A new report on security awareness and training has found that organisations are making progress toward stronger cyber resilience, though significant gaps still remain in employee readiness, training completion, and consistency in security practices.
According to the Fortinet 2025 Security Awareness and Training Global Research Report, security awareness training is evolving from a routine compliance activity into a measurable control that helps reduce cyber risk. The report highlights several key trends shaping the current cybersecurity landscape.
AI increases awareness, but readiness remains uneven
The growing use of artificial intelligence by cyber attackers has significantly influenced how organisations view cybersecurity. Nearly nine in 10 organisations reported that attackers’ use of AI has increased employee awareness about the importance of security training. However, awareness has not translated into full preparedness.
Only about 40 per cent of leaders believe their employees are truly ready to identify, avoid, and report AI-based cyber threats. In response, many organisations are training employees on the responsible use of generative AI tools, monitoring or restricting sensitive data sharing, and introducing formal AI security policies. Nearly all respondents reported that they either already have, or are in the process of implementing, policies governing AI and large language model tools, though consistency and execution remain key challenges.
External threats drive adoption, insider risks rising
External threats, past breaches, and industry-wide incidents remain the primary drivers behind investments in security awareness training. More than 40 per cent of respondents cited these factors as their main motivation.
At the same time, concerns about insider risk are increasing rapidly. More than a quarter of organisations now identify insider risk as a key reason for adopting training programmes, marking a sharp rise compared to the previous year.
Training priorities are also shifting in response. While data security and data privacy continue to be the top focus areas, topics related to AI-based tools and threats are gaining attention. This shift reflects a growing effort by organisations to align training content with real-world risks rather than treating it as a generic compliance exercise.
Training programmes show measurable impact
One of the strongest findings of the report is the measurable impact of training programmes. Around 67 per cent of organisations reported moderate to significant reductions in intrusions, security incidents, and breaches after implementing security awareness and training initiatives.
Measurement practices are also becoming more sophisticated. Organisations increasingly track outcomes through indicators such as reduced incidents, employee feedback, and security audits. Many are combining in-person and computer-based training with simulations, assessments, and ongoing reinforcement, reflecting a shift from one-time sessions to continuous behaviour-focused programmes.
Completion rates and consistency remain challenges
Despite improved measurement and results, many organisations continue to struggle with training completion and consistency. Only a small proportion of organisations report full training completion rates.
At the same time, nearly seven in 10 leaders believe employees still lack sufficient security awareness. The report notes that incomplete training, lack of reinforcement, and outdated content limit the effectiveness of many programmes.
Suggested improvements include shorter and more frequent training modules, clearer accountability for completion, stronger alignment between training content and evolving threats, and visible leadership support. The report also highlights the increasing importance of regular micro-training to keep pace with rapid developments in AI-driven threats.
Security awareness becoming a cultural priority
The report also indicates a shift in how organisations view cybersecurity awareness. Many leaders now see it as a shared responsibility across the organisation rather than a function limited to IT or security teams.
Nearly all respondents indicated openness to using policy measures to manage high-risk behaviour, particularly when those policies are supported by training that explains the reasoning behind them. The shift signals a broader move toward embedding security awareness into everyday workplace culture.
Looking ahead
The report concludes that security awareness training clearly reduces cyber incidents, especially when organisations invest in continuous learning and effective measurement. However, the rapid growth of AI capabilities, increasing insider risks, and inconsistent training participation continue to pose challenges.
As organisations expand their use of digital technologies, maintaining continuous, relevant training programmes will be critical for managing cyber risk effectively.
India’s rapid digitisation is also reshaping industries, government services, and everyday life. Even as organisations accelerate the adoption of cloud technologies, AI, and digital platforms, the human element remains a central pillar of cybersecurity.
