions), what to do when suspicious behaviour is recognised (note details, do not confront, report through the correct channel), and the reporting infrastructure (police 999 for immediate threat, police 101 for non-urgent concerns, or via the employer’s internal security reporting channel).
The ACT programme is directly aligned with the obligations being created by the Terrorism (Protection of Premises) Act 2024 (Martyn’s Law) for qualifying venues, but its content is relevant to any commercial premises.
Delivery Formats
Security awareness content can be delivered through several formats, each with different strengths:
E-learning platforms (KnowBe4, Proofpoint Security Awareness, Mimecast) provide scalable, trackable delivery with built-in phishing simulations and reporting dashboards. They are effective for the cognitive knowledge component but less effective for the behavioural practice component.
In-person scenario training – workshops that use role-play to practise challenging tailgaters, responding to pretext calls, and recognising social engineering – produces better behaviour change for social situations than e-learning. It is more resource-intensive but appropriate for high-risk roles (reception, executive assistants, finance, security staff).
Physical security penetration testing – commissioning a test exercise where a trained professional attempts to gain access to the premises using social engineering and physical deception – produces immediate, visceral awareness of the gap between policy and reality. Many organisations discover that their polished access control infrastructure is penetrated in under 15 minutes. The debrief from a failed penetration test is more impactful than any amount of classroom content.
For the corporate security programme structure that security awareness training should sit within, see our corporate security programme design guide. For the insider threat management framework that awareness training should support, see our insider threat guide.
Source: SANS Institute: Security Awareness Report 2024. CPNI: Physical Security Awareness – Common Failure Modes, 2024. NCSC (UK) Annual Review 2024. FBI Internet Crime Complaint Center (IC3) Annual Report 2023. ASIS International: Physical Security Convergence Working Group Report 2024. ISO/IEC 27001:2022, Annex A.6.3 (Information Security Awareness, Education and Training). NIS2 Directive (EU) 2022/2555, Article 21. CPNI ACT (Action Counters Terrorism) Programme 2024.
Key takeaways
One-time inductions do not change long-term behaviour
SANS Institute research shows that one-time security inductions produce behaviour change for approximately 30 days. Sustained programmes – monthly micro-content, quarterly simulations, annual refreshers – are required to create the persistent behaviour change that actually reduces incident rates.
Tailgating is the most common physical security failure
CPNI audit data identifies tailgating as the source of over 60% of physical access security failures. It is socially awkward to challenge tailgating, which is why training must normalise the challenge behaviour and give staff a comfortable script for doing it.
Reporting culture is the leading indicator of programme health
The number of staff reporting suspicious incidents (emails, individuals, behaviour) is a better leading indicator of programme effectiveness than incident rates, which are lagging. A high reporting rate with low conversion to actual incidents is a sign of an alert, engaged workforce – not over-reporting.
High-risk roles need role-specific content
Reception staff face different threats than finance staff, who face different threats than the executive team. A programme that delivers identical content to all staff misses the specific social engineering and physical security failure modes that are relevant to each role. Role-specific modules for high-risk categories should be part of any mature programme.
The training programme must have senior sponsorship to function
Security awareness programmes that are perceived as a compliance exercise rather than a board-backed priority have consistently lower engagement and lower behaviour change. The SANS Security Awareness Report 2024 identifies visible senior sponsorship as the single highest-impact factor in programme effectiveness – more significant than content quality, delivery platform, or frequency.