Security awareness training is about people. Learn how a Leader in The Gartner Magic Quadrant for Security Awareness CBT delivers the foundation of a people-centric security awareness program.

Employees – the humans in an organization – present a risk to the state of security in your organization. Businesses can battle that human risk with a human fix: a security awareness program that is people-centric and focuses on changing employee behavior and creating a culture of cybersecurity throughout the organization.

“People affect security outcomes more than technology, policies or processes. The market for security awareness computer-based training (CBT) is driven by the recognition that, without perfect cybersecurity protection systems, people play a critical role in an organization’s overall security and risk posture. This role is defined by inherent strengths and weaknesses: people’s ability to learn and their vulnerability to error, exploitation and manipulation. End-user-focused security education and training is a rapidly growing market. Demand is fueled by the needs of security and risk management (SRM) leaders to help influence the behaviors that affect the security of employees, citizens and consumers.”

(Gartner Magic Quadrant for Security Awareness Computer-Based Training, Joanna Huisman, 18 July 2019)


Gartner has named Terranova Security a Leader in the 2019 Magic Quadrant for Security Awareness computer-based training. We believe this recognition supports the significant work we have done to execute on our vision and demonstrate leadership with the five elements for people-centric security awareness.


Five Elements of People-Centric Security Awareness

To change behavior so that employees always act with a security mindset in everything they do, it is important to understand what motivates people, approach security awareness from a “people” perspective, and implement a security awareness program that’s people-centric. CISOs and security awareness leaders know this, but they don’t always know where to begin to ensure they are incorporating all the elements in their security awareness program that motivate and educate for long-term behavior

1. High Quality Content

High-quality, relevant content is central to any security awareness program in order to engage users and provide a training program that is fun, resonates and changes behavior. Content created by a team of domain experts and based on a proven pedagogical approach for adult learning tends to help users attain the highest degree of success. Other important considerations for high-quality content include microlearning modules for risk-specific content to help reinforce security awareness behaviors. Recent findings stress the need to adopt modern ways, such as gamification, to transfer new knowledge and information to learners. Gamification in training can improve motivation and engagement. Finally, learning activities designed around the audience’s roles and responsibilities within the organization also make the training more personalized and impactful.

2. Personalized Campaigns

People respond to what they know. The more familiar something is to them, the more they prefer it. By personalizing multiple components of a security awareness program – from brand to content – the probability that employees will fully engage in the program, retain the information and change their behavior will dramatically increase. Personalization touches a wide scope of areas in a people-centric security awareness program, including branding, communication tools, content and language.

3. Collaborative Partner

A consultative approach incorporates a partner with the experience and subject matter expertise to help security awareness leaders plan and execute a security awareness program that is designed specifically for their organization alone. Let’s face it, there’s no such thing as a one-size-fits-all security awareness program. A consultative partner in security awareness will bring much to the table by offering expert advice and coaching to help plan and execute a security awareness program and will make sure campaigns are people-centric to motivate users and drive behavior change.

4. Security Awareness 5-Step Framework

To reach any goal in life, it’s helpful to use a proven framework or path to get there. For example, if your goal is to complete a marathon, you wouldn’t start running the week before the event. You would select one of the proven training frameworks that can accommodate your schedule and guide you in your journey of preparing for and finishing a marathon. The same holds true for security awareness. To effectively change employee behavior and build a culture of security, a comprehensive program is key in order to carefully analyze and plan based on the organization’s specific needs and objectives. This can be achieved by applying a proven framework – an ongoing methodological approach consisting of the following five steps: Analyze, Plan, Deploy, Measure, Optimize. Without a methodological security awareness framework, it will be difficult to get people to change their risky behavior. A framework is designed to take everything into consideration, especially how people learn, adopt and maintain new habits, which ultimately leads to a culture of security awareness and dramatically fewer human-connected security breaches.

5. Security Awareness As A Service

The model selected to manage a security awareness program will depend largely on the organization’s resources and expertise. An organization with a large and engaged team whose main focus is to ensure employees are well-versed on security and operate with a security mindset in everything they do may not need much support from an external partner. However, an organization where the security awareness strategy and program is one of many areas of focus for the team leading it (this is the case in the majority of organizations) just doesn’t have the breadth of team internally to support the program. The good news is that security awareness leaders have options and, based on their needs, can work with a partner to execute the awareness program – providing a little help (tools) or a lot of help (running it by your side from start to conclusion and beyond).

Terranova Security approaches security awareness from a people perspective and has outlined what that involves in the Definitive Guide To People-centric Security Awareness. As you prioritize security training in 2019, download the guide to learn about the elements of a successful people-centric security awareness program that can truly change employee behavior and better protect your organization.

Anastasia Tsimiklis


Gartner Magic Quadrant for Security Awareness Computer-Based Training, Joanna Huisman, 18 July 2019.



Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. The Gartner document is available upon request from Terranova Security.