Back to blog Vibrant digital illustration of a tattooed woman with a pink buzzcut in front of a room full of adults on their phones and laptops, the board behind her reads "Security Awareness - Stay Alert!"

Teaching Security Awareness: A Tragicomedy

2025-10-05

There’s a special kind of irony in being the person who now has to teach cybersecurity to the same teachers who once taught me how to teach. That’s a bit of a tongue twister lol

Five years ago, I was standing in front of teenagers explaining Shakespeare and stage directions. Now I’m standing in front of educators explaining phishing and password hygiene. The plot twist no one saw coming—least of all me.

Here’s what I’ve learned from being on both sides of this particular stage.

The Problem With Most Security Training

Okay real talk, most cybersecurity training for educators is either nonexistent or painfully obvious it was written by someone who has never had to:

  • Get 30 teenagers to pay attention during last period on the Friday before a holiday, iykyk
  • Patiently explain the same concept 13 different ways because everyone learns differently and/or they just weren’t listening
  • Make the DRIEST material engaging when you’re competing with phones, group chat drama, and the existential dread of adolescence

Security training materials often read like they were written by someone who thinks teachers have unlimited time, infinite patience, and a burning desire to memorize password requirements.

Spoiler alert: they don’t.

What I Know Because I Used to Be You

Teachers and administrators are not resistant to technology because they’re stubborn or lazy. They’re resistant because

  1. It has to directly benefit them. And “preventing a data breach” feels abstract when you’re trying to figure out how to get the projector to work before first period.

  2. They’re already doing like 8 jobs. Teacher, counselor, nurse, mediator, tech support, emotional support, sometimes literal security guard. Adding “cybersecurity expert” to that list feels like a sick joke.

  3. The training feels condescending. Nothing makes an educator tune out faster than being talked down to about technology by someone who has clearly never managed a classroom of humans with developing prefrontal cortexes.

The Mistakes I Keep Seeing (With Love)

Password Management, or “Why Are Y’all Using Your Damn Dog’s Name?”

The most common password I’ve had to reset? Some variation of the school name plus the current year. The second most common? A pet’s name.

I get it. I really do. When you’re trying to remember 15 different passwords for 15 different systems that all have different requirements, your brain defaults to something memorable. But here’s the thing: if it’s memorable to you, it’s guessable to someone else.

The fix that actually works: Password managers. Yeah, yeah, it’s one more thing to learn. But it’s one thing that manages all the other things. I’ve had the most success with teachers when I:

  • Set them up during onboarding (make it part of the routine and culture)
  • Show them how it saves time (not just “it’s more secure”)
  • Use one myself and can model and troubleshoot in real-time

AI Adoption, or “I Just Wanted Help Writing Lesson Plans”

Unsurprisingly, teachers are early adopters of AI tools—they’re exhausted and anything that saves a bit of time is worth trying. But they’re often pasting student data, assessment results, or confidential information into ChatGPT without realizing that data ain’t private.

This isn’t carelessness. This is desperation meeting convenience.

The approach that works: Instead of saying “DON’T USE AI” (which is both futile and condescending), I’ve started saying “Here’s how to use AI safely.” We talk about:

  • What counts as confidential information (spoiler: almost everything involving students)
  • Free AI tools that don’t train on your data
  • When to anonymize information before using AI

Meeting people where they are works better than wagging fingers.

User Error, or “I Thought That Email Was From IT”

Phishing emails are getting REALLY good. I’ve almost clicked on a few myself, and I literally do this for a living.

Teachers get dozens (hundreds?) of emails a day. Their brains are pattern-matching machines, and phishing emails are designed to exploit those patterns. When you’re rushing between classes, an email that says “ACTION REQUIRED: Update Your Benefits” looks legitimate enough.

What’s actually helped:

  • Real examples from our district (with identifying info removed)
  • A simple “If you’re not sure, forward it to me” policy with zero judgment
  • Celebrating people who catch and report phishing attempts (positive reinforcement works on adults too)

The Neurodivergent Lens: How People Actually Learn

Here’s something my AuDHD brain understands that a lot of security training misses: people don’t learn through fear, shame, or information dumps.

They learn through

  • Stories (that’s why phishing examples work better than statistics)
  • Repetition without condescension (say it different ways, not the same way louder)
  • Immediate relevance (“this protects your personal accounts too, not just school stuff”)
  • Low-stakes practice (let them mess up in training, not in production)

Security awareness isn’t about making everyone a cybersecurity expert. It’s about building habits that become automatic.

Your Actual Action Steps (No Perfection Required)

If you’re an educator reading this and feeling overwhelmed, here’s where to start:

  1. Get a password manager. Start with your personal accounts. Once you feel the relief of not having to remember everything, you’ll use it for work too. (I use Bitwarden. It’s free and works.)

  2. Before pasting anything into AI, ask: “Would I be okay with this being public?” If no, don’t paste it. If yes, paste away. You don’t need to become an AI policy expert. You just need one decision-making filter.

  3. Hover before you click. On your computer, hover your mouse over any link before clicking. Look at the URL that appears. Does it match where it claims to go? This one habit catches 80% of phishing attempts.

  4. Update your stuff. Your phone, your laptop, your apps—when they ask to update, let them. Updates aren’t just new features. They’re security patches. (I know. It’s annoying closing all of your tabs. Do it anyway.)

  5. If something feels weird, it probably is. Trust your gut. Forward suspicious emails to your IT person. We would rather get 100 false alarms than miss one real threat.

The Bottom Line

I’m not going to pretend I have this all figured out. I’m still relatively new to cybersecurity, and I’m definitely still learning how to translate technical concepts into language that doesn’t make people’s eyes glaze over.

But here’s what I know for sure: the best security awareness training doesn’t come from fear-mongering or technical superiority. It comes from understanding that we’re all just humans trying to do our jobs without getting hacked.

You don’t need to be perfect. You just need to be a little more careful than you were yesterday.

And if a former theatre teacher can learn this stuff, literally anyone can.

Liz Gore is the Director of IT for an alternative high school district and a SANS Cyber Academy graduate. She still occasionally misses teaching theatre but appreciates that fewer people cry in IT meetings. Usually.