LmCast :: Stay tuned in

From Power Users to Protective Stewards: How to Tune Security Training for Specialized Employees

Recorded: Oct. 30, 2025, 2:20 p.m.


The best security training programs build strong security culture by focusing on high-risk groups, including developers, executives, and finance pros.

Ericka Chickowski, Contributing Writer
October 29, 2025
7 Min Read
Source: UK Black Tech

One of the biggest mistakes that low-performing security education programs make is treating security awareness training as if every user impacts security in exactly the same way. Everyone gets the same exact training, no matter their role or knowledge base.

But the truth of the matter is that certain power users and certain roles in the organization are going to bring significantly more risk to the table, simply as a function of what they do and the systems they use. Whether they're C-suite executives, developers, DevOps pros, or finance professionals, these specialized and privileged users have access to some of the most sensitive data, and they're also much more likely to use emerging technologies in their daily workflows. Effective end-user security awareness training programs turn these power users into what some experts refer to as "protective stewards."

"Protective stewards are the users that are doing all they can to help defend the organization," says Matthew Canham, Ph.D., executive director of the Cognitive Security Institute. These are the employees who not only avoid falling victim to attacks but also proactively report suspicious activity to security, he explains.

Personalization Is Everything

The first step in transforming high-risk employees into protective stewards is recognizing the importance of personalized training. Next-level security training programs never deliver one-size-fits-all content to their users. Highly effective training is highly personalized.

"Personalized means that everybody has their own training program that's dynamic, updated according to what their job roles are, what their abilities are, and what the latest threats are to people in their position," Canham says. For example, a finance employee may require additional specialized training to recognize business email compromise tactics, whereas developers need to be trained on secure coding as well as how to securely provision systems, manage secrets, and apply agent-based artificial intelligence (AI) to their daily workflows.

The National Institute of Standards and Technology (NIST) Phish Scale offers a great example of one small but manageable way organizations could get started tailoring training and efficacy measurement to specific user groups, Canham says. This tool factors the content and context of phishing mechanisms and can help organizations customize phishing training and simulations to different user groups.

"Not only are you looking at cues in that attack, but you're also looking at how closely that attack or that phishing email aligns with that target," he explains. "Somebody in HR is not going to respond to the same types of phishing emails that somebody from customer service or sales will."

Not only should content be personalized, but so should training delivery mechanisms, says Jason Nurse, Ph.D., director of science and research at CybSafe. High-performing organizations need more choices and more personalization because some employees may learn better through text than video, for example.

He explains that advanced training professionals are starting to take a page from marketers' playbooks to provide more personalized messages in a range of different training mechanisms. "Tailoring things is really important to consider when we're engaging individuals to try to get them to change their behavior," says Nurse, a reader in cybersecurity at the University of Kent.

The trick, though, is learning how to balance the pursuit of personalization and user-specific training with respect for users' privacy and also the law of diminishing returns, says Margaret Cunningham, Ph.D., a behavioral scientist and vice president of security and AI strategy at Darktrace.

"Beware of overengineering human risk programs. Deep profiling and collecting personal data to predict susceptibility is not only privacy-invasive but also ineffective," says Cunningham, whose doctorate is in applied experimental psychology and who has many years of experience in behavioral interventions for security operations. "There will always be situational factors that no sensor or algorithm can capture."

Expand Beyond Anti-Phish and MFA Training

Highly effective human risk management programs bring a broader scope of training to users outside of the old standards of phish prevention and increased multifactor authentication (MFA) adoption. Employees engage in numerous other behaviors that could be adding to cyber-risk. Aligning security training to that reality is crucial — especially when it's directed at employees in high-risk positions.

Advanced security training programs widen the lens to include training around other impactful behaviors, such as how financial employees handle regulated data, how IT ops configures cloud stores, or whether employees with access to sensitive facilities allow people to tailgate when they badge into a door.

Nurse says his team at CybSafe has been advocating for this for years, but part of the difficulty they face is that many security awareness training programs are one-trick ponies. Managing actions like avoiding phishing clicks or turning on MFA is dead-simple compared to, say, getting executives not to use untrusted networks when they're traveling.

"Because they're easy doesn't necessarily mean they should be relied on forever, though," Nurse says. "There are at least 101 different behaviors that we believe people need to measure, think about, focus on, or consider in some way as it relates to the human aspect of cybersecurity."

The CybSafe team has been trying to help push the industry in this direction by standing up and investing in the development of an open source security behavior database called SebDB, which maps user behaviors against impacts, threat actor tactics, and security frameworks like MITRE ATT&CK. The goal is to provide open access to a standardized framework that can start getting human risk programs keyed around a broader set of behavioral objectives.

Scaffold Training With Strong Technical Guardrails

Great training content and messages are one thing, but to really build a culture that fosters risk-averse behavior, an organization needs to buttress those messages with behavioral supports. "The future is coordinated, resilient human/tech systems: least privilege, safe defaults, error-tolerant architectures, and low-friction reporting," Cunningham says. "Pair that with a culture that rewards near-miss reporting and treats mistakes as learning moments, not failures."

Organizations should be building the right guardrails directly into systems to make it as easy as possible for users to make secure choices in how they interact with their systems, their accounts, and their data. "Awareness is very important, but awareness is only a component of behavior change," Canham says. "There are certain instances where technical controls have to be put into place."

This is what helps fill in the gaps between what Canham refers to as mistakes versus slips, based on a longstanding human error model developed by psychologist James Reason for the aviation industry.

"Mistakes are based on faulty mental models of situations — this is where awareness training can help. But slips are things like walking in the room with trash in one hand and keys in the other and accidentally throwing your keys away in the garbage and putting trash on the counter," he says. "Training will never do anything to prevent slips, and this is where technical controls are so, so important."

Guardrails are especially crucial for developers, IT operators, and DevOps teams that are managing sensitive systems in fast-paced environments. This has been the case for a long time now, but the situation is exacerbated by the fact that they're now being tasked with using AI agents to make their work more efficient. AI agents independently take actions that could have huge impacts on the security and resilience of systems.

Integrate Users Into the Security Operations Feedback Loop

Well-trained employees can become the eyes and ears for an organization to quickly respond to fast-moving threats — as long as it provides them the means and the motivation to report on potential security issues. "One of the most common complaints that I get from protective stewards is that they will give feedback to their security departments, and then it's like it just goes into a black hole," Canham says.

Just like with a vulnerability disclosure program, it's not good enough to simply stick a reporting email on a website and call it a day. Great security teams need to have people tasked with reading these messages, responding to them, and routing these issues into the detection and response team's workflow.

And to make it truly a circular feedback loop, the information fed to the security team from users in specialized vantage points — be it development, finance, or the CEO's corner office — should be baked into threat intelligence that drives future technical controls and tomorrow's wave of security training content.

About the Author

Ericka Chickowski, Contributing Writer

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

The article "From Power Users to Protective Stewards: How to Tune Security Training for Specialized Employees" by Ericka Chickowski highlights the critical need for personalized security training programs that address the unique risks and responsibilities of specialized employees, such as developers, executives, finance professionals, and IT operators. Traditional security awareness training often fails because it treats all employees as uniform risk vectors, neglecting the distinct workflows, access privileges, and technological interactions of different roles. The article argues that high-risk groups—those with elevated access to sensitive data or exposure to emerging technologies—require tailored training to transform them into "protective stewards," individuals who actively contribute to organizational security by avoiding threats and reporting suspicious activity. Matthew Canham, Ph.D., executive director of the Cognitive Security Institute, emphasizes that effective training must be dynamic, role-specific, and aligned with evolving threats. For example, finance professionals need targeted education on business email compromise tactics, while developers require training on secure coding practices and the responsible use of AI agents in their workflows. This approach contrasts with one-size-fits-all programs, which often fail to address the nuanced challenges faced by specialized employees.

A central theme is the importance of personalization in both content and delivery methods. Canham advocates for training programs that adapt to individual roles, skill levels, and threat landscapes, using tools like the NIST Phish Scale to customize phishing simulations for different user groups. This tool helps organizations analyze how phishing attacks align with the behaviors and contexts of specific roles, such as HR or sales, ensuring that training is relevant and actionable. Similarly, Jason Nurse, Ph.D., director of science and research at CybSafe, stresses the need for diverse delivery mechanisms—such as text-based modules or video tutorials—to accommodate varying learning preferences. Nurse draws parallels to marketing strategies, suggesting that personalized messaging can enhance engagement and behavior change. However, he also acknowledges the challenge of balancing personalization with privacy concerns. Margaret Cunningham, Ph.D., a behavioral scientist at Darktrace, cautions against overreliance on deep profiling and data collection, noting that human behavior is influenced by unpredictable situational factors. She argues that excessive data mining can lead to privacy violations and diminishing returns, as no algorithm can fully capture the complexity of human decision-making.

Beyond phishing and multi-factor authentication (MFA), the article calls for expanding security training to encompass a broader range of risk factors. Nurse highlights that many traditional programs focus narrowly on low-hanging fruit, such as reducing phishing clicks or increasing MFA adoption, while neglecting other critical behaviors. For instance, financial employees must be trained on handling regulated data, IT operators need guidance on secure cloud configurations, and executives should avoid using untrusted networks while traveling. The CybSafe team has been developing the open-source Security Behavior Database (SebDB) to map user behaviors against threat actor tactics and security frameworks like MITRE ATT&CK. This initiative aims to create a standardized approach for measuring and addressing human risk across diverse roles, moving beyond simplistic metrics. Nurse emphasizes that there are at least 101 behaviors critical to cybersecurity, many of which require nuanced training strategies. By broadening the scope of security education, organizations can better address the multifaceted risks associated with specialized roles.

Technical guardrails are also essential to reinforce training and mitigate human error. Canham explains that while awareness is a component of behavior change, it cannot alone prevent "slips"—unintentional mistakes like accidentally discarding keys in a trash bin. To address this, organizations must implement technical controls that make secure choices the default, such as least privilege access, safe system defaults, and error-tolerant architectures. Cunningham adds that these measures should be paired with a culture that encourages reporting near-misses and treats mistakes as learning opportunities rather than failures. For developers and IT teams, who often work in fast-paced environments with AI-driven tools, guardrails are particularly crucial. The use of AI agents to automate tasks introduces new vulnerabilities, as these systems can independently execute actions with significant security implications. By integrating technical safeguards into workflows, organizations can reduce the likelihood of errors and create a more resilient security posture.

Finally, the article underscores the importance of involving employees in feedback loops that enhance security operations. Canham notes that protective stewards often feel their input is ignored, leading to disengagement. To counter this, security teams must establish processes for receiving, analyzing, and acting on user feedback. This includes designating personnel to review reports of suspicious activity and integrating insights from specialized employees into threat intelligence and future training initiatives. Just as vulnerability disclosure programs require structured responses, security feedback mechanisms should be formalized to ensure accountability and continuous improvement. By fostering collaboration between employees and security teams, organizations can create a more responsive and adaptive approach to risk management.

In conclusion, the article presents a comprehensive framework for rethinking security training by prioritizing personalization, expanding the scope of risk factors, leveraging technical controls, and fostering employee engagement. By addressing the unique needs of specialized roles and aligning training with real-world challenges, organizations can cultivate a culture of proactive security awareness that goes beyond traditional metrics. The insights from experts like Canham, Nurse, and Cunningham highlight the need for a balanced approach that combines behavioral science, technological safeguards, and continuous learning to mitigate human risk effectively.