Online Safety and Privacy | 5 Min Read

What’s Wrong With Cybersecurity Behaviors and Attitudes? Pretty Much Everything, New Survey Reveals

Over the past five years, people’s behaviors and attitudes about cybersecurity have become more fatalistic, confused, and frustrated.

Their use of easily guessable passwords is on the rise (think of the classic “password123”). That’s not what we want. Bad actors love it when we make it easy for them. Use of MFA, another hard-to-grasp, cryptic acronym for multifactor authentication, is falling off, like a boulder cleaved from a mountain. We are now seeing the same downward spiraling for backing up data, installing software updates, and accessing security training – down, down, and down. 

“It’s not a pretty picture,” said Lisa Plaggemier, executive director of the National Cybersecurity Alliance, during NCA’s Convene conference in Clearwater, Florida, on March 3, 2026. “We need to take a different approach in how we motivate and inspire people. Our training is neither fun nor relatable. The overall trend shows a significant increase in fatalistic attitudes toward both financial and data loss.” 

The NCA worked alongside TIAA’s Cybersecurity Awareness Team to consider the issue and potential solutions in this article.  

In her event-opening remarks, Plaggemier cracked open all this sobering news emanating from the NCA’s annual survey of more than 25,000 adults. Findings have been summarized and analyzed in a new report, the Oh Behave Cybersecurity Attitudes and Behaviors Report 2021-2025.

Cybersecurity awareness is generally up. But the use of online safety practices and the confidence that security basics are worth doing have fallen across multiple dimensions. There’s a looming and serious question: “Is cybersecurity worth my time?”

The underlying message consumers are communicating is this: “Just because I’m aware doesn’t mean I care.” 

As concerning as it is, it’s what we must face, accept, and uplift. 

Sobering stats: cybersecurity confuses and overwhelms 

You don’t have to dig around much in this report to uncover concerning stats that make you wonder, “Should cybersecurity awareness be completely re-imagined because it’s not working?”  

Let’s zero in on some of the most dramatic from the new Oh Behave report:

  • A “worrying” rise in “security fatalism,” the belief that efforts are pointless because data is already online and therefore makes us feel less secure; this “fatalism” reached 34% in 2025 from 22% in 2023 

  • Confusion about how to interpret and follow security information climbed from 39% in 2021 to 45% in 2025 

  • People minimizing protective actions jumped from 34% in 2022 to 43% in 2025 because they feel overwhelmed by all the cybersecurity training and constant reminders 

  • Security information is so complex that it’s leading to rampant rates of confusion – attaining 45% in 2025 from 39% in 2021; similarly, those feeling overwhelmed totaled 43% in 2025, up from 34% in 2022 

  • Regular MFA use plummeted from 94% in 2022 to only 53% in 2025; a growing percentage of respondents believe their passwords are strong enough, so they chose not to use MFA 

  • Use of passwords including easily guessable personal information (e.g., pet names, birthdates) has consistently risen during the past four years; this unadvisable, high-risk behavior rose from 25% in 2022 to 37% in 2025 

  • People who “always” check messages (such as emails for phishing attempts) fell from 51% in 2021 to 36% in 2021. Why? Because a growing percentage don’t believe checking messages helps stop cybercriminals, escalating from 44% (2022) to 68% (2025)

“It seems that the primary challenge isn’t people’s intentions but the complexity, cost, and psychological fatigue imposed by the security environment, which is pushing many people toward tuning out of security despite their initial motivation,” according to the report. “The findings paint a sobering picture: the problem isn’t that people don’t understand cybersecurity’s importance, but that the complexity, cost, and cognitive burdens of today’s security environment are driving them toward apathy despite positive intentions.” 

Over the five years, there has been a “negative shift” in security psychological experiences. Nearly half of the survey respondents are apathetic and inactive regarding cybersecurity. 

How to reverse these trends 

During a webinar on March 11, Plaggemier offered ideas and encouraged cyber pros to join her in thinking up ways to reverse these trends. She believes there’s a need to make cyber awareness more entertaining, fun, surprising, engaging, personalized, and humanized. Put another way, make it not boring, less predictable, and non-repetitive. Dazzle. Entertain. Call misdirection plays to grab attention. 

She believes cybersecurity behaviors and awareness need to be “as easy as possible, to solve the disconnect of people being aware of cybersecurity but not taking actions to strengthen it. One-size-fits-all is probably not enough. Personalized training for different age groups would likely be more effective. We’ve got to get different messages into people's hands and take a very different approach. Creating more storytelling is one way to do that.” 

During the Convene event, several speakers shared techniques that have helped them execute effective cyber awareness programs, like: 

  • Not just telling people about the best practices; rather, involving them. Think of the evolutionary progress flowing like this: “Tell me, OK; show me, that’s good; involve me and you’ve won me over. I’m sold.” 

  • Gamify – for whatever reason, many people love to play games; so give them games, and they love awards and badges; shower them with those also 

  • Give trainees immediate and more frequent feedback on their cyber performance behaviors; in-the-moment, specific, and direct – don’t wait until Cybersecurity Awareness Month to tell them 

  • Establish independent, customized learning paths for each individual; people don’t resonate with generalized training that doesn’t directly relate to their work and daily lives, so treat them as unique people with idiosyncratic needs 

Always remember, cybersecurity is a team sport. And if you want more tips and tricks to get people to care, sign up for the NCA’s free email newsletter.
