When Compliance Training Meets How People Actually Work
The completion badge on your LMS and the shared spreadsheet on the file server are both telling the truth — about different things.
7 min read · June 22, 2026
#Cybersecurity #SecurityAwareness #Compliance #HumanFactors #BusinessAnalysis

For years I treated the annual security module as the organisation's way of making sure people knew things — phishing cues, password rules, the approved file-sharing tool. It took a month-end close on a CRM programme to see that the module measures something else entirely. It measures who clicked through before the audit date. The spreadsheet three teams were sharing measured who could get credit-check status to a supplier before the warehouse cut-off. Both were rational. Only one of them was on the dashboard the security team watched.
That gap is where most ordinary risk lives — not in the colleague who "doesn't care," but in the repair people build when the sanctioned path fails the job in front of them.
The Completion Badge — What Training Actually Measures
Walk into most security awareness programmes and the headline metric is completion. In surveys of government awareness professionals, about half ranked compliance — employees finishing the required module — as the top indicator of programme success. Completion rates appear on audit slides. Over two-thirds of organisations lean on completion and audit reports as effectiveness measures; far fewer track incident trends or ask users whether the training changed anything they actually do.
There is a reason the metric persists. Regulatory frameworks need evidence that training happened. Compliance here means audit readiness — proof the box was ticked. That is a legitimate job.
Completion is evidence the module ran. It is not evidence the export finished.
If that distinction feels obvious, watch what gets funded anyway. The refresh cycle optimises for modules everyone can finish. Behaviour change — reporting a suspicious link, refusing to paste client data into an unapproved tool — needs different instrumentation and a longer attention span. NIST researchers Haney and Lutters put the point plainly: requirements set a minimum baseline; simple compliance is not enough for behaviour change.
The Quiet Spreadsheet System — Where Policy Meets the Job
Picture a mid-size retail operation running order-to-cash on an ERP with a CRM bolt-on for credit holds. Month-end, the sanctioned CRM export for "accounts pending credit review" times out after ninety minutes. The job does not fail loudly — it sends an empty file, or the old file from last week. The operations analyst opens the last good export, saves a copy on a departmental file share, and adds a column for today's phone notes. Two colleagues in logistics and customer service paste client IDs from email because the export request ticket queue closes in five business days and the warehouse cut-off is tonight.
Nobody in that chain thinks they are running shadow IT as a hobby. They think they are finishing the close.
This pattern is more common than the industry admits. Write-ups on shadow systems describe the same driver: friction with approved tools, integration gaps between CRM and ERP, and approval cycles that lag the business rhythm. The spreadsheet is not a rebellion against security. It is a quiet spreadsheet system — a parallel record that exists because the official one failed under load.
Training tells everyone not to put client data on file shares.
It does not add retry logic to a report that times out at ninety minutes.
It's Not Defiance — It's a Repair
The surface story says people bypass policy because they undervalue security. Industry surveys put the number high — roughly seven in ten employees admitting they have bypassed a cybersecurity rule, and a larger share saying they would if it helped meet a business target. Read as defiance, that statistic supports another mandatory module. Read on the ground, it often describes a deadline and a tool that did not arrive in time.
Large-scale empirical work on enterprise anti-phishing programmes complicates the "train harder" reflex. An Oakland 2025 enterprise study found no significant association between completing annual awareness training and phishing failure rates; embedded simulations showed a statistically significant effect, but only about two percentage points of absolute reduction. A 2025 reproduction using the NIST Phish Scale across more than twelve thousand participants similarly found negligible practical value from standard training modalities for individual click rates — while organisational patterns of peer reporting showed resilience independent of module scores.
A field study on embedded training argued the benefit may come from periodic reminding — nudging people that phishing exists — rather than from content people rarely have time to absorb. Phishing, in that framing, behaves more like an attention problem than a knowledge gap.
You see the split at the desk: the analyst who completed the module on a phone during a commute is compliant. The same analyst pasting an ID into the shared sheet at 6pm is acting rationally against the cut-off.
Risk research on human behaviour in cybersecurity makes the expectation explicit: some aleatoric uncertainty in human action remains even with good programmes — a zero-percent failure rate is not a realistic design target, and marginal returns from preventive training eventually give way to recovery planning. That is not an argument against training. It is an argument against treating completion as proof the behaviour problem is solved.
The Weakness-and-Reality Audit — Three Desk-Level Probes
When a design lands on my desk — process, tool chain, or policy — I probe it the way production and a motivated insider would, without inventing villains. Three probes, same running example.
Ordinary failure under load. What happens on the worst Tuesday of the month? Here, the export times out silently and the empty file propagates trust in stale data. Training does not add retry logic. Observation beats another slide deck: if month-end produces a file-share spike in client identifiers, you have found a friction signal worth naming before the next audit.
The motivated workaround. Where does someone bend the rule to finish today's task? The logistics colleague pastes from email because the ticket queue is slower than the truck schedule. Tightening DLP on spreadsheets without fixing the export pushes the paste into personal cloud storage or USB — channels with less visibility, not more. The workaround is a map of where policy and job design diverged.
Model drift. Where did the business move on without the policy? Same-day credit checks replaced a forty-eight-hour approval cycle; the policy text and the training scenario still describe the old rhythm. People are not ignoring security. They are following a process the organisation actually runs, which is no longer the one compliance wrote down.
Run those three probes on one workflow you know — order release, vendor onboarding, clinical referral, pick your estate — and you will usually find the spreadsheet before the security incident register does.
What to Watch Before the Next Training Cycle
You cannot policy your way past a tool that does not finish the job. You also cannot spreadsheet your way to zero risk — and a heavier training mandate does not close that arithmetic either.
The honest scope for delivery and analyst roles is observation and naming, not running a CISO programme from a project room. If your retro already names the same workaround every quarter, another generic module is not the missing variable.
Before the organisation buys another hour of generic content, three signals are worth collecting without a vendor RFP:
- Where parallel files appear after batch windows — especially after month-end, go-live, or integration cutovers.
- Which workarounds repeat after every training refresh — repetition means the module is not touching the failure mode.
- Whether compliance tracking itself lives in a manual sheet — NIST's survey of federal role-based training found a substantial share of organisations still tracking mandatory completion in spreadsheets. If the governance layer uses the same repair pattern, that is diagnostic.
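One way to make the first of those signals, and the month-end file-share spike named in the "ordinary failure under load" probe, something a retro can actually look at. This is an added example, not from the article: it sweeps constructed file-share audit lines (date, user, path; the share names, user names and batch dates are invented) for spreadsheet creations on the days following a batch window, compares them to the quiet-day baseline, and reports the burst and who contributed, so the friction gets named rather than filed as individual violations.

```python
"""Friction-signal sweep over file-share audit events (added example)."""
from collections import Counter, defaultdict
from datetime import date, timedelta
from statistics import median

SPREADSHEET_EXT = (".xlsx", ".xls", ".csv")

# Constructed sample: quiet days, then the month-end export run on 2026-05-29
# followed by copies of the pending-credit-review export appearing on the share.
AUDIT_LINES = r"""
2026-05-26,j.ops,\\fs01\ops\daily_notes.xlsx
2026-05-27,k.cs,\\fs01\cs\callbacks.csv
2026-05-29,j.ops,\\fs01\ops\pending_credit_review_COPY.xlsx
2026-05-29,k.cs,\\fs01\ops\pending_credit_review_COPY_v2.xlsx
2026-05-29,m.log,\\fs01\ops\pending_credit_review_phone_notes.xlsx
2026-05-30,m.log,\\fs01\ops\warehouse_release_list.csv
2026-05-30,k.cs,\\fs01\ops\pending_credit_review_COPY_v3.xlsx
2026-05-30,j.ops,\\fs01\ops\pending_credit_review_final.xlsx
2026-06-02,j.ops,\\fs01\ops\team_lunch.xlsx
"""
# Constructed: dates on which the sanctioned month-end export job ran.
BATCH_WINDOWS = [date(2026, 5, 29)]


def parse_events(text):
    """Yield (day, user, path) for spreadsheet-like files; other types are ignored."""
    for line in text.strip().splitlines():
        day, user, path = line.split(",", 2)
        if path.lower().endswith(SPREADSHEET_EXT):
            yield date.fromisoformat(day), user, path


def friction_signals(text, batch_windows, lookahead_days=2, factor=2):
    """Flag post-batch days whose spreadsheet creations exceed factor x the
    quiet-day median. Returns {day: (count, sorted users)} so the retro can
    see how many teams converged on the same parallel file."""
    per_day, users = Counter(), defaultdict(set)
    for day, user, _ in parse_events(text):
        per_day[day] += 1
        users[day].add(user)
    # Days in a batch window plus the lookahead after it are the test set;
    # every other day forms the baseline.
    in_window = {w + timedelta(days=d)
                 for w in batch_windows for d in range(lookahead_days + 1)}
    quiet = [n for d, n in per_day.items() if d not in in_window] or [1]
    baseline = max(median(quiet), 1)
    return {d: (per_day[d], sorted(users[d]))
            for d in sorted(per_day)
            if d in in_window and per_day[d] > factor * baseline}
```

Calling `friction_signals(AUDIT_LINES, BATCH_WINDOWS)` on the sample returns the two days after the export run, each with three new spreadsheets from three different users, which is the "three teams on one parallel record" pattern the article describes.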
NIST's revised learning-program guidance asks for lifecycle metrics and culture change, not a one-shot annual click-through. That is the mature ask. The desk-level ask is smaller and earlier: listen to the workaround as data, fix friction where you can, and stop treating the completion badge as a behaviour score.
Most compliance training is doing exactly what it was built to measure. The spreadsheet is doing what the job required. Until those two stories converge, the gap between them is the risk you actually own.
Most organisations will keep the annual module — auditors expect it. Before the next refresh lands, look at one shared file and ask what job it is doing that the approved system would not.
That question is boring. It is also where security as human behaviour begins.