Cybersecurity awareness: how to train non-technical employees without losing them

The problem with cybersecurity training is almost never the content. It is the format: two hours of slides packed with technical jargon that nobody understands and everyone forgets before they close their laptop.
In 2025, Spain's national cybersecurity agency INCIBE handled 122,223 cybersecurity incidents, a 26% increase on the previous year.¹ Phishing was the most common form of online fraud, with over 25,000 cases. And yet 64% of Spanish executives still believe their employees lack the basic knowledge to recognise a threat.²
Most companies have a cybersecurity training programme. The problem is that "programme" usually means a forty-minute video, a corporate presentation, or an annual test nobody remembers taking. It is not that employees do not want to learn. It is that the format does not work.
This article explains why cybersecurity training fails for non-technical profiles and what to change so it actually does its job.
When cybersecurity training fails, the most common cause is not that the subject is difficult. It is that the training was not designed for the person receiving it.
30% of employees cite boredom as the main barrier to completing security training.³ Another 22% say the content is too technical and they lose the thread quickly. That has direct consequences: an employee who does not understand the training does not change their behaviour, even if they completed the module and signed the acknowledgement form.
The most common mistake is designing training for the IT team, not for the employee receiving it. A production manager, a sales rep, or someone in customer service does not need to know what a brute-force attack is. They need to know how to spot a phishing email pretending to come from their bank, from HR, or from the software vendor they use every day.
The good news: when training is properly designed, the risk reduction is significant. Continuous cybersecurity training can reduce employee-caused incidents by up to 72%.³
The goal is not to turn everyone into a security expert. It is to make sure each person can recognise the threats they will actually encounter at work. These are the four most common in corporate environments:
Phishing remains the most widely used entry vector. Employees need to recognise specific signals: a sender address that does not exactly match the real domain (a look-alike with an extra word, a hyphen or a swapped letter), artificial urgency ("your account will be blocked in 24 hours"), and a link that leads to a different URL than the one visible in the text. The last signal has a check anyone can perform: hover over the link before clicking and compare the destination the mail client shows with the address written in the message.
The key is not to explain the concept in the abstract. It is to show real examples using the types of emails that circulate in that specific industry.
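The three signals above can also be checked mechanically, which is how a security team builds the real examples it shows in training and how a simulated-phishing platform decides what to flag. The script below is an added example, not code from this article or from Vidext: it parses a raw email message with the Python standard library and reports the sender-domain mismatch, the urgency phrases and the link-text-versus-href mismatch it finds. The trusted-domain list, the urgency phrase list and both sample messages are assumptions constructed for the demonstration.

```python
"""Flag the phishing signals from the article in a raw email message.

Added example, not from the original article. TRUSTED_DOMAINS,
URGENCY_PHRASES and both sample messages are constructed for it.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: domains the organisation legitimately receives mail from.
TRUSTED_DOMAINS = {"examplebank.com"}
# Constructed: lower-case phrases that manufacture urgency.
URGENCY_PHRASES = ("within 24 hours", "will be blocked", "immediately", "urgent")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname. Crude (wrong for co.uk-style suffixes)
    but enough to show the comparison the article describes."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def phishing_indicators(raw_message):
    """Return human-readable indicators found in an RFC 5322 message string."""
    msg = message_from_string(raw_message)
    indicators = []

    # Signal 1: the sender. The display name is attacker-controlled, so only
    # the domain after '@' counts, and look-alike domains must not pass.
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(address.partition("@")[2])
    if sender_domain not in TRUSTED_DOMAINS:
        indicators.append(f"sender domain '{sender_domain}' is not trusted")
        for trusted in TRUSTED_DOMAINS:
            brand = trusted.split(".")[0]
            if re.search(rf"\b{re.escape(brand)}\b", display_name, re.IGNORECASE):
                indicators.append(f"display name '{display_name}' impersonates {trusted}")

    # Gather the text of every HTML and plain-text part.
    body = ""
    for part in msg.walk():
        if part.get_content_type() in ("text/html", "text/plain"):
            body += part.get_payload(decode=True).decode("utf-8", "replace")

    # Signal 2: artificial urgency.
    lowered = body.lower()
    indicators.extend(f"urgency phrase: '{p}'" for p in URGENCY_PHRASES if p in lowered)

    # Signal 3: visible link text naming one host while href points to another,
    # plus any link without a visible URL that leads to an untrusted host.
    collector = _LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        target = registrable_domain(urlparse(href).hostname or "")
        shown = re.search(r"https?://([^\s/]+)", text)
        if shown and registrable_domain(shown.group(1)) != target:
            indicators.append(f"link text shows {shown.group(1)} but points to {target}")
        elif not shown and target not in TRUSTED_DOMAINS:
            indicators.append(f"link to untrusted host {target}")
    return indicators


# Constructed sample: a "verify your account" lure sent from a look-alike domain.
SAMPLE_EMAIL = """\
From: "ExampleBank Security" <alerts@examplebank-secure.com>
To: employee@example.com
Subject: Action required
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account will be blocked within 24 hours unless you verify it.</p>
<p>Click <a href="https://examplebank-secure.com/login">https://examplebank.com/login</a></p>
</body></html>
"""

# Constructed sample: a legitimate notification that should raise nothing.
CLEAN_EMAIL = """\
From: "ExampleBank" <alerts@examplebank.com>
Subject: Monthly statement
Content-Type: text/html; charset="utf-8"

<html><body><p>Your statement is ready.
<a href="https://examplebank.com/statements">View statement</a></p></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_EMAIL), ("clean", CLEAN_EMAIL)):
        print(name, phishing_indicators(raw) or ["no indicators"])
```

Run as a script it prints five indicators for the lure and none for the clean message. The sender check deliberately ignores the display name when deciding trust, because that is exactly the field an attacker fills in with the brand being impersonated; the visible-URL check is the automated version of "hover before you click".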
Social engineering outside email is the second. An attacker calling and posing as technical support. A WhatsApp message from "the CEO" asking for an urgent transfer. An SMS with a parcel tracking link. These attacks require no technical knowledge to fall for, and no technical knowledge to learn to spot, either. The defence is the same in every case: before acting on an unexpected request, verify it through a channel you already trust, such as calling the person back on a number you know.
Poor password habits are the third. Reusing passwords between personal and corporate email. Using short, easy-to-guess passwords. Sharing credentials with colleagues "to make things easier". These are very common behaviours and very easy to correct, if training presents them as real situations rather than abstract rules.
Unsafe devices and networks are the fourth. Connecting to the hotel wifi to check corporate email. Using a personal laptop to access work tools. Leaving a session open on a shared computer. Each of these behaviours opens a door that no security policy can close if the employee does not know it exists.
Knowing what to teach is half the job. The other half is how to do it. These are the principles that make the difference between training that gets completed and forgotten, and training that changes behaviour:
Short modules instead of marathon sessions. A person can stay focused on a five-to-eight-minute module. Not on a forty-minute one. Breaking training into small units — each focused on a single type of threat — improves retention and makes periodic repetition easier.
Scenarios from the actual job, not generic examples. A phishing attack that simulates an HR email with a link to update banking details connects far more with an employee's reality than a generic "malicious email" example. The more recognisable the scenario, the more likely the learning transfers to real behaviour.
Simulations with immediate feedback. Simulated phishing campaigns work precisely because the employee receives feedback at the exact moment they make the mistake. Nothing is more effective than clicking a fake link and immediately receiving an explanation of why it was a trap and how to spot it next time.
Video format for reference content. The explanation of each threat type works better in video than in text — not because video is inherently superior, but because a short module with a presenter showing real examples on screen is easier to consume, more memorable, and easier to distribute to dispersed teams or staff on rotating shifts. AI-powered training platforms let you update that content when threats evolve without having to re-produce the entire video, which solves one of the core problems of cybersecurity training: content that ages fast.
Three practical indicators to measure impact:
Signing the security policy does not make anyone ready to recognise an attack. Cybersecurity awareness works when it is treated as real training: short modules, relevant examples, periodic simulations, and a format people can actually consume.
The technical challenge of designing that content is no longer the bottleneck. If you want to understand which tools exist to produce and distribute this type of training at scale, you can read our guide to AI corporate training platforms.
Annual training is not enough — threats evolve faster than training cycles. 58% of companies in Spain run awareness campaigns on a quarterly basis.² A reasonable model for most organisations combines an introductory module at onboarding, quarterly five-to-ten-minute refreshers, and a simulated phishing campaign every two to three months.
Cybersecurity training for technical profiles covers concepts like network architecture, vulnerability management, or forensic analysis. Awareness for non-technical employees focuses on behaviour: recognising threats, knowing how to react, and understanding why those reactions matter. They are different objectives and require different content.
It depends on the sector and company size. The NIS2 Directive, transposed into Spanish law, requires essential and important operators to adopt risk management measures that include staff training. Beyond specific legal obligations, Spain's data protection agency (AEPD) recommends periodic cybersecurity training as part of GDPR compliance measures. Consult your legal advisor for the specific requirements that apply to your organisation.
When an employee clicks a link in a simulated phishing campaign, do not apply negative consequences. The simulation is a learning tool, not an audit. The highest-impact training moment is right after the mistake: the employee should immediately receive an explanation of which signals they should have seen and how to react if it happens again. Platforms that integrate this real-time feedback have significantly higher retention rates than programmes that only measure click rates.
¹ INCIBE detected more than 122,000 cybersecurity incidents in 2025 (INCIBE)
² Security: What training do Spanish employees have? (Computing.es)
³ Security Awareness Training Statistics 2026 (Keepnet Labs)
© 2026 Vidext Inc.