Security awareness training teaches employees how to spot and handle cyber threats. It turns your employees from a vulnerability into your best defence against phishing, social engineering, and data breaches. The goal of cybersecurity awareness training is clear: fortify company culture to defend against cyber-attacks and socially engineered threats.


What Is Security Awareness Training?

Security awareness training is an ongoing programme that teaches people how to identify cybersecurity threats and respond appropriately. It’s not a one-off that you do once a year. Programmes are constantly changing to anticipate new attack methods, and organisations are tailoring their security awareness efforts to ensure departments are well-equipped to counter even the most elaborate schemes.

This training is helpful for many people in your company. Employees and end users learn how to spot threats in their daily tasks. Security and IT teams keep up with new ways that attackers can get in and how to stop them. Business leaders and executives know enough about the risks to make smart choices. To keep your extended ecosystem safe, even contractors and third-party partners need to know some basic security information.

It’s important to know the difference between being aware and being trained. Awareness helps you understand concepts, like knowing what phishing is and why it’s bad. Training enables you to learn how to do things correctly, like spotting a phishing email in your inbox and knowing how to report it. Good programmes include both of these dynamics.

The training encompasses a broad range of topics essential for maintaining cybersecurity hygiene, including but not limited to recognising phishing attempts, understanding the importance of strong password practices, identifying malware, and adhering to company security policies and procedures. Security awareness training may also cover the legal and regulatory aspects of data protection, such as compliance with the General Data Protection Regulation (GDPR) or the Health Insurance Portability and Accountability Act (HIPAA), where applicable.

To remain effective, security awareness training is an ongoing learning process that continuously adapts to the evolving threat landscape. It includes various educational methods, such as interactive online learning, gamification, phishing simulations, and real-world examples to engage team members with different learning styles and technical aptitudes.

This article is an introduction and deep dive into security awareness training and its importance: why organisations use it, how it has evolved over the years, and how it helps to reduce the threat of cyberattacks and other security breaches. Finally, we’ll introduce some tools for creating an effective security awareness programme.

How Security Awareness Training Works

Security awareness training is not a one-and-done; it’s an ongoing programme. The best programmes use a variety of ways to teach different types of students and reinforce good behaviours over time. This is how most businesses set up their training:

  • Microlearning modules break down complex security topics into short, focused lessons that employees can finish in 5–10 minutes. These short learning sessions fit well into busy workdays and help people remember what they learned better than long yearly courses.
  • Simulated phishing and social engineering put employees in realistic attack situations in a safe setting. When someone clicks on a fake phishing link, they get instant feedback that explains what made the email look suspicious and how to spot similar threats in the future.
  • Scenario-based and interactive learning puts employees in real-life situations at work where they have to make security choices. These activities might be like a phone call that seems suspicious and asks for password resets or a USB drive that was found in the parking lot.
  • Role-based training customises content to fit certain job roles and levels of access. Finance teams learn about scams involving wire transfers and fake invoices. Executives learn how to deal with targeted spear-phishing and business email compromise. IT administrators focus on privilege management and secure system configuration.
  • Measurement and feedback loops keep track of how well a programme is working by looking at things like simulation click rates and reported suspicious emails. This information helps businesses find areas where their employees need more training and change the training materials to fill those gaps.
  • Reinforcement over time keeps security knowledge fresh by having regular check-ins throughout the year. Monthly tips, quarterly refreshers, and timely alerts about new threats keep employees thinking about security without making them feel overwhelmed.

Why Do Organisations Conduct Security Awareness Training?

The most common reason for successful cyber-attacks is still human error. Phishing emails, social engineering, and insider threats take advantage of people, not systems. No firewall or endpoint protection can stop an employee from clicking on a bad link or approving an authentication prompt that merely appears to be legitimate.

Attacks that succeed through human error have a significant effect on businesses. A single data breach can cost millions in legal fees, incident response, and fines from the government. When private information gets out, customers lose trust. Damage to your reputation can take years to fix, and it directly costs you money and market share.

This problem can’t be solved by technology alone. You can use the best security tools, but attackers will just go after your employees instead. They send your finance team fake bills. They pretend to be executives asking for quick wire transfers. They pretend to be IT support to get passwords. These attacks work because they use psychology instead of taking advantage of technical flaws.

Modern threats are aimed at people in particular. Phishing has changed from obvious spam to highly targeted attacks that mention real projects and coworkers. Social engineering now uses information taken from corporate and social media sites. As more people work from home, the lines between personal and work devices become less clear, which increases the risk of insider threats.

Cybersecurity awareness training helps with this by creating a culture of security awareness throughout your company. When workers know how attacks work and what to look out for, they become an active defence layer. They ask questions about requests that seem strange. They check out strange messages through different channels. Instead of ignoring possible threats, they tell someone about them.

These programmes are also required by regulatory frameworks. Anyone who works with personal data must have proof of security training, according to GDPR. In the healthcare sector, HIPAA requires that workers be trained in privacy and security. ISO 27001 compliance certification requires that employees be aware of certain things. If you don’t meet these obligations, you could face audits, fines, and legal problems that are much more expensive than a good training programme.

The financial case is easy to understand. If you can stop one successful phishing attack, you can save money on incident response, forensics, notification requirements, and possible lawsuits. Companies spend a lot of money fixing problems that could have been avoided if they had trained their employees on a regular basis.


Proofpoint’s 2025 Human Factor report series looked at data from more than 3.5 billion emails every day to learn more about how social engineering threats are changing. The research offers essential insights into the reasons human-targeted attacks persist as the most effective strategy in the cybercriminal’s arsenal and what organisations need to tackle through extensive security awareness initiatives.

The data shows the biggest social engineering threats that businesses face:

  • More than 90% of state-sponsored social engineering campaigns use fake people to gain trust.
  • Over the past 10 years, business email compromise has cost businesses more than $55 billion in reported losses.
  • 25% of all advanced persistent threat (APT) campaigns now use only social engineering, with no malware or attachments.
  • Advanced Fee Fraud went up almost 50% from one year to the next.
  • More than 117 million Telephone-Oriented Attack Delivery (TOAD) threats were blocked per year.

These results show why social engineering still works, even though technology has gotten better. Attacks without payloads get around traditional detection systems because they use trust instead of technical flaws. Generative AI now lets bad actors send personalised, grammatically correct messages to a lot of people in different areas and roles.

The report highlights a major problem for security teams. Even when workers know the risks, they often put convenience and responsiveness ahead of caution when messages seem important or fit with their job duties. Because of this behaviour, security awareness training should be required, not optional.

Importance of Security Awareness Training

Security awareness training has become a critical business imperative in today’s threat landscape. The 2024 Verizon Data Breach Investigations Report reveals that users click malicious links in just 21 seconds, with sensitive data entered within the following 28 seconds. This means a successful phishing attack can compromise an entire organisation in under one minute.

The human element remains the weakest link in cybersecurity defences. Mimecast research shows that 95% of cybersecurity breaches stem from human error. Meanwhile, Sacred Heart University found that social engineering accounts for 98% of all cyber-attacks. These statistics underscore a fundamental reality: even the most sophisticated security technologies can be bypassed entirely if employees aren’t adequately trained to recognise threats.

The financial stakes are enormous. Vishing attacks alone cost organisations an average of $14 million per year. Data breaches can result in millions of dollars in damages, regulatory fines, and reputational loss. Cybersecurity awareness training represents a relatively small investment that can prevent catastrophic losses.

Beyond risk mitigation, training transforms employees from security liabilities into proactive defenders. Well-trained staff become the first line of defence against cyber-attacks. They can identify suspicious emails, report potential threats, and make security-conscious decisions that strengthen the entire organisation’s security posture.

Regulatory compliance adds another layer of importance. Standards like GDPR, HIPAA, and ISO 27001 require demonstrable security training efforts. Organisations that fail to meet these requirements face severe financial penalties and legal consequences.

The Evolution of Security Awareness Training

While the core concepts of cybersecurity awareness training aren’t new, they have reached mainstream consciousness relatively recently. One indication of its emergence was the 2004 launch of National Cybersecurity Awareness Month. The initiative, by the National Cybersecurity Alliance and the US Department of Homeland Security, was intended to help people stay safer and more secure online, encouraging such practices as regularly updating antivirus software.

Since then, the annual awareness month has inspired similar events in other countries, expanded its themes and content, and drawn increased participation across industries and government, as well as universities, nonprofits, and the general public.


Security awareness training has developed over three distinct phases, each one responding to changes in both the level of threat and the expectations of regulators. In the compliance-only era, training was just a way to check off a box for audits. The behaviour-focused phase was limited to changing how employees used technology. Today’s approach to human risk management sees security awareness as a strategic function that measures and lowers people-based risks throughout the whole company.

Along the way, training methods themselves have matured. In 2004, the dominant paradigm was annual presentations, either as in-person training sessions or long-form computer-based training. Unfortunately, these lengthy, infrequent sessions do not result in good knowledge retention. These methods were based on the threats that were common at the time, such as worms that took advantage of systems that weren’t patched and viruses that spread through email attachments. A gradual shift toward short, focused training on individual topics represented an improvement, but these trainings were still presented infrequently, which allowed knowledge to dissipate over time.

Around 2014, security awareness training began shifting toward continuous education and improvement, in which a programme includes ongoing cycles of assessments and training. This change happened at the same time as the rise of targeted phishing campaigns and spying by nation-states, which required stronger defences for employees. The latest developments have been “just-in-time” and in-context training, which adds the ability to launch training in response to an end-user exhibiting poor cybersecurity behaviour, such as unsafe web browsing.

The period from 2020 onward has marked a new chapter driven by artificial intelligence and data analytics on both sides of the equation. Attackers now use generative AI to create convincing phishing emails at scale and personalise social engineering attacks based on publicly available information. Organisations leverage AI and machine learning to personalise training content based on individual user behaviour and risk profiles. This shift has enabled real-time behavioural analytics that identify risky actions and trigger immediate, contextual training interventions.

Modern programmes have also expanded beyond traditional phishing awareness to address emerging threats like deepfakes, AI-driven social engineering attacks, and sophisticated manipulation techniques. Gamification and microlearning modules are now part of training delivery methods. They help employees remember what they’ve learned without overwhelming them. Cloud-based platforms that can reach remote and hybrid workforces have also become necessary.

Perhaps most significantly, there’s a growing recognition that successful security awareness training requires genuine organisational culture change and active leadership involvement. Rather than viewing training as an IT department responsibility, organisations now treat security awareness as a company-wide initiative that requires executive sponsorship and cultural transformation to achieve lasting behavioural change.

Tools for Training End Users

Phishing simulations are a big part of security awareness programmes that test and improve how people act. In 2024, Proofpoint looked at more than 212 million phishing simulations done by customers, which is 16% more than the year before. This growth shows that many people now understand that it’s necessary, not just nice, to test and teach employees about phishing threats.

Data reporting on current simulation methods shows clear patterns in how they are used and how well they work:

  • 60% of simulations use link-based tests
  • 30% use tests that require entering data
  • 9% use tests that are based on attachments
  • The failure rate for attachment-based tests is the highest at 6.59%
  • The failure rate for data-entry tests is the lowest at 2.46%

The data shows that organisations are becoming more resilient, which is a good sign. The overall failure rate for simulated phishing went down to 4.93%, while the reporting rate went up to 18.65%. The average Resilience Factor has gone up to 3.78, which means that almost four times as many people are reporting phishing emails as falling for them. Companies that used Proofpoint’s security awareness training saw a 40% drop in the number of real-world malicious links that users clicked on.

The content of these simulations changes as threats change. Thirty percent of simulations now focus on hacking into accounts and getting around multi-factor authentication. Another 25% take advantage of file-sharing and collaboration tools like Microsoft Teams and SharePoint. Twenty percent use brands that people see to build false trust.

But how well it works depends a lot on the industry. The financial services sector has the highest resilience ratio at 8:23, while the education sector has the lowest at 1:27. This gap shows that how often people are trained, what the rules are, and the security culture of the organisation all have a big impact on how well a programme works. The challenge goes beyond just raising awareness; it also includes making lasting changes in behaviour across a wide range of workers.
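The failure rate, reporting rate and Resilience Factor quoted above are the core measurements a programme owner tracks, and the same arithmetic run per department or per test type is what exposes the weak groups the text describes. The following script is an added example, not Proofpoint’s code or data; it assumes the Resilience Factor is the reporting rate divided by the failure rate (which matches the page’s figures: 18.65 / 4.93 ≈ 3.78) and uses a small constructed set of simulation outcomes for four hypothetical departments.

```python
"""Programme metrics from simulated-phishing outcomes (added example, constructed data)."""
import math
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SimulationResult:
    """One user's outcome in one simulated phishing campaign."""
    user: str
    department: str
    test_type: str   # "link", "data_entry" or "attachment"
    failed: bool     # clicked the link, entered data or opened the attachment
    reported: bool   # used the report button on the simulated message


# Constructed sample outcomes for four hypothetical departments (not real campaign data).
RESULTS = [
    SimulationResult("f1", "finance", "link", False, True),
    SimulationResult("f2", "finance", "link", False, True),
    SimulationResult("f3", "finance", "data_entry", True, False),
    SimulationResult("f4", "finance", "attachment", False, True),
    SimulationResult("f5", "finance", "link", False, True),
    SimulationResult("e1", "engineering", "link", False, True),
    SimulationResult("e2", "engineering", "attachment", False, False),
    SimulationResult("e3", "engineering", "data_entry", False, True),
    SimulationResult("e4", "engineering", "link", False, True),
    SimulationResult("e5", "engineering", "link", False, False),
    SimulationResult("s1", "sales", "link", True, False),
    SimulationResult("s2", "sales", "attachment", True, False),
    SimulationResult("s3", "sales", "link", False, True),
    SimulationResult("s4", "sales", "data_entry", False, False),
    SimulationResult("s5", "sales", "link", False, False),
    SimulationResult("u1", "support", "link", True, False),
    SimulationResult("u2", "support", "link", False, True),
    SimulationResult("u3", "support", "attachment", False, True),
    SimulationResult("u4", "support", "data_entry", False, False),
    SimulationResult("u5", "support", "link", False, False),
]


def resilience_factor(reporting_rate, failure_rate):
    """Reporting rate divided by failure rate (assumed definition).

    A group in which nobody failed has an unbounded factor, returned as inf.
    """
    if failure_rate == 0:
        return math.inf
    return reporting_rate / failure_rate


def rates(results):
    """Failure rate and reporting rate (percent) plus the resilience factor for a result set."""
    n = len(results)
    if n == 0:
        raise ValueError("no results to measure")
    failure_rate = 100.0 * sum(r.failed for r in results) / n
    reporting_rate = 100.0 * sum(r.reported for r in results) / n
    rf = resilience_factor(reporting_rate, failure_rate)
    return {
        "count": n,
        "failure_rate": round(failure_rate, 2),
        "reporting_rate": round(reporting_rate, 2),
        "resilience_factor": rf if math.isinf(rf) else round(rf, 2),
    }


def group_rates(results, key):
    """Metrics per group; key is the attribute to group on ("department" or "test_type")."""
    groups = defaultdict(list)
    for r in results:
        groups[getattr(r, key)].append(r)
    return {name: rates(members) for name, members in sorted(groups.items())}


def needs_attention(results, min_resilience=1.0):
    """Departments where fewer people report the simulation than fall for it."""
    return [dept for dept, m in group_rates(results, "department").items()
            if m["resilience_factor"] < min_resilience]


if __name__ == "__main__":
    print("overall:", rates(RESULTS))
    for dept, metrics in group_rates(RESULTS, "department").items():
        print(dept, metrics)
    for test_type, metrics in group_rates(RESULTS, "test_type").items():
        print(test_type, metrics)
    print("needs attention:", needs_attention(RESULTS))
```

Grouping by test type reproduces the kind of comparison the page makes between link, data-entry and attachment tests, and `needs_attention` is the feedback-loop step: the departments it returns are the ones whose next training cycle should be adjusted.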


At Proofpoint, we’ve created highly effective training solutions utilising our Continuous Training Methodology based on Learning Science Principles that engage the learner and change behaviour.

Research at Carnegie Mellon University found our application of Learning Science Principles to be effective.

Real-World Examples and Scenarios

Security awareness training teaches employees about real threats that they face every day. Teams can better react to attacks if they know how they happen in real life. Here are some common situations grouped by role and level of risk.

  • Employee credential harvesting: An email that looks like it came from the IT department asks a marketing coordinator to verify their password because of a “security upgrade”. There is a link in the email that looks like the company’s login page. When employees enter their login information on these fake sites, attackers can get right into the company systems and data.
  • Attacks that impersonate executives: The CFO gets an urgent email that looks like it’s from the CEO asking for an immediate wire transfer for a secret purchase. These business email compromise attacks take advantage of relationships of power and the need to act quickly. Attackers look into how organisations are set up and how they communicate so that their requests look real.
  • Contractor data exposure: A third-party vendor working on a short-term project saves client data to a personal cloud storage account to access it more easily from different devices. Weeks later, when the contractor’s personal account is hacked, attackers who had nothing to do with your company can get to that sensitive information.
  • Remote worker on unsecured networks: An account manager uses public Wi-Fi at a coffee shop to check their email and respond to client emails with contract details and pricing information. People who attack the unsecured network can see this traffic and read private business emails.
  • Fraud in the finance department: An accounts payable specialist gets an email from a regular vendor asking for updated banking information so they can make future payments. The email address is off by one letter from the real vendor contact. Before anyone notices the difference, processing this change sends thousands of dollars to accounts controlled by the attacker.
  • IT administrator social engineering: A help desk technician gets a call from someone who says they are a remote executive who lost access to important files before a board meeting. The caller wants to reset their password and skip multi-factor authentication right away. These phone-based attacks use a sense of urgency and authority to force IT staff to ignore security rules.

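The finance-department scenario above turns on a sender address that differs from the real vendor’s by a single letter, which people miss and software does not. The script below is an added example, not Proofpoint’s code; it assumes a hypothetical allowlist of vendor domains and shows the check an accounts-payable mailbox or a reporting workflow can apply: exact match, near-miss (within a small edit distance) or unknown, combined with the rule that any banking-detail change is verified out of band before it is processed.

```python
"""Lookalike sender-domain check for vendor payment-change requests (added example)."""
import unicodedata

# Constructed allowlist of hypothetical vendor domains (not real organisations).
KNOWN_VENDOR_DOMAINS = {"acme-supplies.com", "northwind-freight.net"}

# Phrases that typically accompany a request to change where payments go.
CHANGE_KEYWORDS = ("bank", "account number", "routing", "iban", "sort code", "remit to")


def edit_distance(a, b):
    """Levenshtein distance using the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(address):
    """Domain part of an e-mail address, NFKC-normalised and lower-cased."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    return unicodedata.normalize("NFKC", domain).lower()


def classify_sender(address, known_domains=KNOWN_VENDOR_DOMAINS, max_distance=2):
    """Return ("known", domain), ("lookalike", nearest_known_domain) or ("unknown", None).

    max_distance=2 catches a single swapped letter as well as the "rn" for "m" trick.
    """
    domain = sender_domain(address)
    if domain in known_domains:
        return "known", domain
    nearest = min(known_domains, key=lambda d: edit_distance(domain, d))
    if edit_distance(domain, nearest) <= max_distance:
        return "lookalike", nearest
    return "unknown", None


def review_payment_change(address, body, known_domains=KNOWN_VENDOR_DOMAINS):
    """Decide how accounts payable should handle a message: (action, reason)."""
    verdict, matched = classify_sender(address, known_domains)
    asks_for_change = any(k in body.lower() for k in CHANGE_KEYWORDS)
    if not asks_for_change:
        return "allow", "no change to payment details requested"
    if verdict == "known":
        # Even a genuine-looking sender can be a compromised mailbox: confirm by phone
        # using the number already on file, never one supplied in the message.
        return "verify", "banking change from known vendor; confirm out of band first"
    if verdict == "lookalike":
        return "hold", f"sender domain resembles {matched}; report as suspected impersonation"
    return "hold", "banking change from unknown sender; report as suspected impersonation"


if __name__ == "__main__":
    for addr, body in [
        ("ap@acme-supplies.com", "Invoice 1042 attached, thanks."),
        ("ap@acme-supplies.com", "Please note our new IBAN for future payments."),
        ("ap@acme-supplles.com", "Please update our bank details before the next run."),
        ("ap@acrne-supplies.com", "Remit to the account number below from now on."),
    ]:
        print(addr, "->", review_payment_change(addr, body))
```

The distance check is deliberately a triage signal rather than a verdict: a lookalike domain is held and reported, and even an exact match still routes a banking change to out-of-band verification, which is the behaviour the training scenario is meant to instil.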
5 Principles of a Positive Anti-Phishing Behaviour Management Programme

Fostering a culture that embraces proactive defences against phishing attacks is essential in reinforcing an organisation’s security posture. Building an anti-phishing behaviour management programme not only secures organisational assets but also cultivates an environment where employees feel empowered and engaged. Here are five principles to guide the development of such a programme, ensuring it resonates with leadership and becomes embraced by staff.

  • Champion education over punishment: Shift the narrative from penalising mistakes to celebrating learning opportunities. By framing security awareness training as a tool for personal and professional growth, organisations can dismantle barriers to engagement. Highlight stories of how knowledge gained through these programmes has helped individuals both within and outside work contexts—transforming potential apprehension into enthusiasm for participating.
  • Encourage leadership advocacy: Secure buy-in from top executives by demonstrating how positive reinforcement strategies align with broader business goals like reducing risk and enhancing corporate reputation. When leaders actively promote and participate in anti-phishing initiatives, their endorsement serves as a powerful motivator for wider acceptance across all levels of the organisation.
  • Personalise the learning experience: Recognise that one size does not fit all in education. Tailor training content to meet diverse learning styles and job roles within your company, as relevance breeds interest, which fosters better retention rates. Incorporating interactive elements such as gamification or real-life simulations can transform routine exercises into engaging challenges that stimulate genuine interest while reinforcing key concepts about cyber vigilance.
  • Promote open dialogue: Establish a culture where feedback on the training programme is not just encouraged but valued. Allowing participants to express their thoughts and concerns enables a cycle of continuous improvement that ensures materials remain engaging and relevant. Furthermore, creating forums for employees to share experiences with phishing attempts fosters a sense of community and collective responsibility toward safeguarding against digital threats.
  • Focus on long-term behavioural change: Instead of seeking quick fixes, aim to develop enduring security habits that require ongoing effort and reinforcement. Acknowledge and celebrate small victories as part of the journey towards a more secure mindset. This approach ensures that security awareness evolves from being seen as an external imposition to becoming an integral part of employees’ daily routines, leading to a profound cultural shift within the organisation.

By embracing these five principles, organisations can craft an anti-phishing behaviour management programme that not only addresses immediate cybersecurity threats but also fosters a lasting environment of vigilance and empowerment.

Effectiveness of Security Awareness Training

Recent studies and case analyses demonstrate measurable improvements from comprehensive security awareness programmes:

  • 40%: Proofpoint’s study on the effects of its Security Awareness platform showed that many companies experienced a decrease of up to 40% in the number of harmful links clicked by users.
  • 80%: Research indicates that security risks can be reduced by as much as 80% through effective security awareness training programmes.
  • 50%: Analysis of training effectiveness shows that half of employees report a real threat within six months of beginning training, with two-thirds reporting real threats within one year.
  • 96%: Organisations that combined monthly or more frequent security awareness training with weekly simulated phishing tests achieved a 96% improvement in their phish-prone percentage rates compared to less frequently trained groups.

Creating a Security Awareness Training Programme

Training general employees to improve an organisation’s security posture requires a different strategy from training cybersecurity experts. Users don’t have the expertise, so they need information presented to them in an engaging way that helps them visualise and understand phishing.

Your security awareness programme should include several features:

  • Threat-driven content: To optimise its effectiveness, security awareness training must be tailored to the current threat landscape, ensuring that users are prepared for real-world threats.
  • Real-time reporting: The training platform should provide real-time reporting on simulated phishing tests and real-world threats, allowing organisations to monitor their security posture and identify areas for improvement.
  • Customisable content: Advanced programmes offer a wide variety of training modules in multiple languages, enabling organisations to tailor the content to their specific needs and user demographics.
  • Adaptive learning framework: Security training programmes should utilise an adaptive learning framework that delivers security education on a progressive scale, from the basics to advanced concepts. It can further be tailored to individual factors like role, learning style, competency, vulnerability level, and language.
  • Microlearning: Training delivered in digestible modules with concise and specific learning objectives, making it easy for users to digest and retain the information.
  • Continuous improvement: A comprehensive approach to security awareness includes periodic reassessments to track progress and identify areas of concern, allowing organisations to refine their cybersecurity awareness and education plan.
  • Guided Targeted Attack Protection (TAP) Training: This advanced feature allows organisations to run targeted training programmes based on actual risks in their environment, focusing on specific threat types like email impersonation, credential phishing, and ransomware.

While some organisations assemble their own strategic approach, these fundamental features are inherent in Proofpoint’s Security Awareness Training programmes. Ultimately, how you organise and develop security training will determine its effectiveness. You need a strategy for how the content is written and organised.

An example approach is a Contextual Learning Model, which emphasises relevance, engagement, and practical application. This model moves away from strict divisions between formal, informal, and experiential learning to focus more holistically on how content can be integrated into an employee’s daily workflow and decision-making processes. Here’s how it breaks down:

  • Integrated Learning (40%): This component is incorporated into employees’ day-to-day activities. By embedding microlearning sessions directly into their workflow—such as brief quizzes after accessing certain company systems or short video tips before using specific software tools—training becomes less intrusive and more relevant.
  • Scenario-Based Engagement (30%): Instead of traditional lectures or presentations, this training relies heavily on immersive simulations and interactive scenarios that reflect real-life situations employees might face. These scenarios are designed for individual participation and to encourage team-based problem-solving exercises that foster collaboration while enhancing understanding.
  • Interactive Platforms (20%): Leveraging modern educational technology platforms can transform passive learning into active exploration. Features like gamified elements for achieving cybersecurity milestones or forums for discussing recent phishing attempts among peers create a vibrant community around cybersecurity education.
  • Reflective Practice & Feedback Loops (10%): Encouraging employees to reflect upon what they’ve learned through regular feedback mechanisms—such as surveys or discussion groups—and applying these insights in practice helps cement knowledge while identifying areas needing further clarification or reinforcement.

Proofpoint offers a full suite of products for your security awareness and training programme, from knowledge assessments and phishing simulations to interactive training, powerful reports, and easy-to-use dashboards.

Anti-Phishing Training Suite

Our customers have used our Anti-Phishing Training Suite and our Continuous Training Methodology to reduce successful phishing attacks and malware infections by up to 90%. Make our unique, four-step Assess, Educate, Reinforce, Measure approach the foundation of your phishing awareness training programme.

Simulated Phishing Attacks

Quickly and effectively assess how susceptible your employees are to phishing and spear phishing attacks with our ThreatSim® Phishing Simulations. End users who fall for simulated phishing attacks are automatically presented with a Teachable Moment. This “just-in-time” guidance lets users know what they did wrong and offers tips to help them avoid future threats.

Security Awareness Training

We recommend that your security awareness training programme include organisation-wide phishing education as well as targeted anti-phishing training. Our unique approach and interactive training modules help you deliver effective cybersecurity education in a flexible, on-demand format that minimises disruption to daily work routines.

PhishAlarm® Email Reporting Tool

Reinforcing best practices is critical to improving retention. Our PhishAlarm® email reporting tool enables end users to report a suspected phishing email with a single mouse click, reinforcing positive behaviours. Our optional PhishAlarm Analyzer email prioritisation tool maximises PhishAlarm’s capabilities and streamlines response and remediation efforts on reported emails.

4 Layers of Security

Implementing a multi-layered approach is crucial for an effective defence against cyber threats. This holistic strategy encompasses four essential layers that work together to enhance organisational security:

1. Human Layer

Often considered the first and most critical line of defence, this layer focuses on human-centric security that transforms employees into a human firewall through education about cybersecurity best practices, phishing scams, password policies, and other potential cyber risks. The human layer emphasises creating a culture of security where every team member is empowered with the knowledge to act as a vigilant protector of their organisation’s digital assets.

2. Policy Layer

This layer involves developing comprehensive security policies defining acceptable resource use, data protection guidelines, incident response plans, and more. These policies provide a framework for behaviour within the organisation and ensure clear procedures are in place for maintaining compliance with regulatory requirements and responding effectively to any breaches or incidents.

3. Technology Layer

The technology layer zeroes in on securing devices and tools integral to an organisation’s daily operations. It encompasses deploying robust antivirus software across all endpoints, ensuring that every device—a laptop, desktop, smartphone, or tablet—is fortified against malware and cyber threats. Additionally, this layer includes using secure communication tools for encrypting emails and protecting sensitive information shared online.

4. Infrastructure Layer

At this foundational level lies the backbone of an organisation’s digital environment—the networks, servers, VPNs, firewalls, and proxies that facilitate operational functionality while also posing as potential vectors for attack if left unprotected. Strengthening this layer involves meticulous configuration of network defences such as next-generation firewalls capable of deep packet inspection, deployment of VPN services for secure remote access, and rigorous monitoring and management of server security to prevent unauthorised access or data breaches.

What Differentiates Proofpoint Security Awareness

Because security awareness training works with the human element in cybersecurity, organisations must find a company that can connect with users. Proofpoint’s training is developed to empower employees, vendors, and contractors with the information needed to detect and stop phishing attacks. We differentiate ourselves using a number of factors.

  • Proven results. Security training has been shown to reduce click rates by up to 50%.
  • Real-world examples. Train employees with real-world examples so that they recognise a phishing email more effectively.
  • Better compliance. Proofpoint training improves compliance by educating users on proper auditing and record-keeping when working with customer data.
  • Engaging for users. All lessons and training courses are created to engage users so that they get the most out of their sessions.

The effectiveness and scope of Proofpoint’s security solutions provide notable capabilities in both pre- and post-threat detection and remediation, along with advanced training that leads to measurable behavioural changes in organisational security practices.

Each entry below gives the metric, the statistic, and a short description:

  • Detection Efficacy Rate: 99.99%. Proofpoint detects nearly all threats before they reach user inboxes, ensuring high security.
  • Advanced Threat Detection: 32% more effective than MSFT. Superior in identifying complex threats compared to Microsoft solutions.
  • Pre-Delivery Protection: Stops threats at the front door. Prevents threats before they are delivered, significantly reducing the risk.
  • Human Risk Insights: Identifies vulnerable, highly attacked roles. Pinpoints which individuals are targeted most frequently to focus security measures.
  • Threat Actor Activity Tracking: Provides detailed insights. Monitors and reports on specific threat actors and tactics targeting the organisation.
  • Post-Delivery Threat Remediation: 10 seconds or less. Quickly neutralises threats even after delivery, enhancing incident response.
  • Behavioural Change Impact: 40% reduction in clicks on threats. Significant decrease in risky behaviour due to effective training and simulations.
  • Global Reach: 230,000+ organisations. Proofpoint analyses 3 trillion messages annually across a vast number of organisations.

FAQs: Security Awareness Training

Is Security Awareness Training Mandatory?

The law may or may not require security awareness training, depending on your industry and where you live. All healthcare workers who handle protected health information must follow HIPAA rules, which demand a certain level of training. Likewise, companies that handle data about EU citizens have to follow GDPR rules, which include training employees on how to protect that data. Financial institutions have to follow a number of rules, such as PCI DSS for payment data handlers, SOX for publicly traded companies, and the new DORA regulation that went into effect in January 2025. Regulators are paying more attention to security awareness programmes during breach investigations, and when they impose fines, they use lack of training as proof of negligence.

How Often Should Employees Receive Security Awareness Training?

The yearly training model doesn’t work anymore in today’s threat landscape. Best practice includes basic training for new hires within 30 days, full annual refreshers to maintain compliance baselines, and quarterly microlearning modules on new threats. Monthly phishing simulations with instant feedback help employees retain what they’ve learned and identify those who need more coaching. Organisations should also use just-in-time training when employees perform risky actions or when a significant incident occurs.

What Are Some Security Awareness Training Best Practices?

Teaching hundreds or thousands of employees with different levels of cybersecurity awareness requires a strategic approach. Every organisation has its own methods, but it’s important that security awareness training is an ongoing process and that the curriculum is reviewed and updated frequently to account for changes in the cybersecurity landscape.

What Is the Main Purpose of Security Awareness Training?

Data breaches are expensive, and employees are a primary target for attackers. Training employees to detect threats minimises the risk of phishing and ransomware, thereby preventing the loss of personally identifiable information (PII), intellectual property (IP), revenue, brand reputation, and customer loyalty.

What Are the Benefits of Security Awareness Training?

Empowering employees with security knowledge reduces the risk of data breaches and provides additional benefits. Training employees to identify threats prevents downtime caused by data breaches, ensures your organisation remains compliant, and improves customer confidence in your brand. Organisations also see significant cost savings, with security awareness training delivering substantial returns on investment by preventing costly incidents. Additionally, well-trained employees become proactive defenders who can spot and report threats before they escalate into major incidents.

What Should Security Awareness Training Include?

Security awareness training materials include reading modules, videos, hands-on exercises, and testing to ensure effectiveness. An organisation’s user base informs the format of its security awareness training programme, which must be freely accessible to all. Effective programmes cover core topics like phishing recognition, password security, social engineering tactics, and incident reporting procedures. Modern training should also incorporate real-world scenarios and simulated attacks to help employees practise their skills in safe environments.

How Effective Is Security Awareness Training?

Security awareness training is so effective that it’s now a compliance requirement for the EU’s GDPR. Through the years, organisations have seen a sharp decline in data breaches due to better cybersecurity education. Research consistently shows that organisations with comprehensive training programmes experience significantly fewer successful phishing attacks than those without proper education. The most successful programmes combine regular training with ongoing phishing simulations to maintain high awareness levels and quick threat recognition among employees.

What Are the Most Important Security Awareness Training Topics?

Any security awareness training should cover common topics such as phishing, password protection, safe social media usage, social engineering, physical security, public Wi-Fi safety, and guidance on working remotely. Your organisation should tailor training to cover the threats that pose the biggest risk to its own cybersecurity.

How Much Does Security Awareness Training Cost?

Every organisation has its own cybersecurity strategy and number of employees, and some employees need more training than others. Proofpoint customises training material specifically to your cybersecurity needs. Contact us for pricing on your own security awareness training. If you’re interested in trying us out, request your free security awareness training trial today!

Ready to Give Proofpoint a Try?

Start with a free Proofpoint trial.