The Fundamental Importance of Choice and Variety in Security Awareness Program Content


By Perry Carpenter,  KnowBe4 Chief Evangelist and Strategy Officer.

I’m a bit of an oddball when it comes to the security awareness market in that I’ve seen it from virtually every conceivable angle. I’ve:

  • Been the recipient of security awareness training at former employers
  • Designed and implemented security awareness programs at multiple fortune 500 companies
  • Served as the Gartner analyst covering the security awareness market, authoring the Magic Quadrant for the space, advising vendors, and helping security awareness program managers design their programs
  • And now, working within the community of security awareness vendors

Over the nearly 15 years that I’ve been directly involved in building my own program, advising security leaders and vendors, or helping shape the future of KnowBe4, I’ve learned a LOT about what makes a security awareness program viable and scalable for long-term success.

In this post, I’d like to talk about one factor that many people overlook in the earliest stages of program development, but which can become extremely critical once the program kicks-off: choice.

In my former role as a Gartner analyst covering security awareness strategies, I had the honor of personally working with thousands of security leaders around the world as they built-out their awareness and behavior management programs. During that time, I was able to really get my finger on the pulse of the types of things that help security awareness program managers move from a feeling of powerlessness and frustration to feeling and knowing that they are empowered.

There are obviously a number of factors related to being a successful security awareness leader. I’m going to focus on one important factor today: the continued need for fresh, quality, and varied content.

The “Choice” factor

In my experience, no single factor makes people feel less empowered then when they feel like they have a lack of choice. I saw it all the time at Gartner – clients would call asking what the different security awareness vendors had because they felt limited by the content available with their current vendor. This was expressed in different ways. Here are seven examples:

  1. They like the vendor’s style, but feel that the content is dated and stale
  2. They once liked the vendor’s style, but now the corporate culture has moved on and needs something that feels different
  3. The client’s organization is global, and their current vendor doesn’t have the variety needed to support global requirements
  4. They have licensed an overly-limited set of materials from their vendor, and so they can’t easily add new content to their program to address unforeseen needs
  5. The client realized that the style of content offered or purchased only resonates with one type of audience in their organization; and now they feel stuck.
  6. The client has a need to address new regulatory requirements that their current vendor doesn’t cover
  7. The client has a need to cover new language requirements that their current vendor doesn’t cover. Or the current vendor does have the language, but wants to charge an additional fee for the use of the language

You get the picture. In fact, the number one reason that a customer will decide to evaluate other security awareness vendors is frustration with the limitations of their content library. In other words: content variety and choice matter.

For this reason, I always recommended that vendors within the security awareness market offer an “all you can eat” licensing model so that clients will feel the freedom that comes from being able to adapt their content choices as the needs of their program change. I also advised vendors to offer multiple ‘flavors’ and ‘lengths’ of content for the same reason. Doing so reduces unneeded stress and addresses a TON of potentially unforeseen future-arising needs. Choice equals freedom.

Learning from other industries

I’ve always seen security awareness training as a multidisciplinary art that draws from the fields of marketing, design, journalism, entertainment, cognitive science, behavioral economics, and more. We need to understand how people naturally think, behave, express preferences, make choices, and adopt new beliefs if we ever want to be effective in shaping their security-related thoughts and actions.

The biggest problem with the security industry is that we always think we are unique, and so we tend to try to create things without first learning from how other industries have approached similar issues.

I’ve been a big fan of Malcolm Gladwell’s writing and speaking ever since I read his book “The Tipping Point;” and I remember back sometime in the 2004 – 2006 timeframe watching his TED Talk titled, “Choice, Happiness, and Spaghetti Sauce,” where he told the story of Howard Moskowitz, a “food consultant and psychophysicist who has worked with Pepsi and Campbells Soup, among others, pioneered the idea ‘intermarket variability’ — creating many different types of a product to appeal to as many different tastes as possible.”



I encourage you to watch the TED Talk and also read an interview or two where he describes Moskowitz’s approach. Here’s a snippet from an interview with ABC related to education:

"People were who were in the spaghetti business thought there was such a thing as the perfect spaghetti sauce. He was the one who disabused them of that."

Moskowitz, Gladwell says, believed a company producing spaghetti sauce should be trying to understand all the different dimensions of human taste and catering to them.

"How many people out there like there spaghetti sauce thick and chunky? How many like it spicy? How many like it heavy on the meat? How many like it thin, like classic Italian spaghetti sauce, which is very finely grained?" he asked.

"He educated that world about the width and depth of human difference."

As you look at the success of Moskowitz’s clients after taking his advice, it is clear that he was right. One of his mantras with any company he was working with was, “There is no perfect _____ only perfect _______s.” For instance:

  • “There is no perfect Pepsi, only perfect Pepsis.”
  • “There is no perfect Prego, only perfect Pregos.”
  • “There is no perfect pickle, only perfect pickles.”
  • “There is no perfect mustard, there are only mustards that suit different kinds of people.”

Media companies know this as well. Netflix has a ton of variety, but they know that you are only interested in a subset of that. YouTube has a ton of variety, but you self-select the content that you like. The Internet has hundreds of millions of websites, but you self-select the websites that you need based on your preferences and the contexts of life that you are in.

Shouldn’t security awareness content be the same way? When selecting a security awareness vendor’s content, you need to think about these things:

  • Do you (and your users) like the current content?
  • Is there enough content and variety that you can segment and speak in relevant ways to different divisions, departments, regions, languages, learning styles, attention spans, age groups, etc.?
  • Is the vendor constantly adding new content across variety types?
  • Is the vendor constantly updating content?
  • Does the vendor’s content meet your current regulatory and audit requirements? How about those coming down the road in the next 6 – 12 months?
  • Do you need to pay more and enter a new procurement cycle if you realize that you need additional content, languages, etc.?

The KnowBe4 Mission: Empowering Security Awareness Leaders through Choice and Relevance

I realize this is a lot to digest right now. But I wanted to give you a glimpse into why we believe that our creation and continual curation of the world’s largest security awareness library is just what you need. Our Diamond package gives “all you can eat” access to this library for a fraction of the cost that most vendors charge for extremely limited sets of content.

With Diamond you get always fresh content, included in the price. You get a great variety of choice—almost like Netflix—so you can customize as needed to fit different departmental needs, learning styles, compliance needs, or address unforeseen needs for new content.

Given the continued changing landscape of security threats from social engineering, security awareness training is crucial as it gives your organization that needed last line of defense, the human. As each organization has a different culture and maturity level for their awareness programs, it is important to have a variety of materials, to help keep employees on their toes with security top of mind. Our continued commitment is to provide the world’s largest and most complete set of globally relevant security awareness materials.

The KnowBe4 ModStore: Always fresh, always relevant, continually growing

As one example, KnowBe4 recently partnered with Twist & Shout, makers of highly entertaining security awareness films for businesses. Their “Restricted Intelligence” series is highly regarded and being used by many of the largest brands on the planet. And their content has won awards in both the security industry and the communications world.

The videos cover a wide range of social engineering tactics employed by cyber criminals, including 13 modules now available to KnowBe4 customers as part of its diamond-level package. Season 1 video modules will have 32 languages by the end of October.


We added the Twist & Shout training modules to the Diamond level in the ModStore at no extra cost. You can check them out immediately in the KnowBe4 Modstore, no need to talk to anyone. Go to the Search Filters (top right) and in the Publishers section choose Twist & Shout.

Not a customer yet? You can still take a look at the Twist & Shout videos.  Fill out the form and get immediate access to preview this and all the content from KnowBe4:


Or, cut & paste this link in your browser:

Topics: KnowBe4

Subscribe to Our Blog

Comprehensive Anti-Phishing Guide

Get the latest about social engineering

Subscribe to CyberheistNews