Is Your Cybersecurity Training Setting You Up for Failure?

March 20, 2025

SDSU Research Study Unveils the LEAN Solution 

Cyber threats are a daily reality, yet many organizations unknowingly weaken their defenses with ineffective training programs, according to researchers from San Diego State University’s Digital Innovation Lab (DiLab). Despite cybersecurity’s strategic importance, they suggest that conventional staff training often misses the mark, overloading employees with redundant, irrelevant, or impractical information.

A groundbreaking study from Fowler College of Business management information professors Kaveh Abhari, Morteza Safaei Pour, and Hossein Shirazi, published in the December 2024 issue of MIS Quarterly Executive, reveals that cybersecurity readiness programs may be fundamentally flawed, particularly for non-technical employees. In response, the researchers introduce a new framework designed to improve training effectiveness: the LEAN Model (Localize, Empower, Activate, Normalize).

Fowler College of Business management information professors (from left to right) Kaveh Abhari, Morteza Safaei Pour, and Hossein Shirazi

The Problem: Mistraining and Overtraining  

Many cybersecurity programs overwhelm employees with excessive or repetitive information that is neither relevant nor actionable.

“When training bombards employees with generic cybersecurity lessons, it dilutes their ability to respond effectively to real threats,” said Abhari. “The result? Confusion, disengagement, and ultimately, a false sense of security.” 

Through a survey of employees—including those from Big Four accounting firms—the researchers uncovered alarming insights: 

  • Irrelevance: Employees found training materials disconnected from their actual job functions. 
  • Tediousness: Many admitted to skimming or skipping content due to redundancy. 
  • Emotional distress: Some employees feared unintentionally triggering security breaches. 
  • Hesitancy: Others were reluctant to report threats, fearing potential repercussions. 

“It’s hard to take (training) seriously when it feels like ‘Cybersecurity 101’ for everyone,” lamented one respondent. 

Worse, ineffective training led employees to avoid sensitive tasks, neglect critical security procedures, and even resist digital tools — compromising organizational security and productivity. 

The Solution: LEAN Cybersecurity Training

To combat these issues, the researchers propose the LEAN methodology, a streamlined, role-specific approach that empowers employees rather than overwhelming them. 

How LEAN Works: 

  • Localize – Tailor training to employees’ specific roles, ensuring relevance and engagement. 
  • Empower – Designate select employees as cybersecurity advocates, equipping them with the authority and knowledge to act decisively. 
  • Activate – Integrate cybersecurity best practices into daily workflows, fostering team-based security strategies. 
  • Normalize – Make cybersecurity a seamless part of routine operations, reducing friction and fear. 

“The LEAN model transforms cybersecurity from a dreaded chore into a natural workplace habit,” Abhari explained. “While it won’t turn every ‘weakest link’ into the strongest, it builds a resilient network where each link plays a critical role.” 

Beyond Research: Helping San Diego Businesses Adopt LEAN 

Recognizing the urgent need for more effective cybersecurity readiness, Abhari and his team are now working directly with businesses in San Diego to implement the LEAN model. By partnering with local organizations, they are helping companies redesign their cybersecurity training programs, ensuring that employees receive targeted, job-specific instruction that strengthens overall security posture. 

“This isn’t just theory—we’re actively helping businesses put LEAN into practice,” says Abhari. “Our goal is to make cybersecurity training an asset, not an obstacle, for companies across San Diego and beyond.” 

Read the full study in MIS Quarterly Executive, December 2024.
