In broad terms, you could think of security awareness training as making sure that individuals understand and follow certain practices to help ensure the security of an organisation. From this perspective, security awareness training has been around practically forever, especially when you consider the need for security in military applications.

Today, security awareness training emphasises information security, and especially cybersecurity. Rapid advances in information technology — and parallel innovations by cybercriminals — mean that employees and other end users need regular, specific training on how to stay safe online and protect their information and that of their employers.

This article is an introduction to security awareness training and its importance: why organisations use it, how it has evolved over the years, and how it helps to reduce the threat of cyberattacks and other security breaches. Finally, we’ll introduce some tools for creating an effective security awareness programme.

Cybersecurity Education and Training Begins Here

Here’s how your free trial works:

  • Meet with our cybersecurity experts to assess your environment and identify your threat risk exposure
  • Within 24 hours and minimal configuration, we’ll deploy our solutions for 30 days
  • Experience our technology in action!
  • Receive report outlining your security vulnerabilities to help you take immediate action against cybersecurity attacks

Fill out this form to request a meeting with our cybersecurity experts.

Thank you for your submission.

Why Do Organisations Conduct Security Awareness Training?

Cybersecurity awareness training has a critical role to play in minimising the serious cybersecurity threats posed to end users by phishing attacks and social engineering. Key training topics typically include password protection, management, privacy, email/phishing security, web/internet security, and physical and office security.

There’s also a business case to be made for security awareness training, as explored in the Aberdeen Group’s report, Security Awareness Training: Small Investment, Large Reduction in Risk. The researchers conducted a workshop with enterprise security leaders to find out why they invest in security awareness and training. They found that:

  • 91% use security awareness to reduce cybersecurity risk related to user behaviour.
  • 64% use it to change user behaviour.
  • 61% use it to address regulatory requirements.
  • 55% use it to comply with internal policies.


why conduct security awareness training


As these statistics suggest, some organisations use security awareness training simply because they must, in order to comply with external or internal requirements. But this training also makes financial sense, according to the report: “an incremental investment in security awareness training results in a median reduction in the annualised risk of phishing attacks of about 50%, and a median annual return on investment of about 5 times”.

The Evolution of Security Awareness Training

While the core concepts of cybersecurity awareness training aren’t new, it has reached mainstream consciousness relatively recently. One indication of its emergence was the 2004 launch of National Cyber Security Awareness Month. The initiative, by the National Cyber Security Alliance and US Department of Homeland Security, was intended to help people stay safer and more secure online, encouraging such practices as the regular updating of antivirus software.

Since then, the annual awareness month has inspired similar events in other countries, expanded its themes and content, and drawn increased participation across industries and government, as well as universities, nonprofits, and the general public.


evolution of security awareness training


The focus, methods, and effectiveness of security awareness training have undergone significant changes over the years. Back in 2004, most programmes were driven by the need for compliance — simply meeting regulatory requirements. Today, that focus has shifted to seeing cybersecurity awareness training as a means to manage and mitigate organisational risk.

Along the way, training methods themselves have matured. In 2004, the dominant paradigm was for annual presentations, either as in-person training sessions or long-form computer-based training. Unfortunately, these lengthy, infrequent sessions do not result in good knowledge retention. A gradual shift toward short, focused training on individual topics represented an improvement, but these trainings were still presented infrequently, which allows knowledge to dissipate over time.

Around 2014, security awareness training began shifting toward continuous education and improvement, in which a programme includes ongoing cycles of assessments and training. The latest developments have been “just-in-time” and in-context training, which adds the ability to launch training in response to an end user exhibiting poor cybersecurity behaviour, such as unsafe web browsing.

Tools for Training End Users

Today, infosec professionals use a variety of tools to train end users, as can be seen in our State of the Phish™ Report. The dominant tool — and one that continues to grow in popularity — is computer-based awareness training.

  • 79% use computer-based awareness training.
  • 68% use phishing simulation exercises.
  • 46% use awareness campaigns (videos and posters).
  • 45% use in-person security awareness training.
  • 38% use monthly notifications or newsletters.

Well-designed training programmes often make use of several of these tools. Equally important is to deploy these tools in a systematic, methodical way that allows you to track and measure progress over time.


Tools for Training End Users


Our highly effective training solutions utilise our Continuous Training Methodology, designed with Learning Science Principles to engage the learner and change behaviour.

The way we employ Learning Science Principles was proven to be effective through research performed at Carnegie Mellon University.

Effectiveness of Security Awareness Training

Our own case studies and Results Snapshots have shown persuasive results:


Over a two-year period, a financial institution recorded a 95% reduction in malware and viruses, and a greater awareness of cybersecurity threats.


A college in the Northeastern US reported a significant reduction in malware and viruses, a 90% reduction in successful phishing attacks, significantly fewer support requests, an increase in the number of users reporting incidents and attacks, and a greater awareness of security issues.


An employee benefits organisation realised more than an 89% reduction in phishing susceptibility utilising our assessment and education modules as core components of their security awareness and training programme.


Security awareness training helped city government employees reduce average click rates by 80% in one year and avoid a sophisticated wire transfer fraud attack.

Creating a Security Awareness Training Programme

Training employees versus cybersecurity experts takes a unique strategy. Users are not cybersecurity experts, so they need information given to them in an engaging way that helps them visualise and understand phishing.

Your security awareness programme should have several features:

  • Content: The content should be easily digestible and understandable for a general audience and provide information in an organised way such as chapters and lessons.
  • Executive support: Executives are responsible for ensuring users follow procedures, so training material should have content that can be distributed across departments.
  • Frequent programme updates: The cybersecurity landscape changes, so the programme content should also change. Every year content should be reviewed and refreshed to cover the latest threats.
  • Testing: Testing users with real-world phishing emails and social engineering scenarios will help them identify threats. The example exercises should mimic real-world attacks.
  • Reporting: Integrated with tests, reporting will tell administrators who clicked links and submitted sensitive data. The reports will identify employees who need additional training.
  • Surveys: After training, send survey questions to managers, executives, and staff members so that they can provide feedback for improvements.

The way you organise and develop security training will determine its effectiveness. You need a strategy for the way content is written and organised. An example model for development:

  • 10% formal: Although it’s corporate training, formal content should be the least sections in your training material. Formal content can be difficult to read or hard to digest, but it can be important for specific facts and examples.
  • 20% informal: Informal content such as webinars, videos, and collaborations better engage users. This content should not be a majority of training sources, but it can be more than formal to help users better understand concepts.
  • 70% real experience: Content in this section should be customised to fit the organisation’s culture and experience. This type of content is usually developed by a third party so that all staff members get the most out of the training.

The content included in training material should be information, but it should also be for people who have never experienced a phishing attack. It should cater to beginners even if you have some people who are much more educated on the subject. It should be engaging enough that users want to dig further into details and learn more. Training is for people to build a skill, and this skill is detecting phishing and social engineering for users who are unaware of the many ways attackers create campaigns against businesses. They can even learn to protect their personal accounts from phishing and social engineering, so users get additional benefits from corporate security training.

Proofpoint offers a full suite of products for your security awareness and training programme: from knowledge assessments and phishing simulations to interactive training, powerful reports, and easy-to-use dashboards.

Anti-Phishing Training Suite

Anti-Phishing Training Suite

Our customers have used our Anti-Phishing Training Suite and our Continuous Training Methodology to reduce successful phishing attacks and malware infections by up to 90%. Make our unique, four-step Assess, Educate, Reinforce, Measure approach the foundation of your phishing awareness training programme.

Simulated Phishing Attacks

Simulated Phishing Attacks

Quickly and effectively assess how susceptible your employees are to phishing and spear phishing attacks with our ThreatSim® Phishing Simulations. End users who fall for simulated phishing attacks are automatically presented with a Teachable Moment. This “just-in-time” guidance lets users know what they did wrong and offers tips to help them avoid future threats.

Security Awareness Training

Security Awareness Training

We recommend that your security awareness training programme include organisation-wide phishing education as well as targeted anti-phishing training. Our unique approach and interactive training modules help you deliver effective cybersecurity education in a flexible, on-demand format that minimises disruption to daily work routines.

PhishAlarm® Email Reporting Tool

PhishAlarm Email Reporting Tool

Reinforcing best practices is critical to improving retention. Our PhishAlarm® email reporting tool enables end users to report a suspected phishing email with a single mouse click, reinforcing positive behaviours. Our optional PhishAlarm Analyzer email prioritisation tool maximises PhishAlarm’s capabilities and streamlines response and remediation efforts on reported emails.

What Makes Proofpoint Security Awareness Different

Because security awareness training works with the human element in cybersecurity, it’s important for organisations to find a company that can connect with users. Proofpoint’s training is developed to empower employees, vendors, and contractors with the information needed to detect and stop phishing attacks. We differentiate ourselves using a number of factors.

  • Proven results. Security training has shown to reduce click rates by up to 50%.
  • Real-world examples. Train employees with real-world examples so that they recognise a phishing email more effectively.
  • Better compliance. Proofpoint training improves compliance by educating users on proper auditing and record keeping when working with customer data.
  • Engaging for users. All lessons and training courses are created to engage users so that they get the most out of their sessions.

FAQs: Security Awareness Training

What Is Security Awareness Training?

Security awareness training is a corporate-wide initiative to help employees identify and avoid cyber-threats in the workplace. It’s a component in effective cybersecurity to stop human errors and insider threats from causing data breaches.

What Are Some Security Awareness Training Best Practices?

Teaching hundreds or thousands of employees with different cybersecurity awareness levels requires a strategic approach. Every organisation has their own methods, but it’s important that security awareness training is an ongoing process and curriculum is reviewed and updated frequently to account for changes in the cybersecurity landscape.

What Is the Main Purpose of Security Awareness Training?

Data breaches are expensive, and employees are primary risks for targeted threats. Training employees to detect threats minimises risk of phishing and ransomware, thus prevents loss of personally identifiable information (PII), intellectual property (IP), revenue, brand reputation, and customer loyalty.

What Are the Benefits of Security Awareness Training?

Empowering employees with security knowledge reduces risk of data breaches, and provides additional benefits. Training employees to identify threats prevents downtime from data breaches, ensures that your organisation stays compliant, and improves customer confidence in your brand.

What Should Security Awareness Training Include?

Security awareness training materials include reading modules, videos, on-hand exercises, and testing to ensure effectiveness. The way an organisation formats a security awareness training programme is unique to their user base, but should be freely accessible to anyone.

How Effective Is Security Awareness Training?

Security awareness training is so effective that it’s now a compliance requirement for the EU’s GDPR. Through the years, organisations have seen a sharp decline in data breaches due to better cybersecurity education.

What Are the Most Important Security Awareness Training Topics?

Any security awareness training should cover common topics such as phishing, password protection, safe social media usage, social engineering, physical security, public Wi-Fi safety, and guidance on working remotely. Your organisation should tailor training to cover the biggest threats to your organisation's cybersecurity.

How Much Does Security Awareness Training Cost?

Every organisation has their own cybersecurity strategy and number of employees. Some employees need more training than others. Proofpoint customises training material specifically towards your cybersecurity needs. Contact us for pricing of your own security awareness training. If you’re interested in trying us out, request your free security awareness training trial today!