[{"data":1,"prerenderedAt":640},["ShallowReactive",2],{"\u002Fnow\u002Fbeyond-memorization":3,"\u002Fnow\u002Fbeyond-memorization-surround":629},{"id":4,"title":5,"api":6,"authors":7,"body":13,"category":617,"date":618,"description":619,"extension":620,"features":6,"fixes":6,"highlight":6,"image":621,"improvements":6,"meta":623,"navigation":624,"path":625,"seo":626,"stem":627,"__hash__":628},"posts\u002F3.now\u002Fbeyond-memorization.md","Beyond Memorization: How episki Supports True Security Awareness Through Behavior Change",null,[8],{"name":9,"to":10,"avatar":11},"Justin Leapline","https:\u002F\u002Fwww.linkedin.com\u002Fin\u002Fjustinleapline\u002F",{"src":12},"\u002Fimages\u002Fjustinleapline.png",{"type":14,"value":15,"toc":599},"minimark",[16,25,28,31,36,39,45,48,76,85,90,94,97,102,105,110,131,137,141,144,148,159,165,169,172,176,192,197,201,208,212,223,228,232,235,240,280,285,300,304,311,316,342,352,356,359,364,378,383,394,399,410,415,426,431,435,438,443,469,475,479,482,487,525,530,534,537,540,566,573,576,583,586],[17,18,19,20,24],"p",{},"Here's a number that should keep every security leader up at night: ",[21,22,23],"strong",{},"the average data breach costs $5.6 million",", and human error remains the leading factor in over 68% of incidents. Companies pour money into firewalls, endpoint detection, and zero-trust architectures — then watch an employee click a phishing link that bypasses all of it.",[17,26,27],{},"Most security awareness programs don't actually change behavior. They check a compliance box. They generate completion certificates. But they don't build the reflexive, instinctive thinking that stops breaches before they start.",[17,29,30],{},"If your awareness program still looks like a once-a-year quiz followed by a policy acknowledgment, you're not alone. But you're also not protected. Let's talk about what actually works.",[32,33,35],"h2",{"id":34},"why-memorization-falls-short","🧠 Why Memorization Falls Short",[17,37,38],{},"Traditional security awareness training treats employees like storage devices. Load information in, hope it stays accessible when needed. But that's not how human cognition works.",[17,40,41,44],{},[21,42,43],{},"The forgetting curve is brutal."," Research by Hermann Ebbinghaus — and confirmed by modern studies — shows people forget roughly 70% of new information within 24 hours and up to 90% within a week without reinforcement. That annual training your team completed in January? By February, most of it is gone.",[17,46,47],{},"There are deeper problems too:",[49,50,51,58,64,70],"ul",{},[52,53,54,57],"li",{},[21,55,56],{},"Context collapse."," Generic training doesn't map to real workflows. Employees learn abstract rules but can't apply them when a suspicious email actually lands in their inbox.",[52,59,60,63],{},[21,61,62],{},"Compliance theater."," When people know training is just a checkbox, engagement drops. They click through slides as fast as possible. The goal becomes \"finish this\" not \"learn this.\"",[52,65,66,69],{},[21,67,68],{},"One-size-fits-none."," A finance team handling wire transfers faces fundamentally different threats than a developer pushing code. Generic training addresses neither well.",[52,71,72,75],{},[21,73,74],{},"No emotional engagement."," Behavioral science tells us decisions are driven by emotion and habit, not rational recall. Memorizing a policy doesn't create the gut reaction needed to pause before clicking.",[17,77,78,79,84],{},"The result? Even smart, well-meaning team members fall for social engineering, mishandle sensitive data, or skip reporting a near-miss. This challenge gets harder when you're ",[80,81,83],"a",{"href":82},"\u002Fnow\u002Fsecurity-shrinking-resources","working with shrinking resources"," — you can't afford awareness programs that don't deliver.",[17,86,87],{},[21,88,89],{},"Memorization doesn't build instinct. Behavior change does.",[32,91,93],{"id":92},"what-real-security-awareness-looks-like","🎯 What Real Security Awareness Looks Like",[17,95,96],{},"Effective awareness isn't a training event. It's an ongoing system that shapes how people think and act. Four principles separate programs that work from programs that just exist.",[98,99,101],"h3",{"id":100},"_1-contextual-not-generic","1. Contextual, Not Generic",[17,103,104],{},"Different roles face different threats. A software engineer needs to understand dependency confusion attacks. An HR specialist needs to recognize pretexting. A finance team member needs to spot invoice fraud and business email compromise.",[17,106,107],{},[21,108,109],{},"Implementation examples:",[49,111,112,115,128],{},[52,113,114],{},"Map your top 5 threat scenarios to each department as the foundation for role-specific content.",[52,116,117,118,122,123,127],{},"Include real industry examples — a ",[80,119,121],{"href":120},"\u002Findustry\u002Fhealthcare","healthcare"," company should train on ",[80,124,126],{"href":125},"\u002Fframeworks\u002Fhipaa","HIPAA","-specific phishing lures, not generic \"Nigerian prince\" scenarios.",[52,129,130],{},"Update quarterly based on actual incident data and threat intelligence.",[17,132,133,136],{},[21,134,135],{},"Practical tip:"," Start small. Pick your three highest-risk roles and build tailored content for those first. Trying to customize for every role on day one leads to paralysis.",[98,138,140],{"id":139},"_2-embedded-in-the-workflow","2. Embedded in the Workflow",[17,142,143],{},"Security awareness that lives in a separate platform, accessed once a year, is dead on arrival. The best programs meet people where they already work.",[17,145,146],{},[21,147,109],{},[49,149,150,153,156],{},[52,151,152],{},"Deliver micro-lessons through Slack, Teams, or email — 2-minute scenarios during the workweek, not in a separate LMS.",[52,154,155],{},"Trigger contextual reminders at decision points: sharing files externally, onboarding a vendor, or reviewing access.",[52,157,158],{},"Integrate awareness checkpoints into onboarding, quarterly reviews, and project kickoffs.",[17,160,161,164],{},[21,162,163],{},"Metrics to track:"," Engagement rates on embedded content vs. standalone modules. Expect 3-5x higher completion when training is woven into existing workflows.",[98,166,168],{"id":167},"_3-scenario-driven","3. Scenario-Driven",[17,170,171],{},"People learn best when they can see themselves in the situation. Abstract rules like \"don't click suspicious links\" are useless without a mental model of what \"suspicious\" actually looks like.",[17,173,174],{},[21,175,109],{},[49,177,178,186,189],{},[52,179,180,181,185],{},"Build training around real-world examples: phishing emails mimicking your actual vendors, suspicious access requests, ",[80,182,184],{"href":183},"\u002Fnow\u002Fvendor-risk-management","vendor decisions that carry hidden risk",".",[52,187,188],{},"Use branching scenarios where employees make choices and see consequences. \"You received this email — what do you do?\"",[52,190,191],{},"Rotate scenarios monthly so content stays fresh and employees can't memorize the \"right\" answers.",[17,193,194,196],{},[21,195,135],{}," Pull scenarios from your own incident history (anonymized). Nothing resonates like \"this actually happened here.\"",[98,198,200],{"id":199},"_4-reinforced-regularly","4. Reinforced Regularly",[17,202,203,204,207],{},"Annual training creates a spike in awareness followed by 11 months of decay. ",[21,205,206],{},"Spaced repetition"," — short, frequent touchpoints spread over time — dramatically improves long-term retention.",[17,209,210],{},[21,211,109],{},[49,213,214,217,220],{},[52,215,216],{},"Replace one 60-minute annual session with twelve 5-minute monthly touchpoints. Same total time, vastly better retention.",[52,218,219],{},"Mix formats: quick quizzes one month, a simulated phishing exercise the next, a short video scenario after that.",[52,221,222],{},"Celebrate wins publicly. When someone reports a real phishing attempt, recognize it. Positive reinforcement builds culture faster than punishment.",[17,224,225,227],{},[21,226,163],{}," Compare phishing click rates month-over-month. Programs using spaced repetition typically see a 40-60% reduction within six months.",[32,229,231],{"id":230},"phishing-simulation-best-practices","🎣 Phishing Simulation Best Practices",[17,233,234],{},"Phishing simulations are one of the most powerful awareness tools — but also one of the most misused. Done poorly, they breed resentment. Done well, they build genuine instincts.",[17,236,237],{},[21,238,239],{},"Do this:",[49,241,242,248,254,260,274],{},[52,243,244,247],{},[21,245,246],{},"Start with a baseline."," Run an initial simulation before training so you have honest data to measure against.",[52,249,250,253],{},[21,251,252],{},"Escalate difficulty gradually."," Begin with obvious indicators (misspelled domains, generic greetings), then progress to targeted spear-phishing mimicking real vendor communications.",[52,255,256,259],{},[21,257,258],{},"Make reporting easy."," One click, clearly visible, every email client. If reporting requires three clicks, you're adding friction to the behavior you want.",[52,261,262,265,266,270,271,185],{},[21,263,264],{},"Provide immediate feedback."," Clicked a simulated phish? Show them what they missed ",[267,268,269],"em",{},"right then",". Reported it? Congratulate them ",[267,272,273],{},"instantly",[52,275,276,279],{},[21,277,278],{},"Vary the attack vectors."," Include smishing (SMS), vishing (voice), and QR code attacks alongside email phishing.",[17,281,282],{},[21,283,284],{},"Don't do this:",[49,286,287,294,297],{},[52,288,289,290,293],{},"Don't \"gotcha\" employees publicly. Shaming destroys psychological safety and makes people ",[267,291,292],{},"less"," likely to report real incidents.",[52,295,296],{},"Don't run simulations during high-stress periods (end of quarter, major launches).",[52,298,299],{},"Don't use simulations as punishment. The goal is learning.",[32,301,303],{"id":302},"building-a-security-champions-program","🏆 Building a Security Champions Program",[17,305,306,307,310],{},"One of the highest-leverage moves you can make is building a network of ",[21,308,309],{},"security champions"," — employees across departments who serve as local security advocates.",[17,312,313],{},[21,314,315],{},"How to structure it:",[49,317,318,324,330,336],{},[52,319,320,323],{},[21,321,322],{},"Recruit volunteers, don't conscript."," Look for people who already show interest in security or naturally ask good questions during training.",[52,325,326,329],{},[21,327,328],{},"Invest in their growth."," Give champions deeper training, threat briefings, and direct access to the security team. Make it feel like a privilege.",[52,331,332,335],{},[21,333,334],{},"Define clear responsibilities."," Lead monthly security discussions, serve as first responders for security questions, or help test new awareness content.",[52,337,338,341],{},[21,339,340],{},"Recognize and reward."," Dedicated Slack channel, quarterly recognition, or professional development budget — make sure champions feel valued.",[17,343,344,347,348,185],{},[21,345,346],{},"Why it works:"," A developer telling another developer \"hey, I almost fell for this phishing email last week\" is more impactful than any formal training module. Champions extend your reach without extending your headcount — critical when you're ",[80,349,351],{"href":350},"\u002Fnow\u002Fgrc-guide-growing-companies","building a GRC program with limited resources",[32,353,355],{"id":354},"role-based-training-programs","👥 Role-Based Training Programs",[17,357,358],{},"Generic training is the enemy of effective awareness. Here's what focused, role-specific programs look like:",[17,360,361],{},[21,362,363],{},"Engineering teams:",[49,365,366,369,372,375],{},[52,367,368],{},"Secure coding practices and vulnerability patterns (OWASP Top 10)",[52,370,371],{},"Secrets management — never hardcoding API keys, using vaults properly",[52,373,374],{},"Supply chain security — verifying dependencies, recognizing dependency confusion",[52,376,377],{},"Incident response for production systems — what to escalate and when",[17,379,380],{},[21,381,382],{},"HR and people operations:",[49,384,385,388,391],{},[52,386,387],{},"Social engineering and pretexting attacks targeting employee data",[52,389,390],{},"Safe handling of PII during hiring, onboarding, and offboarding",[52,392,393],{},"Verifying identity during sensitive requests (payroll changes, employment verification)",[17,395,396],{},[21,397,398],{},"Finance and accounting:",[49,400,401,404,407],{},[52,402,403],{},"Business email compromise (BEC) red flags — urgent wire transfers, last-minute account changes",[52,405,406],{},"Invoice fraud detection — verifying vendor banking details out-of-band",[52,408,409],{},"Proper authorization chains for financial transactions",[17,411,412],{},[21,413,414],{},"Executives and leadership:",[49,416,417,420,423],{},[52,418,419],{},"Whale phishing (targeted attacks on senior leaders)",[52,421,422],{},"Safe communication practices for sensitive strategic information",[52,424,425],{},"Their role in setting security culture from the top",[17,427,428,430],{},[21,429,135],{}," Don't build all of these at once. Start with whichever role has the highest incident rate or handles the most sensitive data. Build one well, measure impact, then expand.",[32,432,434],{"id":433},"incident-response-as-training","🔥 Incident Response as Training",[17,436,437],{},"Every security incident — even a near-miss — is a learning opportunity. The strongest security cultures treat incidents as teaching moments, not just firefighting exercises.",[17,439,440],{},[21,441,442],{},"How to turn incidents into awareness:",[49,444,445,451,457,463],{},[52,446,447,450],{},[21,448,449],{},"Blameless post-mortems."," Run retrospectives focused on systems and processes, not individual blame. Share findings broadly.",[52,452,453,456],{},[21,454,455],{},"\"Lessons learned\" micro-briefings."," Turn real incidents into 3-minute briefings. \"Last week, a team member received an email that looked like...\" is infinitely more engaging than hypotheticals.",[52,458,459,462],{},[21,460,461],{},"Near-miss reporting culture."," Encourage reporting suspicious activity even when nothing bad happened. Each near-miss reinforces the behavior you want.",[52,464,465,468],{},[21,466,467],{},"Tabletop exercises."," Quarterly walkthroughs of realistic scenarios help teams practice before a real event.",[17,470,471,474],{},[21,472,473],{},"The key insight:"," People remember stories. They forget policies. An anonymized account of a real incident at your company will stick far longer than a bullet point in a security handbook.",[32,476,478],{"id":477},"measuring-effectiveness","📊 Measuring Effectiveness",[17,480,481],{},"You can't improve what you don't measure. But most organizations track the wrong things — completion rates and quiz scores tell you about compliance, not capability.",[17,483,484],{},[21,485,486],{},"Metrics that actually matter:",[49,488,489,495,501,507,513,519],{},[52,490,491,494],{},[21,492,493],{},"Phishing simulation click rate (trend over time)."," The absolute number matters less than the direction. Are fewer people clicking month over month?",[52,496,497,500],{},[21,498,499],{},"Reporting rate."," What percentage of simulated phishing emails get reported? Arguably more important than click rate — you want people to report, not just avoid.",[52,502,503,506],{},[21,504,505],{},"Mean time to report."," How quickly do employees flag suspicious activity? Faster reporting means faster response.",[52,508,509,512],{},[21,510,511],{},"Incident frequency by category."," Are human-error incidents decreasing in the areas you've focused training on?",[52,514,515,518],{},[21,516,517],{},"Security question volume."," More employees asking \"is this legit?\" is a positive signal — people are thinking before acting.",[52,520,521,524],{},[21,522,523],{},"Champion program engagement."," Are your security champions active and driving conversations?",[17,526,527,529],{},[21,528,135],{}," Build a simple dashboard tracking these monthly. When you can show your awareness program reduced phishing click rates by 50% over six months, you'll never have trouble justifying the investment.",[32,531,533],{"id":532},"️-how-episki-supports-behavioral-change","🛠️ How episki Supports Behavioral Change",[17,535,536],{},"Implementing all of this manually — role-based content, spaced repetition, engagement tracking across departments — is a massive operational lift. That's where episki makes a real difference.",[17,538,539],{},"With episki, you can:",[49,541,542,548,554,560],{},[52,543,544,547],{},[21,545,546],{},"Automate training touchpoints"," with scheduling that follows spaced repetition principles",[52,549,550,553],{},[21,551,552],{},"Track completion and engagement by role or team"," to identify gaps and demonstrate progress",[52,555,556,559],{},[21,557,558],{},"Align awareness content with compliance goals"," so training serves double duty — building culture and satisfying auditors",[52,561,562,565],{},[21,563,564],{},"Embed security check-ins during onboarding, policy rollout, or incident reviews"," so awareness is woven into workflows, not bolted on as an afterthought",[17,567,568,569,572],{},"episki makes it practical to ",[21,570,571],{},"turn awareness into culture"," — and culture into protection.",[574,575],"hr",{},[17,577,578,579,582],{},"Security awareness isn't about who memorizes the most rules. It's about building a team that ",[267,580,581],{},"acts"," securely — instinctively — because they understand the \"why\" behind the \"what.\"",[17,584,585],{},"If your program is still built around annual training and completion certificates, it's time to evolve. The threats are getting smarter. Your awareness program should be too.",[17,587,588,591,592,598],{},[21,589,590],{},"Ready to build behavior-based security awareness?"," ",[80,593,597],{"href":594,"rel":595},"https:\u002F\u002Fepiski.app",[596],"nofollow","Start with episki"," and turn compliance checkboxes into genuine security culture.",{"title":600,"searchDepth":601,"depth":601,"links":602},"",2,[603,604,611,612,613,614,615,616],{"id":34,"depth":601,"text":35},{"id":92,"depth":601,"text":93,"children":605},[606,608,609,610],{"id":100,"depth":607,"text":101},3,{"id":139,"depth":607,"text":140},{"id":167,"depth":607,"text":168},{"id":199,"depth":607,"text":200},{"id":230,"depth":601,"text":231},{"id":302,"depth":601,"text":303},{"id":354,"depth":601,"text":355},{"id":433,"depth":601,"text":434},{"id":477,"depth":601,"text":478},{"id":532,"depth":601,"text":533},"news","2026-01-09","Why quizzes and policy read-throughs fall short, and how episki helps teams build real security instincts through contextual, scenario-driven awareness.","md",{"src":622},"\u002Fimages\u002Fblog\u002Ftech.jpg",{},true,"\u002Fnow\u002Fbeyond-memorization",{"title":5,"description":619},"3.now\u002Fbeyond-memorization","9VEGfToP-75shcDMrWCdGCU6AB7y0O7Wtsnroy04xsU",[630,635],{"title":631,"path":632,"stem":633,"description":634,"children":-1},"Best SOC 2 Compliance Tools & Software (2026)","\u002Fnow\u002Fbest-soc2-compliance-tools","3.now\u002Fbest-soc2-compliance-tools","The best SOC 2 compliance tools and software in 2026 — compared on pricing, automation, auditor familiarity, and fit for startups through enterprise.",{"title":636,"path":637,"stem":638,"description":639,"children":-1},"How to Build a GRC Team: Roles, Skills, and Hiring Order","\u002Fnow\u002Fbuilding-a-grc-team","3.now\u002Fbuilding-a-grc-team","When to make your first GRC hire, what skills to prioritize, how to scale from one person to a team, and when outsourcing makes more sense than hiring.",1778494715208]