
Exploring Information Security

Securing the Future - A Journey into Cybersecurity Exploration

Image created by Gemini

Making Security Stick: Lessons from Cybersecurity Awareness Month

December 30, 2025

This blog post was created based on episode 253 of the Exploring Information Security podcast. Gemini created the first draft and a human edited it for publication.

Every October, the cybersecurity community rallies for Cybersecurity Awareness Month—a concentrated effort to bring security behaviors to the forefront of the corporate mind. But as any practitioner knows, getting thousands of employees to care about passwords and phishing is as much an art as it is a science.

In a recent episode of the Exploring Information Security podcast, I sat down with security awareness expert Maeve Mueller to discuss the logistics, the experiments, and the "human risk" of modern awareness programs. While Cybersecurity Awareness Month has already passed, it's never too early to start thinking about next year.

Beyond the PowerPoint: Creative Engagement

The consensus is clear: "death by PowerPoint" is the fastest way to lose an audience. Instead, practitioners should turn to gamification and high-impact demonstrations to make lessons stick.

  • Mythbusters & Live Cracking: Mueller’s team found success with a "Cybersecurity Mythbusters" presentation, where they disproved common misconceptions and used live password-cracking demonstrations to show how quickly a weak password can be compromised in a real data breach.

  • "Pitch a Phish" Contests: Rather than just being the targets, employees at Mueller's organization were invited to create their own phishing emails to dupe a fictional persona named "Mimi Click". This role reversal turned the tables and encouraged participation by letting teammates "phish" the security team.

  • Watch and Win: De Block experimented with a marathon-style "Watch and Win" contest, offering prizes to anyone who completed over nine hours of popular security training modules. Despite the length, over 500 employees finished the entire series.

The Logistics of "Food and Swag"

While digital events are scalable, in-person events remain a priority for leadership. However, these come with significant "hidden" time costs in planning and cleanup.

Mueller utilized booths in office lobbies, handing out swag like screen cleaning cloths and info cards. To draw the crowd, they used the ultimate motivator: food. While in another country for a security awareness event, she used candy from the US with clever puns, like "Smarties" (because smart people are cyber-secure).

Food is the best way to fill a room. The challenge, however, is the registration gamble: knowing how much food to buy so that it doesn't run out and leave attendees with nothing.

The Shift to "Human Risk Management"

The industry is currently seeing a shift in terminology from "security awareness" toward Human Risk Management (HRM).

HRM seeks to use data science and telemetry to look at the "full person"—analyzing how they respond to training, phishing simulations, and real-world incidents to build a more accurate risk profile. While the term is "HR-adjacent," it reflects a deeper need to manage behaviors rather than just providing information.

Final Thoughts: Awareness is a Year-Round Mission

The ultimate goal of October isn't to be a one-off event, but a "launching pad" for year-round security habits. As Mueller pointed out, "October is just one time to bring it to the forefront of your mind, but this is important every single month".

For those with limited resources, the experts recommend starting small. You don't need a daily blog post or a full-blown event schedule to make an impact. Even reaching just one or two teammates and helping them secure their personal lives—which inevitably bleeds into their professional behavior—is a win for the security team.
