50 Security Awareness Training Jokes
The security awareness module was 38 minutes long. I was through it in 11. The Next button kept the rest of the time on its own.
I clicked through the slides at the speed of my mouse. The quiz at the end asked me to identify a phishing email. I picked the one with the obvious typo. That was the correct answer in 2018.
The training video opened with a hooded figure typing aggressively at a glowing terminal. The real attacker is in a polo, drinking coffee, using a SaaS phishing kit with a billing page.
The animated hacker had green text raining behind him. I have worked in security for twelve years. I have never once seen green text rain behind anyone.
The phishing simulation caught 47 percent of the company. The email was the most realistic one we have ever sent. We had to apologize to HR.
The phishing simulation caught the CISO. He sent an all-hands email about how anyone can be caught. It was opened by 89 percent of recipients, which is the highest engagement any internal email has ever received.
The training said never write your password down. The IT department gave me 14 different systems, each with a different password policy, and an SSO that covers six of them.
I found a sticky note under a keyboard with a password on it. It was my keyboard. It was my password. I had forgotten I had done that.
The data classification module had four tiers: Public, Internal, Confidential, Restricted. In practice every document is classified as Whatever, because the dropdown is at the bottom of a form and nobody scrolls.
The training explained the concept of social engineering. The example was a man in a UPS uniform asking to be buzzed in. The example has not been updated since 2009. The attacker is now a LinkedIn message.
The tailgating module showed an actor holding a coffee and a pastry while someone holds the door open. This still works. The pastry is the universal access badge.
The clean desk policy module finished and I closed the laptop on three printed contracts and a coffee cup.
I learned about shoulder surfing on a flight. I learned about it from the person two seats over, who was reading my deck.
The training recommended a 16-character password with mixed case, numbers, and symbols, changed every 90 days, never reused. NIST stopped recommending the 90-day rotation in 2017. The training has not received the memo. The auditor has not received the memo. The 90-day rotation continues.
I created a unique 24-character password for the internal expense system. Three weeks later the expense system was decommissioned. I had achieved nothing.
The MFA module said authenticator apps are better than SMS. The MFA the company actually deployed is SMS.
The acceptable use policy is 14 pages long. The quiz on it has five questions. The five questions are the only enforceable bits.
I read the acceptable use policy in full once, as a new hire. It prohibits everything I do daily. I have done it daily for eight years. Nothing has happened.
The training featured a re-enactment of a USB drop attack. The actor picked up a USB drive in a parking lot and plugged it into his work laptop. Every person watching the video has now thought about doing this.
I plugged a found USB into an air-gapped machine to see what was on it. This is exactly what the training told me not to do. The training was correct. The USB had ransomware.
The security culture survey asked: do you feel comfortable reporting security incidents? I answered yes. I have never reported one. The two facts are unrelated.
The training included a section on insider threats. It described a disgruntled employee. It did not mention the employee in question is usually the one being asked to take the training.
Year over year, the security awareness completion rate hit 97 percent. The phishing click rate also did not move.
The training said to lock your screen when you leave your desk. The person sitting next to me has not locked her screen since 2019. She also has not been breached. She is the entire counter-argument to my career.
The lock-screen prank tradition at this company is to email the entire team "I love bacon" from the unlocked machine. This is now the only security awareness program with measurable behavior change.
The training said do not share passwords. The shared inbox we all use has one password, stored in a Confluence page, edited by 47 people.
The training said do not click links in emails. The training was delivered via a link in an email.
The CISO sent the security awareness reminder from a different domain. It was a legitimate forwarding setup. It was indistinguishable from a phishing attempt. Half the company reported him to the phishing inbox.
I completed the training in 9 minutes and 47 seconds. The certificate said Total time: 38 minutes. The LMS was counting the time the tab was open.
I left the tab open during lunch to inflate my time-on-module. This is the training the training does not give.
The badge tailgating module ended with a five-question quiz. Question three was: Should you hold the door for someone you do not recognize? The answer was no. I will continue holding it. I am not a monster.
The training included a module on Wi-Fi security. It warned against using public Wi-Fi. I have used public Wi-Fi every day this month. The VPN button is right there. I never push it.
The data loss prevention training showed me how to identify sensitive data. The DLP tool then flagged my emails for 14 false positives in one week. I now route around the DLP tool. The training was successful.
The training included a slide on encryption. The slide had a padlock icon. The slide was four bullet points. Nobody has encrypted anything as a result of this slide.
I took the quiz on a second monitor while typing in Slack on the first. I got 4 out of 5. I have to retake the quiz. I will be on Slack for that too.
The quiz allowed unlimited retakes. The correct answers were highlighted in green after each attempt. By attempt three I had achieved mastery without learning anything.
The security awareness team rebranded as the Human Risk team in 2023. It is the same three people. The slide deck has a new color. The training is identical.
I attended the optional lunch and learn on security best practices. Four people came. One was the speaker. One was his manager. Two were there for the free pizza. The pizza was excellent.
The security training has a gamification feature. I have earned 14 badges. I can redeem them for nothing. The leaderboard shows me ranked 312th out of 4,000. I have no idea who ranks first.
The phishing simulation reward for not clicking was nothing. The penalty for clicking was another training. The incentive structure rewards never opening email.
The training said report suspicious emails to security@company.com. The security@ inbox is monitored by an auto-responder. The auto-responder thanks me. The email is then never seen.
I reported an email as phishing. It was a legitimate email from finance asking me to approve an invoice. The invoice did not get approved. The vendor was not paid. The training was a success.
The training said attackers use urgency to manipulate you. The training had a countdown timer in the corner. It expired in 14 days. Then 7. Then the email reminders started.
The training was assigned to all employees including the contractors. The contractors do not have company logins. They had to call IT to get access to complete the training. IT had to give them logins. The logins were the largest security exposure of the year.
I took the GDPR module in 2018, 2019, 2020, 2021, 2022, 2023, 2024, 2025, and 2026. It is the same module. I am no fresher. The auditor is satisfied.
The security awareness vendor sent me a Net Promoter Score survey after the training. The survey was a link in an email. I did not click it. The training had worked.
The CFO failed the phishing simulation. The CFO requested that the simulation be removed from her report. The simulation was removed from her report.
The training had a section on physical security. It warned against propping doors open with shoes. There were four propped doors in the office that day. None of them had shoes. The training is behind on the current threat landscape.
The security awareness leaderboard is shared with managers. The top-scoring employee was promoted last quarter. The promotion was for unrelated reasons. The two facts are now permanently linked in his mind.
I have not been phished in 18 months. This is because nobody has tried. I have done nothing to earn it.
Why security awareness training writes itself
Security awareness training exists because a regulator, an insurer, or an auditor asked for it. The line item in the audit report says all employees complete annual training. It does not say all employees retain anything from the training, or behave differently afterward, or click fewer phishing emails. The metric is completion. So the program optimizes for completion. A 38-minute module that 97 percent of the company finishes is a better artifact than a 12-minute one that 85 percent finishes, even if the 12-minute one would have actually moved behavior. The auditor reads the number. The number goes up. Everyone wins, in the narrow sense of winning that audits measure.
The result is a parallel reality where the training describes a 2009 threat landscape (hooded hackers, USB drops in parking lots, badge tailgaters in UPS uniforms) and the actual attack landscape is a phishing kit with a CRM, an MFA-fatigue bot, and a vendor account that got compromised three months ago and is now sending real emails from a real address. The training cannot keep up because updating it costs the vendor money and the customer will not pay extra for updates. The training cannot keep up because the moment it gets specific enough to be useful, it gets out of date the next quarter. So it stays general, which is the same as staying useless.
The interesting question is what to do instead. The honest answer is most of the work is structural, not educational. MFA that uses phishing-resistant factors. SSO that reduces the password surface. DMARC that blocks the spoofs. Browser-level password managers that refuse to autofill on the wrong origin. A reporting button in the email client that is one click and gives feedback. None of these require the user to be more vigilant. All of them work even on a tired Friday afternoon. The training is not nothing. The training is just not the load-bearing part. The load-bearing part is the system that catches the click after it happens.
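One of the structural controls named above is a password manager that refuses to autofill on the wrong origin. The following is an added illustration of that decision logic, not code from the page or from any real password manager: it keys saved credentials by exact origin (scheme, host, port), refuses to fill over plain HTTP, and treats a lookalike host, a parent domain, or an unrelated host as a non-match. The vault contents and every URL in it are constructed sample values.

```python
from urllib.parse import urlsplit

# Constructed sample vault: credentials are keyed by the exact origin
# (scheme, host, port) on which they were originally saved.
SAMPLE_VAULT = {
    ("https", "login.example.com", 443): ("alice", "correct horse battery staple"),
}

DEFAULT_PORTS = {"https": 443, "http": 80}


def origin_of(url: str):
    """Return the (scheme, host, port) origin of a URL, applying default ports.

    Hostname comparison is case-insensitive (urlsplit already lowercases it).
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname or ""
    port = parts.port or DEFAULT_PORTS.get(scheme)
    if not scheme or not host or port is None:
        raise ValueError(f"cannot derive an origin from {url!r}")
    return (scheme, host, port)


def autofill_decision(vault, page_url: str):
    """Decide whether to autofill on page_url.

    Returns (credential, reason). credential is None whenever the manager refuses.
    The check is an exact origin match: no prefix matching, no "close enough".
    """
    origin = origin_of(page_url)
    if origin[0] != "https":
        return None, "refuse: page is not served over https"
    credential = vault.get(origin)
    if credential is not None:
        return credential, "fill: exact origin match"
    # A lookalike host, a parent domain or a different port all land here.
    saved_hosts = sorted(o[1] for o in vault)
    return None, f"refuse: no credential saved for {origin}; saved hosts: {saved_hosts}"


if __name__ == "__main__":
    # Constructed page URLs a user might land on, including a lookalike host.
    for url in (
        "https://login.example.com/session/new",
        "https://LOGIN.Example.com:443/",
        "http://login.example.com/",
        "https://login.exarnple.com/",      # "rn" lookalike for "m"
        "https://example.com/",            # parent domain, not the saved origin
    ):
        credential, reason = autofill_decision(SAMPLE_VAULT, url)
        print(f"{url:45} -> {reason}")
```

The point of keying on the full origin rather than on a substring of the hostname is that the decision does not depend on the user noticing anything: the lookalike and the parent domain are refused for the same mechanical reason a completely unrelated site is.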
See also
- 60 Phishing Email Jokes for People Who Almost Clicked the Link: the email that the training was supposed to prepare you for.
- 45 Corporate Training Jokes for Mandatory Compliance Modules: the wider LMS experience this module ships inside.
- 45 Password Manager Jokes for People Who Forgot the Master Password: the tool the training said to use and then did not give you.
- 50 Sysadmin Jokes That Hit Too Close to Home: the team running the phishing simulation that caught the CFO.
- 55 HR Jokes Only Employees Who Have Met With HR Get: the team that owns the training assignment.
- 55 Email Chain Jokes for People Stuck on the Thread: the inbox where the phishing test arrived.
- 65 Corporate Buzzword Jokes for People Who Have Circled Back: the language of the Human Risk team rebrand.
Sources
Authoritative references this article was fact-checked against.
- Security Awareness Report, SANS (sans.org)
- Awareness and Cyber Hygiene, ENISA (enisa.europa.eu)

