Cybersecurity as a Design Discipline: Creating User-Aware Security Awareness Campaigns
By Ramyar Daneshgar
Security Engineer | USC Viterbi School of Engineering
Looking for a security engineer? Visit SecurityEngineer.com
Disclaimer: This article is for educational purposes only and does not constitute legal advice.
Executive Summary
Security awareness programs often fail—not because users don’t care, but because the training wasn't designed for how people actually learn, behave, or interact with risk. Treating cybersecurity awareness as a design discipline allows organizations to create education campaigns that are contextual, intuitive, and behaviorally effective. This article breaks down how to apply design thinking, communications strategy, and user-centered design principles to build security awareness programs that resonate with employees and stand up to legal scrutiny.
1. The Problem with Most Security Awareness Programs
Many security awareness campaigns rely on stale content: generic phishing templates, annual compliance videos, and punitive quiz scoring. While they may technically “check the box,” they fail to:
- Change user behavior over time
- Generate internal buy-in
- Build resilience against evolving threats
In high-performing organizations—especially those dealing with sensitive client data, intellectual property, or cross-border operations—this approach is no longer sufficient. The legal, financial, and reputational stakes are too high.
To create measurable change, cybersecurity awareness must be reframed as a design challenge, not a technical afterthought.
2. Why Security Awareness Must Be Designed—Not Just Deployed
Traditional training models assume employees are blank slates who will follow rules once told. In reality:
- Employees bring different risk profiles based on their roles, incentives, and digital habits
- Generic messaging fails to connect with specific job functions
- Repetitive, fear-based content leads to message fatigue and disengagement
Design thinking flips the model. It asks:
How can we build training for the user, not just at the user?
That means applying core design principles:
- Empathy – Understand employee pain points with security
- Context – Deliver training at the point of need, not months later
- Clarity – Strip away jargon; use clean, relatable language
- Feedback Loops – Offer two-way communication and visible outcomes
- Visual Communication – Emphasize clarity, brand alignment, and digestibility
3. Collaborating with Communications: Security x Storytelling
One of the most overlooked assets in cybersecurity awareness is the internal communications or marketing team.
These professionals already understand how to:
- Build brand-consistent narratives
- Craft emotionally resonant messages
- Segment audiences for relevance
- Drive internal engagement
Case Study Example: Security & Communications Collaboration
When launching a new phishing simulation program, we co-designed the campaign with communications leads to:
- Use internal tone-of-voice guidelines instead of generic training language
- Customize visuals to match internal tools (e.g., SharePoint, Slack, Google Drive)
- A/B test different campaign taglines and calls to action
- Insert humor, empathy, and storytelling into policy reminders
The result: higher engagement, less backlash, and a measurable reduction in repeated phishing clicks.
4. Designing Behaviorally Intelligent Phishing Simulations
Most phishing simulations fail because they feel artificial, irrelevant, or patronizing. A better approach uses real user context, iterative design, and behavioral reinforcement.
Design Process for Phishing Simulations:
- User Research
  - Interview users across departments about daily email habits
  - Observe workflows where phishing risk is highest (e.g., finance, legal, vendor management)
- Realistic Threat Modeling
  - Create scenarios mimicking actual workflows: invoice requests, project file links, urgent HR messages
  - Localize content to regional teams and communication styles
- Post-Click Training Redesign
  - Instead of “you failed,” deliver an interactive explainer showing:
    - Clues that could’ve tipped them off
    - What could’ve happened in a real attack
    - What to do next time
- Feedback Channel
  - Offer employees the chance to rate phishing emails or suggest scenarios
  - Normalize vulnerability reporting over punishment
5. Building Security Personas to Tailor Campaigns
Employees aren't a monolith. They have different levels of technical fluency, risk exposure, and motivators.
Creating security personas allows you to map training to their needs:
| Persona | Traits & Tools Used | Risks | Ideal Approach |
|---|---|---|---|
| Creative Professionals | Mobile-first, external-facing | Oversharing, file mishandling | Visual storytelling, just-in-time nudges |
| Finance Staff | Workflow-driven, inbox-heavy | BEC, invoice fraud | Scenario-based simulations |
| Executives | High-trust, low-time availability | Whaling, travel-based phishing | Concise, narrative-based training |
| IT Staff | Technically fluent, tool-heavy | Privileged access abuse | Technical breach walk-throughs |
This personalization leads to significantly better knowledge retention and behavioral outcomes.
6. Metrics That Prove Real Impact (Beyond Quiz Scores)
| Metric | What It Measures | Why It Matters |
|---|---|---|
| First-Time Click Rate vs. Repeat Click Rate | Frequency of users clicking phishing simulations | Differentiates between unaware users and persistent risk takers |
| Time to Report Phishing Simulations | Speed of user response after receiving a phish | Measures reflexes and internalized vigilance |
| Voluntary Reporting of Real Threats | Proactive submissions outside of simulations | Indicates real-world engagement and cultural maturity |
| Participation in Opt-In Campaigns or Discussion Channels | Involvement in optional training or Slack forums | Reflects intrinsic motivation, not compliance pressure |
| Engagement Heatmaps | Scroll depth, time on page, link clicks | Reveals how deeply users engage with training content |
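The first two metrics in the table (first-time vs. repeat click rate, and time to report) are easy to compute from the event records a simulation platform already keeps. The block below is an added example, not code from the article or from any platform it mentions; the event format, field names and sample data are constructed assumptions, chosen so that the repeat-clicker label separates persistent risk takers from one-off mistakes the way the table describes.

```python
# Added example: computing awareness-program metrics from phishing-simulation
# event records. The SimEvent shape and all sample data are constructed for
# illustration and do not come from the article or any real platform.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class SimEvent:
    user: str
    campaign: str
    sent_at: datetime
    clicked: bool
    reported_at: Optional[datetime]  # None when the user never reported it


BASE = datetime(2024, 1, 8, 9, 0)
LATER = BASE + timedelta(days=14)

# Constructed sample: two campaigns (C1, C2) sent to four users.
EVENTS = [
    SimEvent("alice", "C1", BASE, False, BASE + timedelta(minutes=3)),
    SimEvent("bob", "C1", BASE, True, None),
    SimEvent("carol", "C1", BASE, True, BASE + timedelta(minutes=20)),
    SimEvent("dave", "C1", BASE, False, None),
    SimEvent("alice", "C2", LATER, False, LATER + timedelta(minutes=5)),
    SimEvent("bob", "C2", LATER, True, None),
    SimEvent("carol", "C2", LATER, False, LATER + timedelta(minutes=10)),
    SimEvent("dave", "C2", LATER, True, None),
]


def clicks_per_user(events):
    """Number of distinct campaigns each user clicked in (0 for never)."""
    clicked = defaultdict(set)
    users = set()
    for e in events:
        users.add(e.user)
        if e.clicked:
            clicked[e.user].add(e.campaign)
    return {u: len(clicked[u]) for u in users}


def classify_users(events):
    """Label each user 'never', 'first-time' (clicked in exactly one campaign)
    or 'repeat' (clicked in two or more): the split the metrics table relies on."""
    labels = {}
    for user, n in clicks_per_user(events).items():
        labels[user] = "never" if n == 0 else "first-time" if n == 1 else "repeat"
    return labels


def click_rates(events):
    """Return (first_time_rate, repeat_rate) as fractions of all users."""
    labels = classify_users(events)
    total = len(labels)
    first = sum(1 for v in labels.values() if v == "first-time")
    repeat = sum(1 for v in labels.values() if v == "repeat")
    return first / total, repeat / total


def median_minutes_to_report(events):
    """Median delay between delivery and report, over events that were reported.
    Returns None when nothing was reported, rather than raising."""
    delays = [
        (e.reported_at - e.sent_at).total_seconds() / 60
        for e in events
        if e.reported_at is not None
    ]
    return median(delays) if delays else None


def report_rate(events):
    """Fraction of delivered simulations that were reported, clicked or not."""
    return sum(1 for e in events if e.reported_at is not None) / len(events)


if __name__ == "__main__":
    print("per-user labels:", classify_users(EVENTS))
    print("first-time / repeat click rate:", click_rates(EVENTS))
    print("median minutes to report:", median_minutes_to_report(EVENTS))
    print("report rate:", report_rate(EVENTS))
```

Counting distinct campaigns rather than raw clicks keeps a user who clicked two links in one email from being labelled a repeat offender; the per-user labels are what you would feed into the role-specific follow-up described in the personas section.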
7. Legal Defensibility: Awareness as Risk Mitigation
From a regulatory and legal standpoint, awareness training must not only exist—it must be:
- Targeted
- Ongoing
- Responsive to threats
- Documented
This aligns with:
- GDPR Art. 32: “Training of personnel as part of organizational security measures”
- CCPA/CPRA: “Reasonable security procedures appropriate to the nature of the information”
- NIST CSF: “PR.AT – Awareness and Training domain”
- FTC Safeguards Rule for financial institutions
When your awareness training is designed with intention, documented with data, and adapted to user roles, it strengthens your legal posture in breach response, audits, and litigation.
8. Cultural Wins: Security as a Shared Value
When done well, awareness training transcends compliance and becomes cultural:
- Employees forward suspected phishing to security before it’s simulated
- Design teams request security reviews of new software integrations
- Policy updates are actually read and shared—without mandate
This shift is critical. Culture is the control that can’t be bypassed, exploited, or misconfigured.
Final Takeaway: You’re Not Just Training Users - You’re Designing Experiences
If you're still running awareness like a checklist, you're leaving risk on the table. The future of cybersecurity training lies in design-led awareness, not top-down enforcement.
To build resilient organizations, security leaders must:
- Design like a marketer
- Communicate like a storyteller
- Think like a behavioral psychologist
- Measure like a data scientist
- Act like a partner—not a policeman
Security awareness isn’t an email. It’s a relationship.
Need help crafting security awareness campaigns that actually change behavior—and stand up to legal scrutiny?
Our team builds culture-first training programs, legally defensible simulations, and compliance strategies that go far beyond the checkbox. Designed in collaboration with the experts behind CybersecurityAttorney.com.
Start your tailored security awareness program at SecurityEngineer.com.
Need a Cybersecurity Attorney?
Get top legal guidance in breach response, data privacy, and cybersecurity compliance. Connect with attorneys who know how to defend against audits, investigations, and liability.