The real reason cybersecurity strategies keep falling short

How better learning design creates the behaviour change most programs miss — and what real results look like

The risk isn’t tech… it’s us

In recent weeks, three of the UK’s most recognisable high street retailers — Harrods, Marks & Spencer, and the Co-op — were hit by cyber attacks. These aren’t small operations. These are household names with global reputations, sophisticated infrastructure, and serious security investments. Unfortunately, the impact on their operations and customer data was very real.

And yet, the breaches happened. Not through some clever backdoor exploit or elite-level hack — but through people. A phishing link. A moment of misplaced trust. A lapse in judgement.

It’s a sharp reminder: no matter how strong your firewalls are, human behaviour is still a critical vulnerability.

If retailers of this scale can be compromised, what does that say about the everyday risk inside your own organisation? And more importantly — is your compliance training really preparing people for this?

Knowing the rules isn’t the same as following them

Many moons ago, I had a music teacher who was walking me through some basic jazz concepts when he said something I’ve never forgotten. He said: “You need to know the rules to break the rules.”

He was talking about introducing tension, using notes that technically shouldn’t work, and resolving them in a way that somehow not only worked but worked well. You can’t pull that off unless you truly understand the context and intention behind what you’re doing. That lesson has stayed with me. And it applies just as much to compliance learning as it does to music.

In many organisations, people ‘know’ the rules. They’ve completed the training programs and passed the quiz. But in real-world moments, under pressure or when facing a cleverly disguised scam, they don’t know how to apply them.

Numbers don’t lie, but they don’t protect you either

Despite widespread investment in cybersecurity training, research shows that human behaviour remains the weakest link. The UK Government Cyber Security Breaches Survey 2021 reveals that around 27% of businesses and 23% of charities face cyber breaches weekly, with phishing involved in 83% of attacks and impersonation scams in 27%.

The training landscape also seems unfortunately bleak. Traditional compliance training often misses the mark. PwC’s 2024 Global Digital Trust Insights survey found that the proportion of businesses experiencing data breaches costing over $1 million has increased from 27% to 36% year-over-year. The survey also highlights key concerns around cloud threats, hack-and-leak operations, third-party breaches, and attacks on connected products — areas where organisations feel least prepared. Importantly, 40% of business leaders say they don’t know how to respond effectively to new and emerging digital threats, underscoring a critical gap in leadership readiness.

But what does this mean for training? Completion doesn’t equal comprehension — and even comprehension doesn’t always lead to action. They say not all heroes wear capes, but when it comes to defending against increasingly sophisticated digital threats, we need well-equipped human responses: people with the right skills, mindset, and judgement under pressure (capes optional, budget permitting).

A false sense of security

For many compliance leaders, the frustration is clear: training gets completed, but it doesn’t translate into real-world impact. The boxes are ticked. But on the ground? The same breaches. The same moments of poor judgement. These aren’t random occurrences; they’re symptoms of a deeper misalignment between what’s taught and how people behave when it matters.

According to Gartner, organisations with a strong compliance culture are nearly 2.5 times more likely to achieve positive business outcomes. Yet, 87% of employees say they don’t work in a strong ethical culture at all, according to the Ethics & Compliance Initiative’s 2023 Global Business Ethics Survey. That gap matters. Because culture is compliance. And when it’s weak, rules won’t transfer to behaviour.

But there is hope. PwC’s Global Compliance Study 2025 found that leading compliance programs are far more likely to tailor their approach to the unique needs of the organisation, leverage data to continuously improve, and benchmark their efforts against industry standards. These aren’t just operational tweaks — they’re vital for reducing risk and fostering a culture of accountability. This isn’t about employees not caring; it’s about making compliance meaningful, connecting policy to real-world challenges, and empowering individuals to do the right thing even when no one is watching.

Purposeful learning design should always be the driver

Real compliance training needs to go further — drawing on insights from behavioural science to influence not just what people know, but what they do. This means designing learning experiences that connect with how people make decisions. It means understanding the learner’s reality: their work environment, their pressures, the shortcuts they’re likely to take, and how compliance manifests in the day-to-day.

Effective training doesn’t just transfer information; it builds habits, strengthens judgement, and boosts confidence to do the right thing. When learning is relevant, interactive, context-aware, and easy to apply, it transfers to how people go about their day-to-day work. It’s not something extra; it’s natural.

Let’s make compliance work. If you’re asking how to reduce risk with better staff training or struggling to shift your compliance learning strategy, you need a fresh perspective on what’s possible. We’d love to share how we’ve worked with the likes of Barrick Gold, International Airlines Group, and Coca-Cola, to name just a few, and shaped strategies that change behaviours and embed compliance in organisational culture.

Get in touch, and let’s turn good intentions into confident actions.

Saffron Interactive