Executive summary
AI-based threats have led employees to see the value of cybersecurity awareness and training in a new light. Organizations report real, measurable results from training efforts, though most feel that even more training is needed to defend against evolving cyber risks.
AI is reinforcing the value of security awareness and training
- 88% of organizations say AI use by bad actors has helped employees see why awareness and training matter.
- 53% of organizations train employees on the appropriate use of generative AI (GenAI) tools and monitor or block the sharing of sensitive information.
- 96% of respondents say they are in the process of researching and implementing a security policy for using AI apps and other tools.
External threats are driving adoption
- 41% of respondents say they have adopted security awareness and training to defend against external threats – down from 52% in 2024.
- 51% see data security as the most important awareness and training topic, followed by data privacy (43%) and AI-based tools and threats (41%).
- 34% say personnel limitations were the main reason they did not implement security awareness and training sooner.
Organizations are seeing real results from security awareness and training
- 67% of organizations report moderate or significant reductions in intrusions, incidents, and breaches since implementing training.
- 53% measure training effectiveness in terms of reduced security incidents. Other top measures include employee feedback (52%) and security audits (50%).
- 88% of organizations provide tailored training to different groups of employees.
Despite making gains, more is needed
- 95% of decision-makers believe that more security awareness would help reduce cyberattacks.
- 69% of leaders feel employees still lack security awareness.
- 26% say employees who see security as important don’t always act accordingly.
Introduction
Training works, but the work is never done
The 2025 Security Awareness and Training Global Research Report reinforces two key findings from the past couple of years – that organizations see knowledge and skills as crucial to cyber defense, and that training must adapt continually as threats and risks evolve, especially when AI is involved.
Our 2025 findings show that organizations continue to see security awareness and training as important and that external threats are still the main motivator for undertaking security awareness and training programs.
As they have in previous years, leaders remain committed to security awareness and training, recognizing the need and building it into corporate priorities. Yet many continue to feel that their workforces are unprepared to fend off cyberthreats, despite concerted efforts to raise awareness and provide security training. The following pages explore possible reasons for this mindset, from the constant evolution of threats to rates of training completion, to issues with training content.
In 2025, we broadened the scope of our Security Awareness and Training survey, asking new questions and diving deeper into areas such as preferred training modalities, how organizations are measuring the effectiveness of training initiatives, and employee perceptions of cybersecurity as a shared responsibility.
We also added a new section to the report – first introduced in our 2025 Cybersecurity Skills Gap Global Research Report – Taking Action.
Fewer than half (40%) of respondents say employees are highly trained and ready to identify, avoid, and report AI-based cyberthreats.
AI is reinforcing the value of security awareness and training
As organizations continue to adopt AI tools – and as threat actors increasingly use AI for malicious purposes – employees and leaders recognize the dual need for greater awareness of AI risks and more training in how to deal with those risks.
The overwhelming majority (88%) of respondents to our 2025 survey say that the growing use of AI by bad actors has either somewhat or significantly influenced employee perspectives on the importance of security awareness training. Yet despite being highly aware of the rising threat of AI, leaders aren’t especially confident that their employees are equipped to meet it.
Just 40% of survey respondents consider their employees to be highly trained and ready to identify, avoid, and report AI-based cyberthreats in the next 12 months. Fifty-eight percent (58%) describe their employees as being either moderately or slightly prepared.
A silver lining is that only a very small portion of leaders (2%) believe their employees are not at all ready to face AI-driven threats.
The AI Alarm Bell
Most respondents say knowledge of AI threats has either significantly or somewhat increased employee perceptions of the importance of security awareness and training.
Organizations are acting to safeguard against AI risks
AI use needs to be managed
Organizations are taking concrete steps to manage employee AI use, including:
- Training employees on how to use AI tools properly (53%).
- Using technologies to monitor or block the sharing of sensitive information with AI tools (53%).
- Implementing policies for AI tool use (48%).
- Maintaining authorized app lists (45%).
AI tools need to be secured
The majority are also taking steps to manage AI tool security:
- 96% of respondents indicated that their organization either has measures in place or is in the process of researching or implementing measures to test and validate the security of deployed AI and large language model (LLM) tools. (Of that 96%, 68% have already implemented such measures.)
- 96% have implemented or are in the process of implementing security policies for GenAI apps and other AI tools.
AI training adoption is fairly consistent across organizations of all sizes
AI training adoption is broadly similar across companies of all sizes, with a modest uptick among organizations with 5,000+ employees.
- 5,000+ employees – 57%.
- 2,500 to 4,999 employees – 55%.
- 1,000 to 2,499 employees – 52%.
- 500 to 999 employees – 49%.
- 100 to 499 employees – 52%.
53% of organizations train employees on proper use of GenAI tools.
Regional Highlights
AI-driven security awareness varies by region, with Europe, the Middle East, and Africa being the lowest
Workers in North America are most likely to see security awareness and training as important due to the growing malicious use of AI.
North America is most confident about dealing with AI threats
More respondents in North America say employees are trained and ready to identify, avoid, and report AI-based cyberthreats over the next 12 months than in any other region.
Asia Pacific organizations are the most likely to train users on AI tools
While no region reports especially high user training on AI tools, Asia Pacific leads the way at 59%. Latin America is the only region to come in at less than 50%.
Taking Action
Organizations are still very much at the learning stage when it comes to managing AI-related risks. For example, fewer than half (42%) of those surveyed say they have tools to monitor employee AI use.
AI training is needed
This can be done in several ways, including by holding AI training more regularly and providing brief refresher sessions, or by offering microlearning or on-demand resources as required by employees to stay current on evolving AI threats and best practices.
Guidance on AI use is also required
It is important to provide up-to-date AI guidance and policies that help employees understand and follow the best practices for using, selecting, and engaging with AI vendors and third-party AI technology providers. Such guidance should clearly outline data types and classification levels, provide information security and legal/privacy criteria, and list approved AI vendors and providers.
AI governance policies need continuous monitoring
Implementing policies alone is not enough in the ever-changing world of AI. Organizations must also monitor and revisit those policies continuously to keep pace with shifts in technology and regulations.
41% of organizations say external threats were the core driver for adopting security awareness and training.
External threats are driving adoption, but internal risks are a growing concern
Potential threats, past breaches, and breaches in the same industry were the biggest motivators of increased security awareness and training in 2025 (41%). This is down from 52% the year before, though the addition of new options related to internal drivers could account for the decline.
Twenty-seven percent (27%) of respondents say they adopted security awareness and training to protect from insider risks. Insider risks include corporate sponsorships, past or potential insider breaches, and concerns that internal users could contribute to a data breach or disclosure. This is a jump from just 4% in 2024, which suggests organizations are more attuned to insider risks and see them as addressable with greater awareness training, though the addition of new insider risk options within the survey may account for the dramatic jump.
Respondents list personnel limitations (34%), budget constraints (19%), and other security priorities (18%) as their top reasons for not adopting security awareness and training previously. The main priorities that tend to push security awareness and training to the backburner are operational and production efficiency initiatives (47%), other training and development (44%), digital transformation and technology upgrades (43%), cybersecurity and data protection (42%), and infrastructure and IT modernization (41%).
For many organizations (51%), data security continues to be the most important security awareness and training topic, followed by data privacy (43%), and AI-based tools and threats (41%). This priority seems to be reflected in the types of training that are delivered, with 50% of respondents reporting training on data security, 43% on data privacy, and 42% on AI-based tools and threats.
Top topics for security awareness and training
The addition of new options to the list in 2025 shifted some year-over-year weightings, but data security and data privacy are still seen as the two most important topics to be covered by awareness programs and security training.
The topics trained on in security awareness clearly align with the key topics that need to be covered.
Leaders and employees continue to see value in security awareness and training
Support for security training is widespread
Responses in 2025 about support for training remain in line with 2024:
- 88% of employees see security awareness and training positively (86% in 2024).
- 95% of corporate leaders support security awareness and training to a certain or large extent (96% in 2024).
- IT leaders (56%) and security leaders (51%) are the top champions of security awareness and training, followed by CEOs (41%) and CTOs (33%) – all in line with 2024.
New training topics rank highly
When identifying the most important security awareness and training topics, respondents’ choices included the following new options in 2025:
- AI-based tools and threats (41%).
- Cloud and application security (33%).
- Information security concepts (29%).
- Reporting incidents and suspicious activity (23%).
- Physical security (16%).
Satisfaction with training is generally high
85% of decision makers say they’re somewhat or very satisfied with their current security awareness training solution (86% in 2024), though some have reservations:
- Of those not satisfied, the top concern was missing important topics (28%, new in 2025).
- Other sources of dissatisfaction are unengaging content (21%) and multilingual availability/language support (18%, new in 2025).
- A third new option, ranking fourth, was ‘content is not easy to understand’ (13%).
88% of employees see security awareness and training positively.
Regional highlights
The threat of a breach is a top motivator in Europe, the Middle East, and Africa, and in Latin America
North American respondents were least likely to say they adopted security awareness and training out of concern about breaches.
Limited personnel is a significant obstacle to adoption in Asia Pacific
Organizations in the Asia Pacific region were much more inclined to cite human resource constraints as the top reason for not adopting security awareness and training sooner.
Organizations in North America are most satisfied with their current solution
Respondents in other regions are likelier to say they had some dissatisfaction with their current security awareness and training solutions.
Taking Action
Previous security awareness and training surveys have shown consistently that quality training content matters – and is important to organizations. Yet that doesn’t necessarily mean all organizations have a clear sense of what ‘quality’ looks like.
Quality training needs to be relevant and effective
Relevant cybersecurity training addresses the risks that users face in real life and emphasizes the biggest and potentially most harmful threats. Quality training uses scenarios, media, and interactive elements to engage learners and accommodate different learning styles; is delivered in multiple languages; and provides the information and education required to teach all students how to recognize, assess, and respond to threats.
Measurement is critical
Learning should be measured with assessments and tests. Track completions as well as behavior changes, such as phishing click rates, security tool uptake, and the number of incidents.
Timing matters
Timing and timeliness are also important. Deliver training regularly – at short intervals, not just once a year – and reinforce it with reminders, simulations, and microlearning. Update training regularly to match changes in technology, policies, and threats, and to ensure new, important, and high-priority topics aren’t missed.
Cyber awareness is cultural
The goal of awareness and training is not just to inform: It is to effect change and build a culture of security awareness. This goal should extend throughout the organization from leadership on down. Organizations should encourage their employees to see security awareness training as a tool that helps them protect themselves and the company rather than a compliance box that must be checked.
67% of organizations have seen a reduction in intrusions, incidents, and breaches since implementing training.
Organizations are seeing real results from security awareness and training
An encouraging insight from our 2025 survey is that many organizations are using a mix of indicators to measure the effectiveness of security awareness and training, with a clear majority (67%) saying they’ve seen a corresponding decline in intrusions, incidents, and breaches.
The most common measure of training effectiveness is reduced security incidents (53%). Also common are employee feedback (52%), and security audits (50%). Slightly lower but still significant, 42% of respondents say they evaluate effectiveness by tracking the completion rate for security awareness and training. This has some interesting implications, because only 6% of organizations report 100% training completion. Just over half (56%) report completion rates greater than 70%, which is the mean average.
These lower-than-100% completion rates may hold part of the key as to why, despite corporate efforts, many leaders (69%) still feel employees lack cybersecurity awareness (a point that will be elaborated on in the next section).
Organizations do seem to recognize that targeted training is more effective. Eighty-eight percent (88%) provide training that is tailored to specific groups of employees, with 64% focusing on groups that are targeted more often and 58% focusing on individuals who seem to have the least security awareness or knowledge.
Mixing measures and modalities
Organizations use a wide range of measures to determine the effectiveness of security awareness and training. They also employ a blend of training modalities, with in-person and computer-based training most common (53% and 52%, respectively).
Many organizations have good training discipline
Regular training sessions are common
94% of respondents say they hold security awareness and training sessions on a regular basis:
- 46% hold training quarterly (47% in 2024).
- 32% hold training monthly (34% in 2024).
- 16% hold training annually (15% in 2024).
Many plans for training campaigns
Planning of security awareness training campaigns is on the rise:
- 35% conduct planned campaigns quarterly (down from 45% in 2024).
- 22% conduct planned campaigns annually (down from 30% in 2024).
- 16% plan campaigns for Cybersecurity Awareness Month (October).
Organizations favor 2-3 hours of training per year
45% of decision-makers say 2-3 hours per year is reasonable for security awareness training (up from 31% in 2024). Other durations include:
- Up to 1 hour per year (7%, down from 9% in 2024).
- 1–2 hours per year (31% – down from 34% in 2024).
- More than 3 hours per year (16% – down from 25% in 2024).
94% of organizations hold regular security awareness training for employees.
Regional Highlights
North American organizations are most likely to report reduced incidents after training
More organizations in North America report moderate or significant reductions in security intrusions, incidents, or breaches compared to other regions.
Most regions use security incidents, employee feedback, and audits to track training impact
Reduced security incidents measures the lowest in Europe, the Middle East, and Africa.
Organizations in Europe, the Middle East, and Africa are least inclined to run training programs monthly or quarterly.
Those in North America and Latin America are most likely to run training programs monthly and quarterly.
Taking Action
Measurement shows training works, reducing the occurrence of incidents in many cases. Yet making training available is just the start. Seeing it through and choosing the right formats are also critical.
Finish what you started
Since completion rates are well below 100%, a straightforward way to strengthen security posture would be for organizations to make completion mandatory – encouraged with incentives or recognition for early, successful completion, team-based goal setting, and the use of progress dashboards. Accurate reporting on who has completed training and who has not allows organizations to issue reminders to help trainees get to the finish line. These reminders can be automated for convenience.
Train in sprints
Breaking training down into less time-intensive but more frequent modules can make it easier for trainees to complete. It also affords more opportunities for the reinforcement of learned skills and concepts. While the research literature is not conclusive, the unofficial consensus is that 5-15 minutes per topic is a good duration for self-paced compliance training. Research also indicates that interactive and engaging content such as videos, scenarios, knowledge checks, and quizzes help with understanding and knowledge retention.
Lead by example
A conspicuous and enthusiastic endorsement by leaders and executives can demonstrate that the commitment to training is top-down and organization-wide.
69% of leaders say employees lack security awareness.
Despite making gains, more training is needed
While organizations are clearly implementing, measuring the outcomes of, and seeing results from security awareness training, 69% of leaders say employees lack knowledge of security awareness – virtually unchanged from 67% in 2024.
Reinforcing that finding, the vast majority of decision-makers (95%) say their leadership supports the view that more security awareness would help reduce cyberattacks, a result that’s basically identical to 2024 (96%). No single data point explains the persistent concerns about employee awareness, but there are a few clues across our 2025 findings.
First, leaders seem to appreciate that training can easily fall behind developments in the threat landscape. The degree of worry about AI as an emerging risk points to this. Second, with 93% of employees not having fully completed training, organizations may be missing out on the full benefits of the programs they implement. And while respondents are largely satisfied with current training programs, content concerns could point to the need for quality improvements.
A new finding is that 70% of leaders say employees see security awareness as a shared responsibility. Yet 26% say employees don’t always act on their belief that security is important. That is a significant enough gap for threats to slip through, reinforcing the need to double down on security principles and practices.
One bright spot has to do with spoofed emails. Seventy percent (70%) of respondents say they think their users have either a good or very good ability to identify a spoofed email – a clear example of how security awareness and training reduces risk.
Spoof-spotting remains strong
The majority of survey respondents say users have either a good (47%) or very good (23%) ability to spot spoofed emails, virtually identical with 2024.
Leaders continue to seek new tactics
Spoof-spotting is strong despite fewer campaigns
Phishing campaigns were much less common in 2025:
- Organizations using phishing simulation campaigns as part of security awareness training decreased in 2025: 73% versus 86% in 2024.
- That said, more organizations plan to implement phishing simulation campaigns in the next year: 23% in 2025 versus 12% in 2024.
Policy is seen as a potential security tool
Leaders believe policy can be a tool to manage high-risk behavior:
- 95% would be interested in applying stricter cybersecurity policies to users who show high-risk behavior (94% in 2024).
- Only 3% say they would not be interested (4% in 2024).
Security awareness knowledge varies by sector
Organizations in certain sectors are more likely to say employees lack knowledge of security awareness:
- Power and energy – 76%.
- Healthcare – 75%.
- Retail, financial services – 74%.
- Those in the technology sector are most likely to say employees do not lack this knowledge.
Regional Highlights
Concerns about security awareness are highest in Latin America
Latin American organizations are most likely to say employees lack security awareness.
All regions believe more awareness is better
Respondents in all regions agree that greater security awareness would help decrease intrusions, incidents, and breaches.
Not all regions hold the same views of ‘shared responsibility’
Latin American respondents are most likely to say employees see security as a shared responsibility. Those in Europe, the Middle East, and Africa are least likely to say so.
Taking Action
Vigilant users are a key component to securing an organization’s network. That’s why most of the respondents in our 2025 Cybersecurity Skills Gap Global Research Report said lack of security awareness was the top cause of breaches.
The fact that security is seen as a shared responsibility in most organizations is positive. Yet with a third of employees not acting on that shared awareness – or not seeing security as a shared responsibility – there is a need to do more.
Reinforce good behavior
Positively reinforcing security-aware behavior can motivate users to continue acting securely. Positive reinforcement does not need to be complicated: An encouraging message to someone who successfully reported a phishing email or completed training on time can go a long way. As noted elsewhere, shorter training sessions at more frequent intervals can also help reinforce core principles.
Enforce stricter cyber policies
In the DIGGING DEEPER section of this chapter, nearly all leaders say they would like to use policy to manage high-risk behaviors. Pulling the “policy lever” could be effective, particularly when paired with training that clarifies the rationale behind the policies and prevents them from being seen as arbitrary impositions.
Content is key
Working with a provider that can stay on top of the latest changes in the threat landscape is critical. That means finding a provider who is recognized as an expert in the field, and who is able to deliver high-quality, interactive training that meets the needs of the evolving threat landscape.
AI training is non-negotiable
Rapid AI adoption makes it essential to equip employees with the knowledge and the skills they need to use AI tools safely and effectively. Failing to provide this essential training increases risks to the organization.
Conclusion
Cybersecurity has evolved from a practice centered primarily on threats to one focused on risk. This shift is reflected in Fortinet’s 2025 Cybersecurity Skills Gap Global Research Report, which found that cybersecurity is being more frequently included in overall corporate risk management. Security awareness and training are key components of this approach, helping to reduce risk in every department across organizations.
New threats will continue to emerge. It’s AI today; in the not-too-distant future, it may be quantum computing. As a result, cybersecurity must evolve continuously – and that means security awareness and training must evolve continuously as well.
Good training content that is relevant, engaging, and up to date on the latest threats is essential. As this report outlines, security awareness and training also needs to focus on changing behavior, not just imparting information, and teaching users how to recognize, assess, and respond to threats themselves.
It is encouraging to see that organizations are actively measuring the effectiveness of the security awareness and training they offer today. They should keep doing so and use the results to fine-tune their programs. Measurement will also help identify where gaps or weaknesses exist, so they can be closed by adding topics, boosting interactivity, or providing training in more languages.
A big takeaway from the 2025 survey is that while most organizations have security awareness and training or plan to implement it, 93% of employees don’t see that training through to the end. Maximizing completion rates by making training mandatory, offering incentives, and imposing policy-based consequences for non-compliance with organizational practices, can all help strengthen the overall security posture.
Finally, it was noted that personnel and budget constraints are the most common reasons organizations put off implementing security awareness and training. These constraints can also interfere with maintaining and updating awareness and training programs. To overcome those resource challenges, organizations may wish to partner with third-party experts to offload the burden and ensure training quality and regularity.