Key takeaways
Knowledge alone doesn’t change security behavior
Lasting security habits are built through practice and repetition
Safe failure creates stronger learning than blame
Organizations invest in security awareness training to help employees make safer decisions. However, programs fall short when they are built on the flawed assumption that people remember what they’ve been taught and will apply it when it matters.
Why? Because behavioral research shows the opposite. Without repetition, learning fades quickly. And when memory fades, risk increases.
That’s why in Nimblr’s webinar Practice Makes Perfect, we explored a simple but powerful idea: lasting security behavior doesn’t come from more information - it comes from practice.
Just like the athletes we see during the Olympics, people don’t become great through one brilliant lesson. They become great through repeated, realistic training - over time.
Cybersecurity is no different.
Knowing the right thing isn’t the same as doing it
A key theme is the difference between knowing and doing.
Knowing is what we can explain when things are calm and there’s time to think. Doing is what happens in the moment, in real work, under pressure.
Behavior is always shaped by context:
time pressure
distractions
habits
competing priorities
what feels normal or expected in the moment
That’s why people can fully understand what is “right” and still do something else in the moment.
Or, to use the analogy: reading a book about cycling doesn’t teach you how to ride a bike.
You learn by getting on the bike, wobbling, failing a bit, and trying again.
When mistakes happen, it’s tempting to point fingers: “they weren’t careful,” “they weren’t motivated,” “they didn’t pay attention.”
But that’s not really true.
Security decisions aren’t made in calm, controlled environments. They’re made mid-task, mid-meeting, mid-inbox, often with interruptions and limited attention.
Most learning fails because it doesn’t line up with how work actually happens.
When attention is limited, the brain doesn’t focus on recalling policies. It focuses on getting through the situation. And in those moments, what guides behavior is:
quick interpretations
habits
cues from the surrounding environment
social expectations
urgency and workload
This is why security failures are rarely about a lack of knowledge; they’re about a misalignment between rules and reality.
When an accident happens, it’s usually not because the driver doesn’t know the rules of the road.
Most people know the rules: stop signs, speed limits, right-of-way. But context disrupts behavior: distraction, stress, visibility, pressure.
And social norms matter too.
If all the other cars are driving 5 km/h over the speed limit, you’ll likely do it too, even though you know the rules.
In cybersecurity, the same pattern shows up in the inbox.
When someone clicks a malicious link, it’s often not carelessness. It’s a reasonable action in a situation that wasn’t clear-cut, shaped by urgency, expectations, and incomplete information.
What actually changes behavior?
So, if knowledge isn’t enough, what works?
Behavioral science points to three drivers of lasting behavior change:
Practice - repeated opportunities to act in realistic situations
Repetition over time - spaced reinforcement that keeps knowledge top of mind
Feedback close to the moment of action - timely, contextual guidance
When a behavior is practiced enough times in the right setting, it becomes more automatic and holds up even when people are busy, stressed, or distracted.
This is also why one fabulous annual training session isn’t enough.
Without reinforcement, the brain deprioritizes unused knowledge. It fades even if people “know it.”
(Think of airline safety demonstrations: you’ve seen them a hundred times, yet they repeat them every flight because the moment you need it is high-stakes.)
Why safe failure matters (and why shame backfires)
Learning requires visibility. Mistakes have to be allowed to surface, otherwise they get hidden. And hidden mistakes don’t result in learning. They become shame.
That’s why fear and learning don’t mix. If people worry about blame or consequences, they focus on protecting themselves, not improving. Phishing simulations can be extremely effective, but only when they are used correctly. If they’re used as “gotcha” moments, they backfire.
If they’re used as training data, expected, normal, and blame-free, they become one of the strongest learning tools we have.
The practical takeaway: focus on the situation, not the person.
Ask: What about the email, timing, workload, or context made clicking feel reasonable?
Traditional programs often train “ideal humans”: people who have the time and focus for calm decision-making.
But real work doesn’t look like that.
Nimblr’s platform is designed for real-world behavior:
short, bite-sized learning moments
realistic simulations that reflect real attacks
immediate, contextual feedback after interaction
personalization based on each user’s behavior over time
The goal isn’t better quiz scores. The goal is safer behavior in the moments that matter.
That’s also why Nimblr measures more than right/wrong answers by combining multiple signals into an “awareness level” that helps organizations see real behavioral change over time.
The bottom line: culture and systems win
If the same mistakes keep happening, it often points to something bigger than training.
It can be a signal that the system needs adjustment: workflows, tooling, leadership signals, or culture.
People follow the path of least resistance, especially under pressure. When secure behavior is built into the workflow, it becomes the default.
And leadership matters. What managers praise or punish determines what people repeat. If leaders model “stop, check, think” behavior, it becomes socially accepted and spreads.
In the end, effective security awareness is less about testing what people know and more about shaping what people do:
Less blame. More learning.
Less theory. More practice.
In “Practice Makes Perfect,” Nimblr’s Rikard Zetterberg (Founder & CIO), Martin Karlqvist (Behavior Psychologist), and Aimée Ravaçon (CMO) share practical insights on how repetition, safe-failure simulations, and behavioral science help organizations build lasting security habits.
Link to the webinar on demand: https://nimblrsecurity.com/webinar-on-demand-practise-makes-perfect