Here’s a curious thing about people: sometimes we crave the familiar, and sometimes we demand the novel.
Go see Metallica live. What do you want? Enter Sandman. Master of Puppets. The songs you know by heart. Play some deep cut from a B-side and watch 50,000 people suddenly become very interested in their phones. But go see your favourite comedian and the contract flips entirely. Tell me a joke I’ve heard before and I’ll ask for my money back.
The difference? We seek familiarity when we want comfort and shared experience. We seek novelty when we want stimulation and new information. What this means is that, as humans, we’re actually remarkably consistent about being inconsistent.
Now, look at your security awareness programme.
Most of you are running one of two failing strategies. Either you’re the tribute act – same phishing simulation every quarter, same “lock your screen” poster since 2019, same mandatory annual training that everyone clicks through like a software licence agreement. Or you’re the desperate open-mic comedian – weekly “engaging content,” gamification, escape rooms, VR headsets, interpretive dance workshops about ransomware.
Both approaches assume your audience wants one thing. They don’t. They want both. At different times. In different contexts. For different topics.
Someone new to the organisation? They need the greatest hits. Phishing. Passwords. Physical security. The fundamentals. Play them the repertoire until it becomes muscle memory. But your veteran security-aware staff? They’re standing there waiting for new material and you’re still playing Smoke on the Water.
The real problem isn’t that you’re picking the wrong approach. It’s that you’re picking an approach. Singular. One-size-fits-all. Applied to everyone regardless of their experience, role, or what they actually need right now.
Your metrics reflect this confusion. Engagement tanks because half your audience is bored and half is overwhelmed. Retention suffers because you’re either repeating what they know or introducing what they’re not ready for. You blame “security fatigue” when really it’s just terrible timing.
In your current awareness strategy, everyone gets the same thing because it’s efficient, measurable, and fair. It’s also useless.
Here’s the uncomfortable bit… solving this manually is impossible. You can’t track what hundreds or thousands of employees need at any given moment. You can’t work out who needs repetition versus novelty today versus next week.
But AI can. Real-time behavioural analysis. Adaptive content delivery. Individual learning paths that know when someone needs the comforting familiar and when they’re ready for something new.
Instead of sending the entire company the same annual module, AI can build a personalised channel for each person. New starter in finance? They get the fundamentals, broken into short, repeatable segments. Seasoned engineer who never falls for phishing but keeps misconfiguring cloud storage? Less “Don’t click links” and more hands-on cloud security scenarios. A manager who puts confidential information on an unencrypted USB drive? Serve content that builds an understanding of how to handle data and the best ways to share it securely.
Done well, this provides training that is personalised, relevant and timely, and that respects people’s time, attention and existing knowledge.
The technology exists. The question is whether you’re brave enough to admit that your one-size-fits-all approach isn’t working – and never could.
Are you running a tribute act or an open mic night?
Wrong question. You should be running neither.
