Human vulnerabilities, leading to human failures, were responsible for more than two thirds of data breaches (68%) in 2024. The failures were not malicious or deliberate. Instead, they resulted from employees falling victim to phishing schemes and other social engineering attacks, and making human errors that affected company security. These two top examples of human security risk were spotlighted in Verizon’s 2024 Data Breach Investigations Report.
Cybersecurity tools and technologies have evolved to their most effective levels ever. So it’s no surprise that cybercriminals have turned increasingly to the weakest link in the security chain by exploiting our human vulnerabilities. Fortunately, that link is gradually being strengthened thanks to more effective management of human security risk, including regular cybersecurity training.
Each year in October, the Cybersecurity Attitudes & Behaviors Report is published, based on a survey of online behaviors and attitudes conducted by the National Cybersecurity Alliance and CybSafe. The 2024 survey included more than 7,000 adults in the United States, Canada, United Kingdom, Germany, Australia, New Zealand, and India.
The 2024 report revealed that, across the board, 50% of employees are now required to participate in annual cybersecurity training and another 25% are required to undergo more frequent security training. And thanks to training, specific human security risks were reduced between 2023 and 2024.
Speaking of phishing, survey results revealed that two thirds (66%) of employees who use Artificial Intelligence-powered applications are worried about the impact of AI apps on cybercrime. A specific concern is that AI-powered phishing messages may be more sophisticated than human-generated messaging, and therefore more difficult for employees to detect and thwart.
As regular cybersecurity training continues to be adopted as a best practice among organizations throughout the U.S. and globally, many employees are exhibiting more responsible security behaviors, and human security risk is being reduced.
Expert trainers and company executives agree on ways to make training more effective. First, employees must clearly understand their role in cybersecurity, and how their behavior contributes to the overall security of the data and other assets the organization is responsible for safekeeping. They should appreciate the importance of online safeguards in maintaining good relationships with clients, partners, investors, and other stakeholders.
Your employees must also understand the variety of cyber risks and attacks that can occur, and they should be able to define phishing, hacking, ransomware, and other common threats. They also need to be trained in what action to take if they suspect something is not quite right. In addition, they must be kept aware of your organization's policies and procedures in the area of information security and IT, including escalation procedures, contingency plans, and more.
Having well-documented procedures is not only a security best practice but also aids in effective training. Many employees feel disconnected from the primary missions of their organizations, and group training is a proven way to bring them into the fold. Explain the cybersecurity mission and why they should care about it, and how they benefit from supporting it. But avoid technospeak in favor of using simple terms. Break down security behaviors to easy concepts and simple steps to promote adoption. Continuously communicate, engage, train, remind, rinse, and repeat.
To keep training fresh and current, or to supplement in-house training resources, engage third-party training and cybersecurity consulting expertise several times a year. And consider how your organization can benefit from the services of a Virtual Chief Information Security Officer in leading and promoting effective cybersecurity training and a company culture of security.
Finally, a mix of educational formats should be employed to keep training engaging, easy to remember, and easy to apply. These formats include classroom training, webinars, white papers and blogs, online self-paced training, train-the-trainer classes, newsletters, and regular email reminders and quizzes. Retention of cybersecurity training content among employees should also be evaluated periodically, with adjustments made as needed.
How Mature is Employee Security Awareness in Your Organization?
The SANS Institute was “launched in 1989 as a cooperative for information security thought leadership” and today is a globally recognized cybersecurity training resource. SANS helps organizations reduce cyber risk by providing their cybersecurity professionals with training, certifications, educational degrees, and more in order to “empower cybersecurity professionals with the practical skills and knowledge they need to make our world a safer place.”
SANS believes that the key to effectively managing human risk is establishing a mature security awareness program: one that actively manages and measures your human risk and takes a structured approach to changing the security behaviors of your workforce.
The Institute has mapped out five stages of cybersecurity maturity in their patented SANS Security Awareness Maturity Model, first introduced in 2011. Following are overviews of the five stages. All organizations should aspire to Stage 3 as a minimum sustainable environment, with advancement to Stage 4 targeted as a next step.
Stage 1 – Zero Security Awareness
Your employees have little knowledge of cybercrime and don’t realize how easily they can become victims of hackers, phishers, and other scammers. Nor do they know what to do if they are targeted. That’s because you have no security awareness program. Employees don’t understand that their actions can directly affect the organization’s security, or exactly how. There are no tracking metrics, and no thought has been given to how your organization can evolve its security awareness.
Stage 2 – Compliance-Focused Security
Although you have a security program in place, it is designed to meet specific compliance or audit requirements only. Training frequency is limited to annually or ad hoc. Most non-IT employees remain unclear about organizational security policies and their role in protecting information assets. Although the program meets legal compliance requirements, the organization remains highly vulnerable to breaches because you are not effectively addressing human security risk.
Stage 3 – Promoting Awareness and Behavior Change
Your program has identified the top human vulnerabilities and focuses on the target groups and training topics that are most effective in keeping the organization secure. The program goes beyond sporadic or annual training in favor of regular, ongoing engagement. Training content encourages employee behavior changes at work and home and is communicated effectively. Employees understand and follow organizational policies and actively recognize, prevent, and report incidents. Your organization meets its compliance requirements and can effectively manage and measure its human risk.
Stage 4 – Long-term Sustainment and Culture Change
At this level of maturity, your cybersecurity awareness program is not just a part of operations but is woven into the fabric of your organizational culture. It has the processes, resources, and leadership support necessary to be self-sustaining.
You constantly evaluate emerging and changing technologies, threats, business requirements, and standards to ensure the program remains dynamic and continuously evolving. And you conduct regular surveys and assessments to determine the current state of security awareness and associated behaviors in the organization. The program goes beyond simply modifying behaviors to directly influence employee beliefs, attitudes, and perceptions about security. In doing so, it furthers the types of changes documented in the latest Cybersecurity Attitudes & Behaviors Report referenced earlier in this post.
Your organization easily meets compliance requirements, manages its human risk, and has developed a strong security-driven culture that enables and promotes the success of all other security initiatives in a virtuous cycle. Through regular outreach and communication efforts, security has been built into almost all operational aspects of your organization.
Stage 5 – Metrics Framework
This stage is the final evolutionary benchmark in the SANS model. Your security awareness program’s robust metrics framework is fully aligned with the organization’s mission, tracks progress, and measures impact for continuous improvement. Beyond measuring behavior and culture, you are focused on how these changes reduce risk and support company leadership in achieving strategic priorities.
Your program easily demonstrates ROI and value to your organization. And while metrics are important at every step, Stage 5 emphasizes that a mature program can and must demonstrate a tangible, measurable impact on employee security awareness—ultimately leading to improved cybersecurity and reduced human vulnerabilities in your organization.
Cybersecurity awareness is fundamental to achieving effective protections for data assets by reducing human vulnerabilities to cybercrime. However, organizations vary widely in their security awareness levels. Regular cybersecurity training is resulting in more productive security behaviors among employees, including their ability to recognize phishing emails that often lead to costly ransomware exploits. Cybersecurity training is available through many qualified resources, from professional third-party training and consulting firms to institutes such as SANS. In addition, SANS offers a roadmap for organizations to develop more mature security awareness programs that engage all employees, measurably change attitudes and behaviors, and effectively reduce the human vulnerabilities that lead to security failures.