Focus on rewards as well as training: Many organizations implement training programs and awareness campaigns to instill cybersecurity values. Those are important to set a baseline, but they aren’t enough. We asked employees what they remembered from their training or awareness campaigns. Often, employees could only tell us when they had their latest training class, not what they learned. They had only done the class (usually online) because it was required. They often were doing their email or other activity on the side, because the training happened when the organization needed them to do it, rather than when it was the optimum time for the employee. Little wonder that long-term retention was low or nonexistent.