

      Practice Makes Perfect: Why security awareness training must move beyond knowledge

      Effective security habits come from practice, not just knowledge.


      Key takeaways

      • Knowledge alone doesn’t change security behavior

      • Lasting security habits are built through practice and repetition

      • Safe failure creates stronger learning than blame

      Organizations invest in security awareness training to help employees make safer decisions. However, programs fall short when they are built on the flawed assumption that people remember what they’ve been taught and will apply it when it matters. 

      Why? Because behavioral research shows the opposite. Without repetition, learning fades quickly. And when memory fades, risk increases. 

      That’s why in Nimblr’s webinar Practice Makes Perfect, we explored a simple but powerful idea: lasting security behavior doesn’t come from more information - it comes from practice. 

      Just like the athletes we see during the Olympics, people don’t become great through one brilliant lesson. They become great through repeated, realistic training - over time. 

      Cybersecurity is no different.

      Knowing the right thing isn’t the same as doing it 

      A key theme is the difference between knowing and doing.

      Knowing is what we can explain when things are calm and there’s time to think. Doing is what happens in the moment, in real work, under pressure. 

      Behavior is always shaped by context: 

      • time pressure

      • distractions

      • habits

      • competing priorities

      • what feels normal or expected in the moment 

      That’s why people can fully understand what is “right” and still do something else in the moment.

      Or if we use the analogy: Reading a book about cycling doesn’t teach you how to ride a bike. 

      You learn by getting on the bike, wobbling, failing a bit, and trying again. 


      Why learning often fails at work 

      When mistakes happen, it’s tempting to point fingers: “they weren’t careful,” “they weren’t motivated,” “they didn’t pay attention.”

      But that’s not really true. 

      Security decisions aren’t made in calm, controlled environments. They’re made mid-task, mid-meeting, mid-inbox, often with interruptions and limited attention. 

      Most learning fails because it doesn’t line up with how work actually happens. 

      When attention is limited, the brain doesn’t focus on recalling policies. It focuses on getting through the situation. And in those moments, what guides behavior is: 

      • quick interpretations

      • habits

      • cues from the surrounding environment

      • social expectations

      • urgency and workload 

      This is why security failures are rarely about lack of knowledge; they’re about misalignment between rules and reality. 


      The driving analogy: context beats policy 

      When an accident happens, it’s usually not because the driver doesn’t know driving rules. 

      Most people know the rules: stop signs, speed limits, right-of-way. But context disrupts behavior: distraction, stress, visibility, pressure. 

      And social norms matter too. 

      If all the other cars are driving 5 km/h over the speed limit, you’ll likely do it too, even though you know the rules. 

      In cybersecurity, the same pattern shows up in the inbox. 

      When someone clicks a malicious link, it’s often not carelessness. It’s a reasonable action in a situation that wasn’t clear-cut, shaped by urgency, expectations, and incomplete information. 

      What actually changes behavior? 

      So, if knowledge isn’t enough, what works?

      Behavioral science points to three drivers of lasting behavior change: 

      • Practice - repeated opportunities to act in realistic situations

      • Repetition over time - spaced reinforcement that keeps knowledge top of mind

      • Feedback close to the moment of action - timely, contextual guidance 

      When a behavior is practiced enough times in the right setting, it becomes more automatic and holds up even when people are busy, stressed, or distracted. 

      This is also why one fabulous annual training session isn’t enough. 

      Without reinforcement, the brain deprioritizes unused knowledge. It fades even if people “know it.” 

      (Think of airline safety demonstrations: you’ve seen them a hundred times, yet they repeat them every flight because the moment you need it is high-stakes.) 

      Why safe failure matters (and why shame backfires) 

      One of the most important parts is psychological safety. 

      Learning requires visibility. Mistakes have to be allowed to surface, otherwise they get hidden. And hidden mistakes don’t result in learning. They become shame. 

      That’s why fear and learning don’t mix. If people worry about blame or consequences, they focus on protecting themselves, not improving. Phishing simulations can be extremely effective, but only when they are used correctly. If they’re used as “gotcha” moments, they backfire. 

      If they’re used as training data, expected, normal, and blame-free, they become one of the strongest learning tools we have. 

      The practical takeaway: focus on the situation, not the person. 

      Ask: What about the email, timing, workload, or context made clicking feel reasonable? 


      Designing security awareness for real humans 

      Traditional programs often train “ideal humans”, people who have the time and focus for calm decision-making. 

      But real work doesn’t look like that. 

      Nimblr’s platform is designed for real-world behavior: 

      • short, bite-sized learning moments

      • realistic simulations that reflect real attacks

      • immediate, contextual feedback after interaction

      • personalization based on each user’s behavior over time 

      The goal isn’t better quiz scores. The goal is safer behavior in the moments that matter.

      That’s also why Nimblr measures more than right/wrong answers by combining multiple signals into an “awareness level” that helps organizations see real behavioral change over time.  

      The bottom line: culture and systems win 

      If the same mistakes keep happening, it often points to something bigger than training. 

      It can be a signal that the system needs adjustment: workflows, tooling, leadership signals, or culture. 

      People follow the path of least resistance, especially under pressure. When secure behavior is built into the workflow, it becomes the default. 

      And leadership matters. What managers praise or punish determines what people repeat. If leaders model “stop, check, think” behavior, it becomes socially accepted and spreads. 

      In the end, effective security awareness is less about testing what people know and more about shaping what people do: 

      Less blame. More learning. 

      Less theory. More practice. 

      Want to Watch the Full Webinar? 

      In “Practice Makes Perfect,” Nimblr’s Rikard Zetterberg (Founder & CIO), Martin Karlqvist (Behavior Psychologist), and Aimée Ravaçon (CMO) share practical insights on how repetition, safe-failure simulations, and behavioral science help organizations build lasting security habits. 

      Link to the webinar on demand: https://nimblrsecurity.com/webinar-on-demand-practise-makes-perfect

       

      Author
      Nimblr Security Awareness
      The Nimblr team is made up of people who are passionate about cyber security, developing training for real people, and tracking behavioral change.