In an era where cybersecurity threats are becoming more sophisticated and frequent, organisations have been investing heavily in cybersecurity awareness programmes. However, many of these initiatives fail to achieve the desired results. Employees often view them as tedious, complicated, or irrelevant to their daily responsibilities. An innovative alternative to traditional methods is the flipped classroom model, which encourages active participation and engagement, shifting learning dynamics. We spoke with Alexandre Pluvinage, Head of Fraud and Online Security Awareness at ING Belgium, to explore how flipped classrooms could raise cybersecurity awareness more effectively in organisations.
Could you briefly explain why traditional cybersecurity awareness programmes often do not produce the desired results?
Alexandre Pluvinage: ”A study done at the ULB indicated that the key success factors for changing behaviour on cybersecurity are management support and employee participation. Meaningful engagement is precisely what many cybersecurity awareness programmes struggle to create. Employees are often passive recipients of information, which makes it hard for them to internalize key security practices. The messages can seem complicated or irrelevant to their specific roles. You’ll often hear things like, “This is too technical” or “Cybersecurity is IT’s job, not mine.” People also feel it’s not their problem when it’s not directly tied to their performance indicators. The result? Low interest, low retention, and consequently, minimal behavioural change.
How can the so-called flipped classroom approach change this dynamic?
Alexandre Pluvinage: “The flipped classroom is an instructional strategy where the traditional learning model is reversed. The concept was already used in ancient Greek times. The idea is that the teacher is a coach and helps the students to organize the class themselves. In a corporate setting, instead of passively receiving information in a session, employees engage with learning material—videos, articles, or other content—outside of class time, like homework. They apply this knowledge through active, problem-solving exercises and campaigns with guidance from an instructor or mentor.
It’s not complex to apply this concept to the topic of cybersecurity awareness. In fact, this method allows employees to explore cybersecurity concepts at their own pace and come prepared to actively discuss or solve real-life problems in the workplace. It creates ownership and personalizes the learning process, which makes it much more effective.”
So, how would a flipped classroom work specifically for cybersecurity in an organisation?
Alexandre Pluvinage: “In a flipped classroom programme, the organization would provide employees with a number of cybersecurity topics — whether it’s data protection, phishing, or password security. Employees then perform their own research, watching videos on, say, multi-factor authentication (MFA) or reading articles on recognizing phishing attempts.
Then, they are supported to get actively engaged in the topic. For example, they might work in teams to create campaigns to raise phishing awareness within their departments or evaluate a fake phishing email and discuss how they would respond to it. They work on messaging, creative concepts and how to run and evaluate a campaign about the topic.
You can set up a content or campaign calendar throughout the year, having different departments – sales, marketing, finance,… – tackle different topics every month or quarter.”
What are the key benefits of this approach?
Alexandre Pluvinage: “First, it promotes active learning. Rather than being passive participants, employees take control of their learning process by researching and understanding key cybersecurity concepts ahead of time.
Second, it fosters collaboration and problem-solving. Employees work together to solve problems, which enhances their engagement and retention of the material. They’re more likely to remember lessons learned through action than through lectures.
Third, it shifts the focus from merely raising awareness to actively changing behaviour. A flipped classroom empowers employees to not only understand cybersecurity risks but also take responsibility for mitigating those risks within their roles. It transforms cybersecurity from being seen as an IT issue to being a shared responsibility across the organization.
And finally, for an organization it is relatively easy to set up and manage. You provide the topics and support throughout the process and help with validation of the work.”
About setting things up, what would be a good step-by-step approach?
Alexandre Pluvinage: “Well, it’s not rocket science at all. The first step is to build a yearly plan tailored to the organisation’s needs, with clear topics and goals. This is not new either, as the risks are usually well known. Next, you need management buy-in, either through a pilot programme or a full-scale launch, to ensure leadership is on board. As mentioned before, this buy-in is really key to success. Then, recruit or assign teams by finding 3-5 volunteers per team who will champion the programme within their departments. Once the teams are set, you apply the plan, allowing employees to take charge of awareness creation. Finally, you measure the results, adapt based on feedback, and celebrate successes by publishing results, and even awarding prizes for the best campaigns, most creative efforts, and the most secure teams.
Are there specific types of organisations where this approach is especially useful?
Alexandre Pluvinage: “The flipped classroom model, while still a ‘new’ or better ‘rediscovered’ concept, can be effective across industries, from small and medium-sized enterprises (SMEs) to even large corporations. However, it might be particularly useful for SMEs where cybersecurity training resources are often limited. In larger organisations, it may be more difficult to implement, but certainly not unfeasible. I believe organisations should try it and evaluate how it turns out.”
Is the flipped classroom not yet another way of chasing the holy grail?
Alexandre Pluvinage: “You make a valid point, but what is the alternative? All the actors involved are doing their best and still the numbers are rising. Why is that? Because of people. We are still giving devices to people without knowing that they are capable of using them securely. So, maybe it is time to make everyone responsible. What we’re clearly not doing enough now is changing the culture of organisations. We must integrate security in all areas of the business, make it visible and part of the way of working. Look at the concept of innovation. Innovative companies stimulate innovative thinking among employees, but they don’t train them in innovation. It’s a way of thinking, it’s a culture. We need to work towards a security culture as well. Even if we’re still far from it, a concept like the flipped classroom is certainly worth undertaking, as a complementary approach to other initiatives.”
