How a multi-model approach builds lasting security culture
Author: Melonie Cole | Founder and CEO, Mindshift
Cyber security awareness programmes are most effective when they target behaviour change, not just knowledge transfer.
A programme designed around content delivers information. One designed around specific organisational risk delivers better cyber habit adoption.
The starting point is not which platform to use or which training format to deploy. It is understanding the specific behaviours creating risk in your organisation and designing everything around those.
Know your risks before you design your programme
Every organisation faces a different risk profile. The behaviours creating the most exposure in a financial services organisation may not be the same as those in healthcare or logistics.
Preventing phishing clicks, securing sensitive data, managing access credentials - these are common examples. But which represents the greatest risk in your organisation specifically? That question is worth answering before a single piece of content is created.
The most effective programmes start by identifying the top few behaviours that carry the highest risk. Those become the anchor for what you deliver, how you deliver it, and how you measure whether it is working.
Knowing your riskiest behaviours is what turns a generic awareness programme into a targeted one.
Measuring behaviour change is not simple. But it is more achievable than most organisations assume. Your security operations team and helpdesk hold more useful data than is often recognised. Incident reports, ticketing summaries and monitoring data give you a baseline picture of where risk currently sits.
That baseline is what tells you, over time, whether the programme is shifting behaviour or just generating completion records. Start with one or two known risky behaviours. Find the evidence. Use that as your measure of success.
Why one format is never enough
When you know your risky behaviours and have a good sense of how you’re going to measure improvement, it’s time to think about delivery methods.
A multi-modal approach ensures broader reach and deeper impact.
Once you know what behaviours you are targeting, the question is how to reach people effectively.
Different people process information differently. Some absorb structured content well. Others need conversation to make it stick. Some need a realistic scenario before a risk feels genuinely relevant. No single format reaches everyone.
A multi-modal approach addresses this. It combines delivery formats, each serving a distinct purpose, each reinforcing the others.
- eLearning: Scalable, consistent and ideal for building foundational knowledge across the organisation.
  Reinforces: face-to-face sessions and awareness campaigns.
- Face-to-face sessions: Personal, flexible and effective for diverse learning styles. Creates space for conversation.
  Reinforces: eLearning concepts through discussion and practice.
- Phishing simulations: Tests real responses to real threat scenarios. Highlights where gaps exist and reinforces vigilance.
  Reinforces: eLearning by surfacing real behaviour gaps to address.
- Awareness campaigns: Campaigns and nudges that keep security visible at the moments people need it most.
  Reinforces: all modes by keeping messages active between training events.
The real value of a multi-modal approach is in how the modes work together. A phishing simulation reveals where real behaviour falls short. eLearning addresses the knowledge gap. Face-to-face sessions create space for questions and conversation. Awareness campaigns maintain visibility between formal training events. Each one reinforces the others, and the cumulative effect is a programme that builds genuine resilience rather than periodic awareness.
Continuity is what makes it work
Twelve months is a long time in cyber security. Threats evolve. People join and leave. Organisations transform with the use of new technology. The behaviours that carried the most risk at the start of the year may look different by the end of it. A programme that adapts continuously to those changes is fundamentally more resilient than one built around an annual training cycle.
This does not require a large budget. It requires clarity about outcomes, creativity in delivery and a consistent operating rhythm. Organisations working with limited resources can still run effective multi-modal programmes. The discipline is in the consistency, not the scale.
Consistency over time builds the security culture that a single training event never can.
A note on AI and personalisation
Generative AI is already changing how awareness content is created and delivered. Programmes can now generate more content, faster, and tailor it to different audience segments at scale.
That is genuinely useful. But it does not resolve the fundamental challenge.
The most effective cyber security training is contextually relevant, built around how a specific organisation works and its human cyber risks. AI can accelerate production, but it doesn’t replace the judgment required to design a programme that fits an organisation specifically.
The organisations that will benefit most from AI in this space are the ones that already have a clear strategic foundation. They will use it to do more of what works. Those without that foundation risk producing more content that misses the mark, faster.
Mindshift designs multi-modal awareness programmes built around your organisation's specific risk profile. If you are thinking about how to strengthen your approach, we would welcome a conversation.