From Power Users to Protective Stewards: How to Tune Security Training for Specialized Employees


Dark Reading (1 month ago) Updated 1 month ago

The best security training programs build strong security culture by focusing on high-risk groups, including developers, executives, and finance pros.

October 29, 2025

One of the biggest mistakes that low-performing security education programs make is treating security awareness training as if every user affects security in exactly the same way: everyone gets identical training, regardless of role or existing knowledge.

But certain power users and certain roles bring significantly more risk to the table simply as a function of what they do and the systems they use. Whether they are C-suite executives, developers, DevOps pros, or finance professionals, these specialized and privileged users have access to some of the most sensitive data, and they are also much more likely to use emerging technologies in their daily workflows. Effective end-user security awareness training programs turn these power users into what some experts refer to as "protective stewards."

"Protective stewards are the users that are doing all they can to help defend the organization," says Matthew Canham, Ph.D., executive director of the Cognitive Security Institute. These are the employees who not only avoid falling victim to attacks but also proactively report suspicious activity to security, he explains. The first step in transforming high-risk employees into protective stewards is recognizing the importance of personalized training.
Next-level security training programs never deliver one-size-fits-all content to their users. Highly effective training is highly personalized.

"Personalized means that everybody has their own training program that's dynamic, updated according to what their job roles are, what their abilities are, and what the latest threats are to people in their position," Canham says. For example, a finance employee may require additional specialized training to recognize business email compromise tactics, whereas developers need to be trained on secure coding as well as how to securely provision systems, manage secrets, and apply agent-based artificial intelligence (AI) to their daily workflows.

The National Institute of Standards and Technology (NIST) Phish Scale offers a good example of one small but manageable way organizations could start tailoring training and efficacy measurement to specific user groups, Canham says. The scale rates a phishing message on two axes, the observable cues that could give it away and how closely its premise aligns with the target's actual work, and can help organizations calibrate phishing training and simulations for different user groups.

"Not only are you looking at cues in that attack, but you're also looking at how closely that attack or that phishing email aligns with that target," he explains. "Somebody in HR is not going to respond to the same types of phishing emails that somebody from customer service or sales will."

Not only should content be personalized, but so should training delivery mechanisms, says Jason Nurse, Ph.D., director of science and research at CybSafe. High-performing organizations need more choices and more personalization because some employees may learn better through text than video, for example.
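The Phish Scale rating described above, as an added example that is not code from Dark Reading, NIST, or any of the people quoted: it scores one constructed invoice-themed simulation template for two audiences. The cue-detection heuristics, the organization domain example.com, the per-audience alignment ratings and the sample message are assumptions for the demo; the cue-count bands (1-8 few, 9-14 some, 15 or more many) and the cue/alignment difficulty matrix follow NIST's published scale, and premise alignment, which NIST scores with a worksheet, is taken here as an analyst-supplied category.

```python
"""Rate a phishing-simulation template per audience with the NIST Phish Scale.

Added example: the cue detection below is a small heuristic stand-in for the
analyst cue tagging the Phish Scale worksheet expects (an assumption, not
NIST's rubric). The cue-count bands and the difficulty matrix follow the
published scale; check them against NIST's documentation before relying on it.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

ORG_DOMAINS = {"example.com"}  # assumed: the organisation's own mail domains

# Heuristic cue patterns (constructed for this demo).
URGENCY = re.compile(r"\b(?:immediately|urgent|within 24 hours|suspended?|final notice)\b", re.I)
GENERIC_GREETING = re.compile(r"^\s*dear\s+(?:customer|user|employee|colleague)\b", re.I | re.M)
CREDENTIAL_ASK = re.compile(r"\b(?:password|verify your account|confirm your login)\b", re.I)
MISSPELLINGS = {"recieve", "adress", "acount", "seperate"}


@dataclass
class Email:
    from_name: str
    from_addr: str
    subject: str
    body: str
    links: List[Tuple[str, str]] = field(default_factory=list)  # (visible text, href)


def _domain(value: str) -> str:
    """Domain part of an e-mail address or URL, lower-cased ('' if none)."""
    m = re.search(r"@([\w.-]+)|https?://([\w.-]+)", value)
    return (m.group(1) or m.group(2)).lower() if m else ""


def find_cues(mail: Email) -> List[str]:
    """Observable cues a recipient could use to recognise the message as a phish."""
    cues: List[str] = []
    sender_dom = _domain(mail.from_addr)
    org_labels = {d.split(".")[0] for d in ORG_DOMAINS}
    if sender_dom not in ORG_DOMAINS:
        cues.append(f"sender domain {sender_dom} is outside the organisation")
        if any(label in mail.from_name.lower() for label in org_labels):
            cues.append(f"display name '{mail.from_name}' imitates the organisation")
    text = f"{mail.subject}\n{mail.body}"
    if URGENCY.search(text):
        cues.append("urgency or threat language")
    if GENERIC_GREETING.search(mail.body):
        cues.append("generic greeting")
    if CREDENTIAL_ASK.search(text):
        cues.append("asks for credentials or account verification")
    for word in sorted(MISSPELLINGS & set(re.findall(r"[a-z]+", text.lower()))):
        cues.append(f"misspelling '{word}'")
    for shown, href in mail.links:
        shown_dom, href_dom = _domain(shown), _domain(href)
        if shown_dom and shown_dom != href_dom:
            cues.append(f"link text shows {shown_dom} but points to {href_dom}")
        if href_dom not in ORG_DOMAINS:
            cues.append(f"link to external domain {href_dom}")
    return cues


def cue_band(n_cues: int) -> str:
    """NIST Phish Scale cue bands: 1-8 few, 9-14 some, 15+ many."""
    return "few" if n_cues <= 8 else "some" if n_cues <= 14 else "many"


# (cue band, premise alignment) -> detection difficulty, per the Phish Scale.
DIFFICULTY = {
    ("few", "high"): "very difficult",
    ("few", "medium"): "very difficult",
    ("few", "low"): "moderately difficult",
    ("some", "high"): "very difficult",
    ("some", "medium"): "moderately difficult",
    ("some", "low"): "moderately to least difficult",
    ("many", "high"): "moderately difficult",
    ("many", "medium"): "moderately to least difficult",
    ("many", "low"): "least difficult",
}


def rate(mail: Email, premise_alignment: str) -> Dict[str, object]:
    """Combine detected cues with an analyst-assigned premise alignment."""
    cues = find_cues(mail)
    band = cue_band(len(cues))
    return {"cues": cues, "cue_band": band, "alignment": premise_alignment,
            "difficulty": DIFFICULTY[(band, premise_alignment)]}


# Premise alignment is judged per audience: an invoice-approval lure mirrors
# finance's daily work but not HR's (assumed ratings for the demo).
AUDIENCE_ALIGNMENT = {"finance": "high", "hr": "low"}


def rate_for_audiences(mail: Email, audiences: Dict[str, str] = AUDIENCE_ALIGNMENT) -> Dict[str, str]:
    return {aud: rate(mail, align)["difficulty"] for aud, align in audiences.items()}


# Constructed simulation template (not a real message).
SAMPLE = Email(
    from_name="Example Corp Accounts Payable",
    from_addr="ap-team@example-corp-billing.net",
    subject="URGENT: overdue invoice must be approved within 24 hours",
    body="Dear Employee,\n\nPlease recieve and approve the attached invoice immediately. "
         "Log in to confirm your login here: https://example.com/ap\n",
    links=[("https://example.com/ap", "https://example-corp-billing.net/ap")],
)

if __name__ == "__main__":
    for cue in find_cues(SAMPLE):
        print("cue:", cue)
    for audience, difficulty in rate_for_audiences(SAMPLE).items():
        print(f"{audience}: {difficulty}")
```

Run as-is, the template carries eight detectable cues (the "few" band) and comes out "very difficult" for finance but only "moderately difficult" for HR. That is the point Canham makes: the premise's fit with the target's work, not the message alone, sets the difficulty, so click rates from a simulation only mean something when the campaign is calibrated per group.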
He explains that advanced training professionals are starting to take a page from marketers' playbooks to provide more personalized messages across a range of training mechanisms. "Tailoring things is really important to consider when we're engaging individuals to try to get them to change their behavior," says Nurse, a reader in cybersecurity at the University of Kent.

The trick, though, is learning how to balance the pursuit of personalization and user-specific training with respect for users' privacy and the law of diminishing returns, says Margaret Cunningham, Ph.D., a behavioral scientist and vice president of security and AI strategy at Darktrace. "Beware of overengineering human risk programs. Deep profiling and collecting personal data to predict susceptibility is not only privacy-invasive but also ineffective," says Cunningham, whose doctorate is in applied experimental psychology and who has many years of experience in behavioral interventions for security operations. "There will always be situational factors that no sensor or algorithm can capture."

Highly effective human risk management programs bring a broader scope of training to users than the old standards of phishing prevention and multifactor authentication (MFA) adoption. Employees engage in numerous other behaviors that could be adding to cyber-risk, and aligning security training to that reality is crucial, especially when it is directed at employees in high-risk positions.

Advanced security training programs widen the lens to include training around other impactful behaviors, such as how finance employees handle regulated data, how IT ops configures cloud storage, or whether employees with access to sensitive facilities allow people to tailgate when they badge into a door.
Nurse says his team at CybSafe has been advocating for this for years, but part of the difficulty is that many security awareness training programs are one-trick ponies. Managing actions like avoiding phishing clicks or turning on MFA is dead simple compared to, say, getting executives not to use untrusted networks when they're traveling.

"Because they're easy doesn't necessarily mean they should be relied on forever, though," Nurse says. "There are at least 101 different behaviors that we believe people need to measure, think about, focus on, or consider in some way as it relates to the human aspect of cybersecurity."

The CybSafe team has been trying to push the industry in this direction by standing up and investing in the development of an open source security behavior database called SebDB, which maps user behaviors against impacts, threat actor tactics, and security frameworks like MITRE ATT&CK. The goal is to provide open access to a standardized framework that can get human risk programs keyed around a broader set of behavioral objectives.

Great training content and messages are one thing, but to really build a culture that fosters risk-averse behavior, an organization needs to buttress those messages with behavioral supports. "The future is coordinated, resilient human/tech systems: least privilege, safe defaults, error-tolerant architectures, and low-friction reporting," Cunningham says. "Pair that with a culture that rewards near-miss reporting and treats mistakes as learning moments, not failures."

Organizations should build guardrails directly into systems to make it as easy as possible for users to make secure choices in how they interact with their systems, their accounts, and their data. "Awareness is very important, but awareness is only a component of behavior change," Canham says. "There are certain instances where technical controls have to be put into place."

This is what helps fill in the gaps between what Canham refers to as mistakes versus slips, based on a longstanding human error model developed by psychologist James Reason for the aviation industry.

"Mistakes are based on faulty mental models of situations — this is where awareness training can help. But slips are things like walking in the room with trash in one hand and keys in the other and accidentally throwing your keys away in the garbage and putting trash on the counter," he says. "Training will never do anything to prevent slips, and this is where technical controls are so, so important."

Guardrails are especially crucial for developers, IT operators, and DevOps teams that manage sensitive systems in fast-paced environments. This has long been the case, but the situation is exacerbated now that these teams are being tasked with using AI agents to make their work more efficient. AI agents independently take actions that could have huge impacts on the security and resilience of systems.

Well-trained employees can become the eyes and ears of an organization, helping it respond quickly to fast-moving threats, as long as it gives them the means and the motivation to report potential security issues. "One of the most common complaints that I get from protective stewards is that they will give feedback to their security departments, and then it's like it just goes into a black hole," Canham says.

Just as with a vulnerability disclosure program, it is not good enough to simply publish a reporting email address on a website and call it a day. Security teams need people tasked with reading these messages, responding to them, and routing the issues into the detection and response team's workflow.
And to make it a truly circular feedback loop, the information fed to the security team from users in specialized vantage points, be it development, finance, or the CEO's corner office, should be baked into the threat intelligence that drives future technical controls and the next wave of security training content.

Ericka Chickowski, Contributing Writer

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Source: This article was originally published on Dark Reading

