Awareness isn’t the goal, it’s just the beginning

Share Now


When people refer to PhishMe as the awareness company, we smile and nod. I want to correct them, but the label ‘security awareness’ is comfortable and relatable. One of the activities that organizations commonly believe will help reduce risk is mandatory security awareness computer-based training (CBT) lessons.  The hope is that if we enroll our humans in online courses about how the bad guys hack us, they will walk away with a wealth of new-found awareness and avoid being victimized.  (Try to visualize how far in the back of my head my eyes are rolling…)

The fact remains that the bad guys are hacking us using phishing with credible sources indicating that 90% of breaches begin with phishing. I’d be shocked by a survey claiming 90% of users are unaware of what phishing is.

Does Awareness = Behavior Change?

One of the reasons PhishMe exists is because forced CBT awareness activities simply don’t have a measurable impact on phishing risk reduction. Contrary to the weakest-link rhetoric, users are smart, and not only can they change their behavior, they can also smell the stench of compliance which leads to irritation (see my previous blog on this topic – While you may have seen us fly under the awareness banner once or twice, our mission has always been about conditioning employees, through real world simulations, to identify and report suspicious emails.

Despite our vocal stance on this topic, we continue to receive requests to provide awareness CBTs. We are troubled to see that organizations are paying thousands of dollars for awareness CBTs that don’t do any good other than check a compliance box. It’s time for a paradigm shift. Today, we introduced our own CBT initiative – CBFree — We are giving away security awareness CBTs for FREE. You read that right – FREE. Why pay for something that doesn’t work when you can get best-in-class awareness CBT content at no charge? What’s the catch? There is none.

Free doesn’t mean Junk

CBFree does not use obsolete content. Our flagship simulation solution requires us to employ the best people to produce timely content. We have an amazing content management team that prides itself in producing fresh, compliant, and relevant content. Our content team isn’t going anywhere, in fact, we expand it every year.  Rest assured, next year when you need more box-checking awareness CBTs, it will be quality.

Easy to understand, use and adapt

Our library of awareness CBTs includes 12 modules that were developed using the latest eLearning techniques and trends that promote substantial engagement by the pupil. Each module takes about 5 minutes to complete, with an optional 5 minutes of interactive Q&A.

In addition, we are making the process of implementing these CBTs in your environment very simple. If you have a Learning Management System (LMS) that ingests SCORM-compliant materials, just download the files and run the training through your own LMS.  No LMS? No problem. We are also providing fully interactive lessons in PDF form.

Do you have to deliver awareness CBTs to keep the auditors happy?  Get started now by reviewing the module descriptions here and check that box!

To be clear, PhishMe is not moving away from what we do best. We are simply removing a speedbump that is slowing you down from the true goal; behavior change. PhishMe Simulator, the industry gold standard, still delivers the same measurable program as always.

Read More Related Phishing Blog Posts


We use our own and third-party cookies to enhance your experience by showing you relevant content, personalizing our communications with you, and remembering your preferences when you visit our website. We also use them to improve the overall performance of our site. You can learn more about the cookies and similar technology we use by viewing our privacy policy. By clicking ‘Accept,’ you acknowledge and consent to our use of all cookies on our website.

This site is registered on as a development site.