SDSU researchers find most B2B cybersecurity training fails, their LEAN model offers fix

SDSU researchers have found that cybersecurity readiness programs in business-to-business companies often miss the mark, and they are now working directly with San Diego companies to implement their LEAN model.

Tuesday, April 1, 2025
Researchers found that many cybersecurity programs overwhelm employees with excessive or repetitive information that is neither relevant nor actionable. (Adobe Stock)

Cyberthreats are a daily reality, yet many business-to-business organizations unknowingly weaken their defenses with ineffective employee training programs, according to researchers at San Diego State University’s Digital Innovation Lab (DiLab).

A study from Fowler College of Business management information professors Kaveh Abhari, Morteza Safaei Pour, and Hossein Shirazi, published in the December 2024 issue of MIS Quarterly Executive, reveals cybersecurity readiness programs, specifically within large accounting firms, may be fundamentally flawed — particularly for non-technical employees. 

Despite cybersecurity’s strategic importance, they suggest conventional staff training often misses the mark, overloading employees with redundant, irrelevant, or impractical information.

In response, the researchers introduce a new framework designed to improve training effectiveness, which they call the LEAN Model (Localize, Empower, Activate, Normalize). 

The Problem: Mistraining and Overtraining

Many cybersecurity programs overwhelm employees with excessive or repetitive information with no practical value.

“When training bombards employees with generic cybersecurity lessons, it dilutes their ability to respond effectively to real threats,” said Abhari. “The result? Confusion, disengagement, and ultimately, a false sense of security.” 

Through surveys of non-technical employees at Big Four accounting firms, the researchers uncovered alarming insights: 

  • Irrelevance: Employees found training materials disconnected from their actual job functions.
  • Tediousness: Many admitted to skimming or skipping content due to redundancy.
  • Emotional distress: Some employees feared unintentionally triggering security breaches.
  • Hesitancy: Others were reluctant to report threats, fearing potential repercussions. 

“It’s hard to take (training) seriously when it feels like ‘Cybersecurity 101’ for everyone,” lamented one respondent. 

Worse, ineffective training led employees to avoid sensitive tasks, neglect critical security procedures, and even resist digital tools, compromising organizational security and productivity. 

The Solution: LEAN Cybersecurity Training

To combat these issues, the researchers propose the LEAN methodology, a streamlined, role-specific approach that empowers employees rather than overwhelming them. 

How LEAN Works: 

Localize – Tailor training to employees’ specific roles, ensuring relevance and engagement. 

Empower – Designate select employees as cybersecurity advocates, equipping them with the authority and knowledge to act decisively. 

Activate – Integrate cybersecurity best practices into daily workflows, fostering team-based security strategies. 

Normalize – Make cybersecurity a seamless part of routine operations, reducing friction and fear.

“The LEAN model transforms cybersecurity from a dreaded chore into a natural workplace habit,” Abhari explained. “While it won’t turn every ‘weakest link’ into the strongest, it builds a resilient network where each link plays a critical role.” 

Beyond Research: Helping San Diego Businesses Adopt LEAN

Recognizing the urgent need for more effective cybersecurity readiness, Abhari and his team are now working directly with businesses in San Diego to implement the LEAN model. By partnering with local organizations, they are helping companies redesign their cybersecurity training programs, ensuring that employees receive targeted, job-specific instruction that strengthens overall security posture. 

“This isn’t just theory — we’re actively helping businesses put LEAN into practice,” says Abhari. “Our goal is to make cybersecurity training an asset, not an obstacle, for companies across San Diego and beyond.” 

Read the full study in MIS Quarterly Executive, December 2024.
