Dr Jessica Barker: Three Critical Pitfalls That Undermine Security Awareness
Cyber Security Awareness Month has just wrapped up, and the headlines were filled with massive breaches—from Yahoo’s historic data loss to the Dyn DDoS attack. While the month succeeded in sparking conversations about threats, a deeper question remains: what is the real goal of security awareness? Without a clear answer, many organisations fall into dangerous traps that actually worsen employee behaviour.
Dr Jessica Barker, a sociologist turned cybersecurity consultant, warns that awareness-raising done poorly can cause more harm than good. She identifies three core security awareness pitfalls that leaders must address to create lasting change: fatigue, fear, and false flags.
1. Security Fatigue: When Too Much Awareness Backfires
The first pitfall is security fatigue, a phenomenon documented by NIST. Its research found that employees become overwhelmed by constant warnings—“watch out for this, watch out for that”—and eventually tune out. One participant admitted, “I think I am desensitized to it.”
This is the opposite of what awareness campaigns intend. Instead of engaging people, poorly designed training exhausts them. NIST recommends limiting the number of security decisions users must make and simplifying the path to the right action. Dr Barker adds that training must be engaging and innovative, not a list of don’ts. The key is to explain why a behaviour matters, helping employees connect the threat to their own reality. When people understand how an attack actually unfolds, they are far more likely to adopt safer habits.
2. Fear: Scaring People the Wrong Way
Cybersecurity professionals often rely on fear—showing worst-case scenarios to motivate action. But Dr Barker argues this is a critical security awareness pitfall. When people are simply scared, they retreat into denial (“I won’t get hacked”) or avoidance (“I’ll just stop using the internet”). Neither response leads to better security.
Drawing on psychology and sociology, she explains that fear must be delivered in a supportive context. Effective training acknowledges the threat but immediately offers actionable, achievable steps. For example, if you ask employees to use complex passwords, you must also provide a password manager. If you want them to enable two-factor authentication, walk them through the setup. Awareness that scares without empowering fosters helplessness, not vigilance.
As Dr Barker puts it: “If you are asking people to have more complicated and unique passwords, how are you going to recommend they manage those passwords?” The answer lies in support, not shock.
3. False Flags: The Danger of Misidentifying Insider Threats
The third pitfall involves raising awareness about malicious insiders. When training profiles a “typical” insider—disgruntled, working late, accessing unusual files—employees may start seeing patterns where none exist. This is similar to the Baader-Meinhof phenomenon, where new knowledge makes us notice it everywhere.
The result? Innocent colleagues get falsely accused, creating HR nightmares and eroding trust. Meanwhile, the flood of false reports desensitises security teams, so when a real threat emerges, it may be ignored—the classic “boy who cried wolf” scenario. Dr Barker stresses that awareness must include context: fitting a profile does not equal malicious intent. Training should teach employees to report suspicious behaviour without jumping to conclusions, and security teams must treat every report seriously while avoiding bias.
How to Avoid These Security Awareness Pitfalls
Avoiding fatigue, fear, and false flags requires a strategic shift. Instead of checking a compliance box, organisations should design awareness programmes that inform, support, and empower. This means investing in engaging content, providing practical tools, and fostering a culture where security is a shared responsibility—not a burden.
For more on building effective cybersecurity cultures, read our guide on how to build a cybersecurity culture and explore security awareness training best practices.
As Dr Barker concludes, remembering the three Fs—fatigue, fear, and false flags—can help organisations turn awareness into action. The goal is not to scare people into compliance, but to equip them with the understanding and tools they need to protect themselves and their organisation.