One of the quiet killers in security programs isn’t the big, headline-grabbing breach. It’s something subtler: desensitization.

Staff get hit with constant warnings: phishing simulations, mandatory e-learning, “urgent” posters on the noticeboard, and news stories about the latest ransomware attack. After a while, it all blends into background noise. People start to skim over alerts. Clicks creep up on phishing tests. The edge dulls.

That’s dangerous. Attackers thrive on fatigue. They know that if you’re tired of being told to watch out, you’re more likely to slip. The question is: how do we keep staff sharp without burning them out?

Here are a few ways to fight desensitization and build a security culture that sticks.

Vary the Stimulus

Repetition is the fastest way to get people tuning out. If your phishing simulations all look like the same fake Microsoft login, staff will spot the pattern and then ignore anything outside it. Likewise, annual e-learning that hasn’t changed in three years becomes a box-ticking exercise.

Mix it up. Use different scenarios in your phishing campaigns: fake delivery notifications, bogus internal memos, slick LinkedIn invites. Run some simulations right after a real-world breach hits the headlines, so the threat feels fresh. Swap out dry slide decks for interactive workshops, short videos, or podcasts. Variety is what keeps engagement alive.

Show the Stakes

Abstract talk about “data loss” or “compliance fines” rarely lands. People don’t stay awake at night worrying about ISO standards. They worry about their job, their customers, and their reputation.

So tie the message to real-world consequences. Show, don’t tell. What would it mean for the finance team if payroll were locked down by ransomware the day before salaries go out? What would it do to client relationships if an attacker stole draft contracts from your shared drive? When staff can see how a mistake impacts their work, vigilance stops feeling like an abstract duty and starts to feel personal.

Keep It Human, Not Bureaucratic

A lot of security communication reads like a legal disclaimer: dry, technical, and full of weird acronyms. Nobody remembers that.

Instead, tell stories. Share anonymized case studies from your own industry. Use “near misses” from your organization (sanitized, of course) as learning moments. “We caught a phishing email last month that looked like an invoice from a supplier. Here’s how we spotted it.” Humans are wired to remember narratives, not checklists.

Asking For Access

Too often, access is handed out like party favors. Staff inherit logins “just in case,” leading to sprawling permissions and forgotten accounts.

Treat privilege as a teachable moment by adopting zero standing privileges. With just-in-time access, staff request permissions only when needed and lose them when the task is done. Access stops being an entitlement and becomes a deliberate act.

The benefits are threefold: fewer standing privileges for attackers to exploit, tighter compliance with international cybersecurity standards, and a constant reminder that access is a responsibility, not a right. Automated approvals and chat-based request workflows keep it quick, but the very act of asking makes staff pause: “I’m handling something valuable. Better treat it carefully.”

Privilege management doesn’t just tighten controls; it builds a culture where security is conscious, not invisible.
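To make the mechanics of “request it when you need it, lose it when you’re done” concrete, here is a small added example of a just-in-time access broker. It is illustrative code written for this post, not code from the original article or from any product; the class and function names (JitBroker, Grant, walkthrough), the approver policy, the four-hour cap and the sample users and resources are all constructed assumptions. It shows the three properties the section relies on: every grant needs a justification and a designated approver (no self-approval), every grant expires on its own, and the set of standing privileges trends back to empty.

```python
"""Toy just-in-time (JIT) access broker illustrating zero standing privileges.

Added example, not code from the original post or from any product it
describes. Every name here (JitBroker, Grant, the users, resources and
approver policy) is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple

MAX_TTL = timedelta(hours=4)  # assumed policy cap: no grant may outlive one work session


@dataclass
class Grant:
    user: str
    resource: str
    justification: str
    granted_at: datetime
    expires_at: datetime
    revoked_at: Optional[datetime] = None

    def active(self, now: datetime) -> bool:
        """A grant is usable only inside its window and only until released."""
        return self.revoked_at is None and self.granted_at <= now < self.expires_at


class JitBroker:
    def __init__(self, approvers: Dict[str, Set[str]], auto_approve: Set[str] = frozenset()):
        # approvers: resource -> users allowed to approve requests for it (assumed policy)
        # auto_approve: low-sensitivity resources that need no human approver
        self.approvers = approvers
        self.auto_approve = set(auto_approve)
        self.grants: List[Grant] = []
        self.audit: List[Tuple[datetime, str]] = []  # every decision is recorded

    def request(self, user: str, resource: str, justification: str,
                ttl: timedelta, now: datetime, approver: Optional[str] = None) -> Grant:
        """Issue a time-boxed grant, or refuse. Nothing is granted without a reason."""
        if not justification.strip():
            raise ValueError("a justification is required")
        if ttl <= timedelta(0) or ttl > MAX_TTL:
            raise ValueError(f"ttl must be within (0, {MAX_TTL}]")
        if resource not in self.auto_approve:
            allowed = self.approvers.get(resource, set())
            # no self-approval, and only a designated approver may sign off
            if approver is None or approver == user or approver not in allowed:
                self.audit.append((now, f"DENY {user} -> {resource}: no valid approver"))
                raise PermissionError(f"{resource} needs approval from one of {sorted(allowed)}")
        grant = Grant(user, resource, justification, now, now + ttl)
        self.grants.append(grant)
        self.audit.append((now, f"GRANT {user} -> {resource} until {grant.expires_at.isoformat()} "
                                f"({justification!r}, approver={approver or 'auto'})"))
        return grant

    def has_access(self, user: str, resource: str, now: datetime) -> bool:
        """The authorization check every protected action should run, at time of use."""
        return any(g.user == user and g.resource == resource and g.active(now)
                   for g in self.grants)

    def release(self, user: str, resource: str, now: datetime) -> int:
        """Hand access back early when the task is done; returns grants revoked."""
        count = 0
        for g in self.grants:
            if g.user == user and g.resource == resource and g.active(now):
                g.revoked_at = now
                self.audit.append((now, f"RELEASE {user} -> {resource}"))
                count += 1
        return count

    def standing_privileges(self, now: datetime) -> List[Grant]:
        """Grants still active right now; the goal is for this to be near-empty."""
        return [g for g in self.grants if g.active(now)]


def walkthrough() -> Dict[str, object]:
    """Constructed scenario: a finance user needs the payroll system for one task."""
    t0 = datetime(2025, 10, 2, 9, 0, tzinfo=timezone.utc)
    broker = JitBroker(approvers={"payroll-db": {"finance-lead"}}, auto_approve={"wiki"})
    out: Dict[str, object] = {}
    out["before"] = broker.has_access("alice", "payroll-db", t0)  # no standing access
    try:  # alice cannot approve her own request
        broker.request("alice", "payroll-db", "month-end run", timedelta(hours=2), t0, approver="alice")
        out["self_approval"] = "allowed"
    except PermissionError:
        out["self_approval"] = "blocked"
    broker.request("alice", "payroll-db", "month-end run", timedelta(hours=2), t0, approver="finance-lead")
    out["during"] = broker.has_access("alice", "payroll-db", t0 + timedelta(minutes=30))
    out["after_expiry"] = broker.has_access("alice", "payroll-db", t0 + timedelta(hours=2))
    broker.request("bob", "wiki", "update runbook", timedelta(hours=1), t0)  # auto-approved
    out["released"] = broker.release("bob", "wiki", t0 + timedelta(minutes=10))
    out["standing_at_noon"] = len(broker.standing_privileges(t0 + timedelta(hours=3)))
    out["audit_entries"] = len(broker.audit)
    return out


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

The design choice worth noting is that `has_access` is evaluated at the moment of use rather than at login, so an expired or released grant stops working immediately with no clean-up job required, and the audit list gives the security team the “who asked for what, why, and who signed off” trail that makes the pause the section describes auditable as well as cultural.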

Praise and Reward Good Catches

If the only time staff hear from security is when they’ve clicked the wrong link, you’re building a culture of fear and shame. And shame leads to silence — the very last thing you want when an actual incident happens.

Flip the script. Celebrate people who report suspicious emails. Give small rewards — a shout-out in the team meeting, a coffee voucher, even a cheeky leaderboard for most reported phishes. Recognition reinforces behavior far more effectively than punishment.

Drip Feed, Don’t Firehose

Nobody remembers the two-hour marathon training session six months later. What works is steady, regular nudges.

Think short, digestible pieces: a quick monthly security tip in the internal newsletter, a one-minute explainer video in Slack, or a short quiz with a small prize. Keep it frequent, varied, and light-touch. That way, cybersecurity stays in people’s peripheral vision without overwhelming them.

Make It a Team Sport

Security isn’t “the IT department’s job.” When it feels like that, people shrug responsibility and assume someone else will handle it.

Instead, frame it as a shared effort. Get managers modelling good behavior (reporting phishes, locking screens, calling out risky habits). Set up friendly competitions between teams — who can spot the most phishing attempts this quarter? Bake security checks into project retros so it’s seen as part of “how we do work,” not an add-on.

Close the Loop

One of the quickest ways to kill reporting is to leave staff in the dark. If someone takes the time to escalate a suspicious email and then hears nothing back, they assume it didn’t matter. Next time, they won’t bother.

Always close the loop. If someone reports something, send them a quick note: “Thanks, that was a phishing attempt, and you were right to flag it.” Or: “Good catch — it turned out to be safe, but reporting was the right move.” Even small acknowledgements build trust and reinforce the habit.

Culture Beats Fear

You can’t scare people into caring forever. Fear fades. Headlines blur. The only lasting defense is culture.

That culture is built on curiosity (“I wonder if this is suspicious?”), accountability (“If I see it, it’s my job to say something”), access automation that makes asking for privilege routine, and pride (“We don’t get caught like the company down the road”). It’s about making security part of the everyday fabric of work, not a dreary compliance ritual that leaves staff desensitized to cyberattacks.

A Practical Next Step

If you want to put this into practice, try sketching out a six-month plan with rhythm and variety. Alternate phishing campaigns with quick training refreshers. Share a story from your industry each month. Celebrate staff who report issues. Keep the communication human, light, and regular.

“Tell me and I forget; Teach me and I may remember; Involve me and I learn.”
- possibly Benjamin Franklin or possibly Confucius.

Do that, and you won’t just keep staff alert. You’ll build a workforce that sees security not as background noise, but as part of how they protect their own work, their colleagues, and the business itself.

And that’s the real win. Not just fewer clicks on fake emails, but an organization that’s harder to wear down, harder to fool, and harder to break.

Technology

October 2, 2025
