As cybercriminals use increasingly sophisticated tactics and AI makes phishing attempts, impersonation scams and other attacks harder to spot, organizations can’t rely on annual compliance training alone. Employees need to be able to recognize threats, make smart decisions and respond confidently when a suspicious message, request or interaction shows up in the course of a normal workday.

Cybersecurity training is most effective when it isn’t just another box to check but is practical, relevant and worth employees’ time. Below, members of Forbes Technology Council share ways organizations can make cybersecurity training more engaging so essential security habits are more likely to stick.

Teach Employees To Spot Emotional Manipulation

Teach people to spot the feeling behind the scam. Many attacks work by making you feel rushed, scared, curious or afraid of getting in trouble. Training should help employees pause and ask, “Why is this message pushing me to act fast?” That habit works across email, Slack, texts and AI scams. - Margarita Simonova, ILoveMyQA

Simulate AI-Driven Scams

Security habits only stick when training mirrors a real attack. Legacy training doesn’t cut it anymore. In our own vishing tests, 92% of AI agent voice clones were treated as humans, with calls averaging 8.8 minutes and some lasting 20. AI-powered, behavior-based training enables custom scenarios to build the instinct to pause, verify through another channel, and protect digital trust. - Kevin Tian, Doppel

Rehearse Threat Scenarios Tied To Real Business Risks

Turn security training into rehearsals for real adversaries, not compliance theater. Use scenario-based exercises built around your actual suppliers, executives and data flows, mixing human red teams with AI-generated lures.
Then, brief outcomes like an incident review, linking habits to business continuity and geopolitical exposure, not just “phishing awareness.” - Koray Köse, KŌSE ADVISORY

Personalize Training By Role And Risk Profile

Generic training is noise—employees tune it out because it doesn’t feel relevant to them. The shift that works is when you use AI to personalize training to each person’s role, behavior patterns and the threats they actually face. A finance employee gets different scenarios than a developer. When the threat feels real and specific, people pay attention. Relevance is what makes habits stick, not repetition. - Faisal Fareed, Amazon Web Services

Use Storytelling To Make Lessons Memorable

I have found that Netflix-style security training, like the Inside Man series, has been the most successful type of training. The episodes are short, less than 10 minutes, drama-based and have a short lesson that is clear and easy for end users to understand. I had employees actually ask for more training like that! It was the only style of training where employees wanted more. - John Bruggeman, CBTS

Show Employees What Real Threats Look Like

Cybersecurity training should be designed in a way that’s useful for employees with low technical proficiency. Show, rather than tell, what common credential harvesting or phishing emails look like. Training modules should be visual and demonstrative. The goal is to develop proficiency in cybersecurity terminology and the technical skills essential for identifying common cyberattack methods. - Kris Lahiri, Egnyte

Deliver Coaching At The Moment Of Risk

Traditional compliance training is not engaging and doesn’t resonate with today’s AI-native workforce. As AI transforms how we work, organizations must move beyond static training and deliver real-time guidance at the moment of action. For example, advanced data loss prevention systems can help prevent risky behavior while providing relevant, high-impact coaching when it matters most.
- Steve Tait, Skyhigh Security

Pair Training With Stronger Identity Controls

A large study last year showed that training only reduced the incidence of an employee falling for an AI-generated phishing scheme by 2%—35% of employees will act on it. I don’t believe any amount of training will put humans in the lead over AI-generated phishing attacks and drive that to 0%. As we move to biometric-assured identity, each person will be the right person on the right domain within proximity of the device logging in—which is basically phishing-proof. - Kevin Surace, Appvance Inc.

Run Team-Specific Drills With Quick Feedback

Make training scenario-based and immediate: short, realistic phishing and social-engineering drills tied to each team’s actual work, followed by quick feedback. People remember “I almost clicked that fake vendor invoice” far better than a slide deck, and the habit transfers to real inboxes. - Nolan Garrett, TorchLight

Practice Continuously To Reinforce Safer Responses

The strongest step we can take is to move toward continuous phishing simulations with immediate feedback and additional training to improve users’ ability to detect and report suspected phishing emails. In an AI-enabled enhanced threat environment, the most effective program is one that repeatedly exposes employees to realistic scenarios, reinforces the right responses, and measures whether safer habits are actually being formed. - Connie McIntosh, Ericsson

Show How Personal Data Fuels Targeted Scams

Make training personal. Instead of abstract phishing examples, show employees how much of their own digital footprint is publicly available and how easily fraudsters can turn it into a convincing fake profile, email or message. When people see that scams can be built around them specifically, security habits stop feeling theoretical and start feeling necessary.
- Artem Lalaiants, RiskSeal, Inc.

Build Skills Through Ongoing Behavior Change

Cybersecurity training sticks when it moves from compliance to behavior change. In my experience leading IT transformation, realistic simulations and short, role-based coaching help employees build muscle memory. With AI making scams harder to spot, organizations need continuous practice, not annual training. - Thai Vong

Gamify Training With Evolving Role-Based Scenarios

Gamify training with realistic, role‑based phishing simulations that evolve over time. When employees experience believable, context‑specific scenarios—not generic quizzes—they actively practice decisions. Immediate feedback reinforces habits, making secure behavior feel practical and memorable rather than theoretical. - Hemant Soni, CAPGEMINI AMERICA INC.

Make Security Training Experiential

The goal should be a mindset shift where people pause, verify, report and build with security. Make cybersecurity training experiential, not instructional. AI phishing simulations and GenAI safe-use labs make threats real, while proactive design controls make secure choices easier than risky ones. Pair this with security-first delivery checks and reports that track real actions—such as scam reporting, approved AI use and early risk closure—so safe habits become muscle memory. - Saurabh Gupta

Show The Real-World Costs Of Cyber Mistakes

Replace procedure drills with consequence stories. Show real breaches, real losses and real human impact. When employees see how one clicked link derailed a hospital or exposed thousands of lives, it stops feeling like compliance and starts feeling personal. Reward those who catch threats. When people understand the stakes and see peers celebrated for vigilance, the habit forms itself. - Aruna Veerappan, Upwork

Connect Cybersecurity Lessons To Employees’ Lives

Make training useful outside work.
Teach employees how to spot AI voice scams targeting parents, fake delivery links, romance fraud, school payment requests and deepfake calls—then map the same cues back to the business. When cybersecurity protects their family, not just the company, attention changes. Personal relevance turns policy into instinct. - Akhilesh Sharma, A3Logics Inc.

Back Training With System Guardrails

Security training matters, but humans will still make mistakes. The goal is to back training with guardrails, clear ownership and workflows that prevent or minimize the impact of an error. Training works best when the system helps people minimize risks and recover safely, not fail expensively. - Steve Carter, Nucleus Security

Strengthen Scam Detection Through Collaborative Culture

Promoting better collegiality and corporate culture can go a long way toward ensuring that employees know their co-workers and managers. Not only does it result in better team spirit, but knowing each other’s habits also makes it more likely that you can spot something out of the ordinary and thus identify a potential imposter trying to scam you. - Kevin Korte, Univention

Reinforce Simple Habits Through Positive Recognition

Cybersecurity training works best when it reinforces a few repeatable habits rather than overwhelming employees with lengthy policies. Teach people to pause, verify unusual requests through trusted channels, use multifactor authentication and report anything skeptical. Recognize employees who raise concerns, even when they prove harmless. Repetition and positive reinforcement build instinctive responses, reduce human error and amplify security culture. - Salice Thomas, Wipro Limited