AI-Driven Threats Highlight Critical Gaps in Security Awareness Training Effectiveness
As cyber threats driven by artificial intelligence (AI) become increasingly complex, organizations are recognizing the importance of security awareness training as a vital measure for mitigating cyber risks. Melonia Da Gama, Director of Training and Learning Programs at Fortinet, emphasizes the findings from a recent global study that underscores the necessity of ongoing, measurable training initiatives to cultivate a more resilient workforce.
Evolving Landscape of Security Awareness Training
Security awareness training has transitioned from a mere compliance requirement to a measurable strategy for reducing cyber risks. According to the 2025 Security Awareness and Training Global Research Report, which surveyed 1,850 senior IT and security leaders worldwide, there is notable progress in the field, although vulnerabilities remain.
Awareness vs. Readiness: A Critical Disparity
The rise of AI-driven threats has significantly altered perceptions of cybersecurity among employees and leaders. Nearly 90% of organizations report that the use of AI by attackers has heightened employee awareness regarding the importance of security training. However, awareness does not equate to readiness; only about 40% of leaders believe their employees are adequately prepared to identify, avoid, and report AI-based cyber threats.
In response, many organizations are focusing on training employees in the appropriate use of Generative AI (GenAI) tools, monitoring sensitive data sharing, and establishing formal AI security policies. A vast majority of respondents indicate that they have either implemented or are in the process of implementing security policies for AI and large language model (LLM) tools. The challenge lies in the execution and consistency of these initiatives.
External Threats and Rising Insider Risks
External threats, including past breaches and industry incidents, continue to be the primary motivators for organizations investing in security awareness training, with over 40% of respondents citing these factors as key drivers. However, there is a growing concern regarding insider risks, with more than a quarter of organizations now identifying this as a reason for adopting training—an increase from the previous year.
Training priorities are evolving to reflect this shift. While data security and privacy remain top concerns, the focus on AI-based tools and threats is gaining traction. This alignment indicates that organizations are beginning to connect real-world risks with the content of their training programs, moving away from generic compliance training.
Proven Impact of Security Awareness Training
The report highlights a compelling finding: training is effective. Sixty-seven percent of organizations report moderate to significant reductions in intrusions, incidents, and breaches following the implementation of security awareness training.
Measurement practices are evolving as well. Common indicators of success include decreased security incidents, employee feedback, and security audits. Many organizations are now combining in-person and computer-based training with simulations, assessments, and ongoing reinforcement. This shift represents a move away from one-time training sessions toward programs designed to foster behavioral change and long-term risk reduction.
Challenges in Training Completion and Consistency
Despite improvements in measurement and outcomes, many organizations still face challenges in ensuring training completion. Only a small percentage of organizations report full training completion, and nearly 70% of leaders acknowledge that employees still lack sufficient security awareness.
This gap between investment and outcomes can be attributed to incomplete training, lack of reinforcement, and outdated content that fails to adapt to the evolving threat landscape. The report suggests practical enhancements, including shorter and more frequent training modules, clearer accountability for completion, better alignment of content with current threats, and visible support from leadership. Additionally, the demand for regular micro-training is increasing to keep pace with advancements in AI.
Cultural Shift in Security Awareness
There is a growing recognition among leaders that security awareness should be a shared responsibility across the organization, rather than solely an IT or security function. Most leaders are open to utilizing policy to manage high-risk behavior, particularly when paired with training that clarifies the rationale behind those policies.
This shift is significant. Effective security awareness training transcends mere testing; it aims to influence daily decision-making, reinforce positive behaviors, and mitigate risks in real-world scenarios.
Implications for the Future
The data is clear: security awareness training is effective in reducing incidents. Organizations that invest in and measure their training programs see tangible results. However, the acceleration of AI capabilities among attackers and the increasing prevalence of insider risks present ongoing challenges. Many training programs still suffer from low completion rates and outdated content.
For training to be effective, it must be continuous, relevant, and regarded as a core risk management strategy rather than a peripheral task.
The Fortinet Training Institute aims to assist organizations in transforming security awareness into measurable risk reduction. Through role-based security awareness training, technical certifications, and hands-on learning paths, these programs are designed to enhance employee readiness and strengthen overall security posture.
As reported by www.intelligentciso.com.


