Cyber Rebels

The Human Limits Cyber Training Rarely Acknowledges

Most cyber training is built on a quiet assumption: that when a security decision matters, people will have the time, focus, and mental space to make a good one.

That assumption is rarely questioned, and it underpins everything from awareness sessions and policies to how incidents are later explained. Yet it sits uncomfortably with how work actually happens.

In practice, many security decisions are made while people are busy, interrupted, or under pressure, expected to notice something subtle, challenge a request, or slow a process down in the middle of competing demands. The issue is not that people do not understand risk, but that the conditions required to apply that understanding are often missing when it matters most.

The gap between how cyber training imagines decision-making and how decisions are actually made is where a significant amount of cyber risk quietly lives. Until that gap is acknowledged, even well-intentioned training will continue to struggle under real-world conditions.

Cyber training assumes ideal conditions

If you look closely at most cybersecurity awareness training, policies, and guidance, a consistent pattern emerges. They are written as if security decisions are made in isolation, under calm conditions, and with time to think.

Training materials often assume people are working through tasks one at a time, able to give their full attention, free from interruption, and mentally available when something suspicious appears. Scenarios are presented cleanly, with obvious warning signs and clear choices. The implication is that if someone has been shown what to look for, they will naturally recognise it when it matters.

That framing makes sense on paper. It is tidy, logical, and easy to assess. But it quietly ignores how work actually unfolds.

In real environments, people rarely encounter security decisions as standalone moments. They appear mid-task, between meetings, during interruptions, or alongside competing demands that all feel legitimate and urgent. An email is opened while preparing for a call. A message arrives while resolving another issue. A request is acted on quickly because it fits into an already crowded workflow.

Most training does not reflect that reality. It teaches recognition without context, and caution without acknowledging the cost of applying it. Slowing down to verify something is rarely framed as a decision that competes with deadlines, expectations, or social pressure. As a result, training can unintentionally present security as something that happens outside of normal work, rather than within it.

There is also an implicit assumption about authority and comfort. Many scenarios assume people will feel able to question requests, challenge instructions, or delay action without consequence. In practice, that is not always true. Hierarchies, client relationships, and organisational culture all influence how safe it feels to pause or push back. Training that ignores those dynamics sets people up to struggle when the theory meets reality.

Cyber training also tends to assume consistency of mental state. It rarely accounts for fatigue, stress, or cumulative cognitive load across a working day. Guidance is delivered as if people will be able to recall and apply it with the same clarity at 4pm on a busy afternoon as they did at 10am in a training session.

When training assumes ideal conditions, it places the burden of adaptation entirely on individuals. People are expected to bridge the gap between theory and reality on their own, in the moment, under pressure. When that gap proves too wide, the failure is often attributed to attention or behaviour, rather than to the assumptions built into the training itself.

This is not a flaw of intent. Most training is designed to be clear and accessible. The issue is that clarity achieved by simplification can come at the cost of realism. Without acknowledging the environments people actually work in, even well-designed training can struggle to hold up when conditions are anything but ideal.

What pressure actually does to judgement

Under pressure, people do not simply make faster versions of the same decisions. The nature of decision-making itself changes.

As cognitive load increases, attention narrows. People stop scanning broadly and start focusing on the most immediately relevant cues. Subtle inconsistencies are easier to miss, and contextual warning signs are filtered out in favour of whatever appears to move the task forward.

Scepticism also drops. When time or mental bandwidth is limited, questioning information feels effortful and disruptive. Requests that align with expectations, authority, or familiarity are more likely to be accepted at face value, particularly if they offer a clear path to completion.

Pressure increases reliance on habit. Instead of consciously evaluating a situation, people fall back on learned patterns and prior experience. If responding quickly has been rewarded in the past, speed becomes the default. If compliance has usually been safe, compliance feels reasonable again.

There is also a shift in perceived risk. Under load, the immediate cost of delay or challenge often feels more tangible than the abstract possibility of a security incident. The risk that is closest in time — holding someone up, missing a deadline, appearing unhelpful — outweighs the risk that feels distant or hypothetical.

None of this requires panic or stress in the dramatic sense. These effects occur quietly, in ordinary working conditions, and they affect everyone. The issue is not that people forget what they have been taught, but that the mental conditions required to apply that knowledge are temporarily unavailable.

This is why so many cyber incidents involve capable, conscientious people. The decision did not fail because they lacked awareness, but because pressure reshaped how judgement was exercised in that moment.

Why “human error” is the wrong explanation

When an incident is reviewed, the explanation often collapses into a familiar phrase: human error.

Someone clicked the link. Someone shared the information. Someone didn’t spot the signs.

I’ve seen this framing used repeatedly, and it’s always unsatisfying — not because it’s technically wrong, but because it stops the conversation far too early.

In practice, “human error” tells us very little. It describes the outcome, not the conditions that produced it. It focuses attention on the individual at the end of the chain, rather than on the environment they were working in when the decision was made.

In almost every case I’ve encountered, the person involved wasn’t careless or disengaged. They were doing their job under pressure. They were interrupted, juggling competing priorities, responding quickly, or trying not to become a blocker. The decision they made felt reasonable at the time, given what they could see and the mental bandwidth they had available.

Labelling this as error implies a lapse in attention or judgement that sits entirely with the individual. What it fails to acknowledge is how predictable these outcomes are when people are expected to make subtle security decisions in high-load environments.

There’s also a quieter consequence. When incidents are framed as personal mistakes, people learn that being associated with an issue carries risk. That makes hesitation, silence, and delayed reporting more likely — which is exactly the opposite of what effective security depends on.

If we want to understand why incidents happen, and reduce the likelihood of them happening again, we have to move beyond “human error” as a catch-all explanation. Until we examine the conditions under which decisions are made, we’re not really analysing the problem — we’re just naming who happened to be involved when it surfaced.

Where awareness training quietly falls short

Most cybersecurity awareness training is built around recognition. It teaches people what phishing looks like, how scams sound, and which warning signs to watch for. That focus is understandable. Recognition is measurable, assessable, and relatively easy to standardise.

And to be clear, it matters. People do need to understand common attack patterns and techniques. Without that baseline, everything else becomes harder.

The problem is that recognition alone does not translate reliably into safer decisions.

Awareness training often assumes that once people know what to look for, they will be able to apply that knowledge when it matters. In practice, that assumption only holds under favourable conditions. When time is limited, attention is fragmented, or pressure is high, the ability to consciously recall and apply guidance drops sharply.

This is where many programmes quietly fall short. They focus on what to spot, but spend far less time preparing people for how decision-making actually feels in real situations. Very little training addresses the mental state people are likely to be in when a threat appears, or how judgement shifts under load.

There is also a tendency to frame good security behaviour as a simple matter of choice. If the red flags are present, the “correct” decision is assumed to be obvious. In reality, many real-world scenarios are ambiguous. Messages look plausible. Requests make sense in context. Acting quickly often feels reasonable, and sometimes expected.

Social dynamics further complicate this. Requests that appear to come from senior colleagues, trusted partners, or familiar contacts carry weight. Challenging them requires confidence, psychological safety, and a sense that slowing things down will be supported. Awareness training rarely addresses these pressures directly, even though they play a significant role in real incidents.

Another gap lies in how training treats reporting and escalation. People are often told what to report, but not how uncertainty should be handled. When it is unclear whether something is genuinely suspicious, the perceived cost of being wrong can outweigh the perceived benefit of speaking up. Without explicitly addressing this, training can unintentionally reinforce silence rather than encourage early intervention.

As a result, awareness training can succeed on paper while struggling in practice. People leave sessions informed, but not necessarily prepared for the conditions under which they will need to act. Knowledge is present, but fragile, easily disrupted by the realities of modern work.

None of this means awareness training is ineffective or unnecessary. It means it needs to be designed with a fuller understanding of human behaviour, pressure, and context. Without that, training risks becoming something people understand in theory but cannot reliably apply when it matters most.

The human limits we rarely name

There are practical human limits that cyber training often avoids naming directly, even though they shape security decisions every day.

People work while interrupted. They make decisions between meetings, during notifications, or while switching between tasks that all feel urgent. Attention is fragmented long before a suspicious email or unexpected request appears.

People operate under time pressure. They are expected to respond quickly, keep work moving, and avoid becoming a blocker. Slowing a process down to verify something can feel risky in itself, particularly in environments where speed and responsiveness are rewarded.

People carry cognitive load that has nothing to do with cybersecurity. Deadlines, performance expectations, personal concerns, and emotional stress all compete for mental space. By the time a security decision appears, judgement may already be degraded.

People are influenced by social dynamics. Requests that appear to come from senior colleagues, clients, or trusted partners are harder to challenge. Politeness, hierarchy, and the desire to be helpful all play a role in how decisions are made.

People hesitate to escalate or report when they are unsure. If the cost of being wrong feels higher than the cost of staying quiet, issues are more likely to go unreported until they become incidents.

None of these are failures of character or awareness. They are normal features of modern work. When cyber training ignores them, it places responsibility entirely on individuals while leaving the conditions that shape behaviour untouched. That does not create resilience; it creates fragility hidden behind compliance.

What better cyber education accounts for

More effective cyber education does not assume perfect judgement or ideal conditions. It starts from a more realistic understanding of how decisions are actually made at work.

It recognises that people will sometimes be tired, distracted, or under pressure, and that security decisions often appear alongside competing demands rather than in isolation. Instead of expecting people to apply complex guidance in those moments, better training prepares them for imperfection. It reinforces simple pause points, supports verification without embarrassment, and treats uncertainty as something to surface rather than hide.

Crucially, it acknowledges that the safest choice will not always feel efficient or convenient. Slowing down, questioning a request, or escalating a concern can feel socially awkward or disruptive, particularly in fast-moving environments. Better education makes that tension explicit and gives people permission to prioritise safety even when it runs against momentum.

This approach also reframes how organisations think about cyber risk more broadly. Cybersecurity rarely fails because people do not care or lack awareness. It fails when systems, processes, and training expect levels of attention, clarity, and mental capacity that are not realistically available at the moment a decision is required.

Acknowledging human limits is not a lowering of standards. It is an alignment of expectations with reality. When training is designed around how people actually work — rather than how policies imagine they do — it becomes more resilient under pressure, not less.

Ultimately, improving cyber outcomes is less about adding more rules or more awareness content, and more about being honest about the human conditions in which security decisions are made. When education reflects that reality, it stops asking people to bridge the gap alone and starts supporting them where risk genuinely lives.

Director of Training and Development, Cyber Rebels. Andy Longhurst is the founder of Cyber Rebels and a cybersecurity practitioner and educator focused on how risk actually shows up in real organisations. His work sits at the intersection of digital safety, education, and practical risk management — helping teams understand not just what policies say, but what happens in the moments where decisions are made under pressure. With a background spanning adult education, web development, and technical consultancy, Andy specialises in translating complex security concepts into clear, usable understanding. Rather than focusing solely on tools or compliance frameworks, his approach centres on human behaviour, judgement, and the systems that shape everyday choices. He delivers live, interactive cyber awareness training for organisations of all sizes, from small businesses and education providers to public-sector teams and larger organisations operating in complex risk environments. Outside of delivery, Andy spends his time analysing emerging attack patterns, refining training design, and exploring how organisations can build resilience that holds up in the real world — usually with a strategically sized cup of tea close to hand.