Security awareness training reduces cyber incidents

12 Apr 2026 • 12:04 AM MYT
The Manila Times

NOW it can be said. Security awareness training cuts cyber threats and risks by 67 percent.

According to the 2025 Security Awareness and Training Global Research Report, cybersecurity training is no longer a compliance exercise. It is now a measure for reducing cyber incidents. It also shows where organizations are still exposed to threats, including AI-driven risks.

Here are the most important takeaways for security and risk leaders.

AI raises awareness

Nearly nine in 10 organizations say attackers’ use of AI has increased employee awareness of why security training matters. Most organizations are responding by training employees on the proper use of generative AI (GenAI) tools and implementing formal AI security policies.

But awareness is not the same as readiness. Only about 40 percent of leaders say their employees are truly prepared to identify, avoid and report AI-based cyberthreats.

The direction is clear. The gap is execution and consistency.

Insider risk is rising

More than 40 percent of respondents cite external threats, past breaches and industry incidents as the top reasons why organizations invest in security awareness training. What has changed is the rise in concern about internal risk. More than a quarter of organizations now point to insider risk as a reason for adopting training, a sharp increase from last year.

Training priorities reflect this shift. While data security and data privacy remain the top topics, AI-based tools and threats are not far behind. This shows that organizations are starting to connect real-world risk with what employees are taught, rather than treating training as generic compliance content.

Training delivers measurable results

One of the strongest findings in the report is that training works. Sixty-seven percent of organizations report moderate or significant reductions in intrusions, incidents and breaches after implementing security awareness and training.

Measurement practices are also maturing. The most common indicators include reduced security incidents, employee feedback and security audits. Many organizations now combine in-person and computer-based training with simulations, assessments and ongoing reinforcement. This reflects a shift away from one-time training toward programs designed to change behavior and reduce risk over time.

Completion rates, consistency remain weak points

Despite better measurement and better results, most organizations still struggle with follow-through. Only a small percentage report full training completion. At the same time, nearly seven in 10 leaders say employees still lack sufficient security awareness.

This helps explain the gap between investment and outcomes. Training that is not completed, not reinforced or not kept current as the threat landscape changes cannot deliver its full value. The report points to practical improvements: shorter and more frequent training modules, clearer accountability for completion and visible leadership support. Additionally, the need for regular microtraining is becoming more important to keep up with advancements in AI.

Security awareness is cultural, not procedural

Most leaders currently see security awareness as a shared responsibility across the organization, not just an IT or security function. Nearly all are also open to using policy to manage high-risk behavior, especially when it is paired with training that explains the rationale behind those policies.

This is an important shift. Effective security awareness training is not just about passing a test. It is about shaping daily decisions, reinforcing good behavior and reducing risk where work actually happens.

Full steam ahead

The data is straightforward. Security awareness training reduces cybersecurity incidents, and organizations can measure it to see real results.

But AI is accelerating both attacker capabilities and business adoption. At the same time, insider risk is a growing issue. To be effective, training has to be continuous, relevant and treated as a core risk management control, not a side project.

Fortinet Training helps build a more resilient workforce with programs designed to improve employee readiness and strengthen the cybersecurity posture of organizations.