It’s no exaggeration to say that most employees hate taking cybersecurity awareness training. It doesn’t have to be that way. I know of many security awareness training managers who do it so well that their employees not only enjoy it but ask for more of it. I know you think I’m lying, but I’m not. Here are some common complaints about security awareness training and how to make your users love it.

1. Cybersecurity awareness training is boring

It can be boring, at least the way most organizations do it. Make it more exciting, vary it, and make it a game. The average security awareness training involves a video presentation done by someone who could be explaining how babies are born or explaining the periodic table of the elements. It’s staid and unemotional. You’re lucky if it has some graphic elements or music in it.

I’m not saying that your security awareness training video has to be done with the shock jock energy of Robin Williams in the movie Good Morning, Vietnam, but you want your training to err on the side of too much energy.

The best training videos I’ve seen are from energetic presenters who know how to vary their voice and emotional pitches. They bring us along for the ride. Some of the most impressive videos I’ve seen use professional actors, cool backgrounds, background music, have storylines, and are shot by Hollywood-style production teams. It isn’t just one-camera shots from an iPhone with someone standing in front of a screen or chalkboard.

Security awareness training videos that look like professional, Netflix-style episodes are the ones I’ve seen employees ask for more of. Security awareness training companies do this sort of thing, or professional production companies will customize videos for your company. (Full disclosure: I work for a security awareness training company.)

Vary the training.
If all you’re doing is showing videos, no matter how exciting they are, it’s going to get boring, especially if it’s the same style all the time. Instead, switch training content up. Use some videos that are entirely comics. Gamify the training. I’m not a gamer but turning education into a game appeals to a lot of people.

One of the most common games I’ve seen in security awareness training is where simulated, fake, phishing emails are sent to end-users, and the end-users are given a “button” in their email client that they can click to report any suspected phishing email. If the end-users of a group report 100% of the fake phishing emails in a given time period, they receive a reward. It can be special recognition in a company newsletter, gift cards, or a pizza party, for instance. The great part of this is that the users will be more likely to report real phishing emails having been part of the game.

2. Employees don’t understand the importance of security awareness training

Most end-users don’t understand the importance of security awareness training. When I was at Microsoft, every year I had to take training on the “Foreign Corrupt Practices Act” so I wouldn’t accidentally bribe a foreigner to buy Microsoft products or be bribed by a foreigner. My job in no way could ever be stretched to put me in a situation where that was going to be a possibility. I hated wasting my time on that training.

Most employees feel that way about all training, or at least training on something that hasn’t impacted their lives yet. Make sure that employees know how important security awareness training is to their own success and to the organization’s.

If the organization has been hacked, don’t hide the details. Let all employees know how it happened, what the hacker did, and how it could have been avoided.
The best security awareness training videos I saw included the organization’s own employees relating how they got phished into clicking on something they shouldn’t have. They could see a coworker sharing how it happened, what mistakes they made, and what they could have done better.

Share the real-life stories of organizations like yours that have been hurt by cybersecurity incidents. With ransomware rampant, there are plenty of stories of companies and even entire cities shut down for days to weeks, or that never recovered from a single cybersecurity event and shut down.

3. Security awareness training isn’t personal

If you want to make someone care, make it personal. Don’t just train them for protecting your business. Let employees know you care about them and their families. Give them training and tools to help them be more cybersecurity aware at home. Employees who train their spouses, parents, and children in cybersecurity awareness will be among your best defenders at work.

4. Security awareness training isn’t timely

Make sure your security awareness training program is personalized, targeted to the user’s role, and appropriate for the time of the season. I didn’t like taking Foreign Corrupt Practices Act training when it didn’t apply to me. No one would.

For example, don’t give training on how to avoid fake invoices and malicious wire transfers to employees who don’t pay bills. When tax season rolls around, however, make sure all employees are trained on how to avoid fake W-2 information request schemes for their personal tax identification information, and that HR/payroll department employees receive training in how to avoid fake W-2 information requests from someone claiming to be their organization’s tax processor. Give instructions on how to avoid fake gift card scams around Christmas.
Instruct people on how to appropriately patch their systems and how to appropriately recognize their installed anti-malware programs so they can’t be fooled by a fake version of either.

5. Security awareness training feels punitive

A lot of employees have told me how security awareness training seems one-sided and punitive. They have to take the training in a certain amount of time or they’ll get in trouble. You’ve got to motivate people to take the training, but if you make it fun and different, you can motivate people to want to learn more. The gamification I talked about earlier is a good way to do it.

For example, tell every employee who reports 100% of all real and simulated phishing emails for a year that they will get an Amazon gift card. Make the amount enough so that they will care. Then tell them to watch a few videos to learn about what to be on the lookout for. Tell them every month they’ll get a different topic and that they’ll be tested on that topic and others in the following month. One month the topic is W-2 phishing and the next it’s a “clean desk” or screensaver lock audit. The gift card might cost your company $25, $50 or $100, but the return of a well-trained employee will be far more than that.

On a related note, I’m often asked if an employee should be fired or disciplined for failing a test or a real threat event. I know of companies, often in the financial industry, that will fire employees for one failed phishing email. I (and a thousand others) can phish anyone. If you signed off on that policy, know that someone can easily phish you.

You might think you can’t be phished, but you can. It has nothing to do with intelligence or street smarts. Everyone can be tricked. Everyone can make a mistake. I don’t understand unforgiving or overly harsh penalties, especially for first-time offenses.
You will get far more productivity from an employee who feels valued and who has been given the appropriate training.

This is not to say that someone who always clicks on everything and does nothing to help strengthen your organization’s cybersecurity shouldn’t face consequences. Maybe those consequences are locking down their browser and email system so they can only communicate with pre-approved places and people, at least until they prove on successive future tests that they are responsible citizens who care about the organization. Having a locked down workstation is a pain, but at least they will understand the penalty and be given a chance to grow and improve.

Mastering Cybersecurity Awareness Training

If you are in charge of your organization’s computer security awareness program and you haven’t already read Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behavior, you should. It’s written by my friend and co-worker, Perry Carpenter. Perry ran security awareness training for a big company and then monitored the industry as a Gartner analyst. The book is far more about human psychology and what really motivates people to listen and learn than computer security education. It gets to the root of the issue.

I know many companies whose cybersecurity awareness training programs use all these tactics. They and their employees are better, happier, and safer because of them.