Why training works and where organizations still fall short
Security awareness training is now a measurable control for reducing cyber risk. A recent report conducted by Fortinet, based on responses from 1,850 senior IT and security leaders worldwide, shows clear progress and where organizations are still exposed.
Below are the most important takeaways:
AI is raising awareness but employee readiness is still uneven
AI-driven threats have changed how employees and leaders think about cybersecurity. Nearly nine in 10 organizations say attackers’ use of AI has increased employee awareness of why security training matters. But awareness is not the same as readiness. Only about 40% of leaders say their employees are truly prepared to identify, avoid, and report AI-based cyberthreats.
Most organizations are responding by training employees on the proper use of generative AI (GenAI) tools, monitoring or restricting sensitive data sharing, and implementing formal AI security policies. Nearly all respondents say they already have, or are actively implementing, security policies for AI and large language model (LLM) tools. The direction is clear. The gap is execution and consistency.
External threats still drive adoption but insider risk is rising fast
External threats, past breaches, and industry incidents remain the top reasons organizations invest in security awareness training. More than 40% of respondents cite these factors as the primary driver. What has changed is the rise in concern about internal risk. More than a quarter of organizations now point to insider risk as a reason for adopting training, a sharp increase from last year.

Training priorities reflect this shift. While data security and data privacy remain the top topics, AI-based tools and threats are close behind. This alignment matters. It shows that organizations are starting to connect real-world risk with what employees are taught, rather than treating training as generic compliance content.
Security awareness training reduces incidents and organizations can prove it
One of the strongest findings in the report is that training works. Sixty-seven percent of organizations report moderate or significant reductions in intrusions, incidents, and breaches after implementing security awareness and training.
Measurement practices are also maturing. The most common indicators include reduced security incidents, employee feedback, and security audits. Many organizations now combine in-person and computer-based training with simulations, assessments, and ongoing reinforcement. This reflects a shift away from one-time training toward programs designed to change behavior and reduce risk over time.
Completion rates and consistency remain the weak points
Despite better measurement and better results, most organizations still struggle with follow-through. Only a small percentage report full training completion. At the same time, nearly seven in 10 leaders say employees still lack sufficient security awareness.
This helps explain the gap between investment and outcomes. Training that is not completed, not reinforced, or not kept current as the threat landscape changes cannot deliver its full value. The report points to practical improvements: shorter and more frequent training modules, clearer accountability for completion, better alignment between content and current threats, and visible leadership support. Additionally, the need for regular micro training is becoming more important to keep up with the advancements in AI.
Security awareness is becoming cultural, not just procedural
Most leaders now see security awareness as a shared responsibility across the organization, not just an IT or security function. Nearly all are also open to using policy to manage high-risk behavior, especially when it is paired with training that explains the rationale behind those policies.
This is an important shift. Effective security awareness training is not just about passing a test. It is about shaping daily decisions, reinforcing good behavior, and reducing risk where work actually happens.
What this means for 2026 and beyond
The data is straightforward. Security awareness training reduces incidents. And organizations that invest in it and measure it see real results. But AI is accelerating both attacker capabilities and business adoption. At the same time, insider risk is growing. And too many programs still lose impact because of low completion rates or outdated content.
To be effective, training has to be continuous, relevant, and treated as a core risk management control, not a side project.