[Updated September 2025] Security Awareness Training Statistics
Discover the latest security awareness training statistics. This blog offers a concise overview of the most recent data relevant to phishing awareness training, crucial for shaping your organization's cyber security training efforts.
What are the most recent phishing awareness training statistics in 2025? This blog post will delve into the most recent statistics on security awareness training. These insights will be invaluable as you strategize the content for your organization's cyber security awareness training program.
In 2025, inadequate security awareness training has been linked to significant cybersecurity risks.
These incidents highlight the critical importance of comprehensive security awareness training to mitigate financial losses, operational disruptions, and reputational harm.
Let's explore some key cyber security awareness training statistics:
Cyber Security Awareness Training Statistics
These cyber security awareness training statistics highlight both the effectiveness of training programs and the risks:
Dramatic Risk Reduction with Cyber Security Awareness Training

- Cyber security awareness training led to a 70% reduction in security-related risks in 2023. This fact underscores the significant impact that comprehensive training has on an organization's overall security posture.
- 92% of employees state that workplace training positively impacts their engagement and commitment to their roles (Source: Axonify's "State of Workplace Training" study).
High Return on Investment from Security Awareness Programs

- Investing in cyber security awareness training for employees transcends mere expenditure; it is a strategic investment yielding more than triple the return. With potential losses amounting to $177,708 being saved, these programs demonstrate a significant return on investment. This impressive ROI underscores the financial advantages and the crucial role these programs play in bolstering an organization's cybersecurity defenses.
- 70% of skills are developed informally while working, with just 10% coming from formal training initiatives (Source: Blossom Learning).
Trained Users Show Greater Caution with Phishing Links

- Behavioral Impact - users who have undergone phishing awareness training are 30% less likely to click on a phishing link. This reduction demonstrates the effectiveness of training in altering employee behavior towards more secure practices.
- A notable 68% of employees prefer to complete training at their workplace, demonstrating that on-site programs align with employee preferences (Source: Research.com).
Cybersecurity Experts Advocate for a Dual Focus on Humans and Technology

- 93% of cybersecurity experts agree that a dual focus on human and technological aspects is essential to detect and respond to cyber threats effectively. This consensus supports integrating human-focused security awareness training with technical defenses.
- 76% of employees are more likely to stay with an employer that provides continuous training opportunities, emphasizing the importance of fostering a culture of learning (Source: SHRM).
Efforts to Measure the Effectiveness of Security Awareness Training Programs Often Face Challenges

- While the main goal for a significant majority (84%) of these programs is to bring about measurable changes in employee behavior, less than half (43%) consistently track these behavioral shifts.
- Providing meaningful development opportunities, such as security awareness training, can greatly improve employee retention, with 94% stating they would stay longer at organizations investing in their development (Source: LinkedIn Learning Report).
The Challenge of Reporting Phishing Emails

Only 3% of users report phishing emails to their management. This low reporting rate highlights response processes as a critical area for security awareness training.
Traditional Security Awareness is Dead!

Despite 70% of individuals recognizing the risks of unknown links in emails, many click on them anyway. This gap between knowledge and action points to the need for more effective awareness training focused on building a security culture.
Employee Vulnerability to Phishing Websites

1 in 8 employees shares information with phishing websites. This statistic reveals a significant vulnerability that can be mitigated through comprehensive and regular phishing awareness training.
Significant Reduction in Security Incidents with Regular Training

Companies that consistently engage in security awareness training experience a remarkable 70% reduction in security incidents. This statistic strongly advocates for regularly implementing security training programs within organizations.
Enhanced Phishing Awareness Through Training

Security awareness training has been shown to improve phishing awareness by an estimated 40%. This enhancement in recognizing phishing attempts is crucial in the current landscape of cyber threats.
Lack of Security Training in Many Organizations

45% of employees report receiving no security training whatsoever from their employers. This statistic highlights a significant oversight in many organizations' approach to cybersecurity.
Anti-Phishing Training: Not as Widespread as Expected

Only about half (52%) of organizations conduct anti-phishing training. The prevalence of phishing attacks points to a need for more widespread training initiatives in this area.
Ransomware-Focused Security Training: Still Not a Standard Practice

Over 30% of organizations offer ransomware-focused security training. This low percentage is concerning, considering the growing threat of ransomware attacks in the digital landscape.
According to G2, the best mitigation strategy to stop ransomware is to invest in heavy malware defense mechanisms and train employees accordingly to spot threat patterns.
Social Engineering Training: Not Yet a Common Practice

Only a quarter of companies provide their employees with training in social engineering. This form of training is crucial for helping employees recognize and respond to more subtle and manipulative cyber threats.
Basic Email Security Training: A Neglected Necessity

- 55% of companies have yet to provide even basic email security training. This lack of fundamental training leaves many employees vulnerable to common email-based threats.
- Organizations that provide the necessary training see a 17% productivity increase as employees become more equipped to address challenges (Source: Gallup’s State of the Global Workplace report).
- Learning Management Systems (LMS) are utilized by 40% of Fortune 500 companies to deliver effective employee training, including critical programs like security awareness training, helping organizations maintain a competitive advantage (Source: Finances Online).
- With skills evolving rapidly—25% since 2015 and expected to shift by 50% by 2027—upskilling in areas like security awareness training is essential, as 89% of Learning and Development professionals emphasize its importance for future readiness (Source: LinkedIn).
Insufficient Security Awareness Training in Most Companies

62% of companies do not provide enough security awareness training to reap significant benefits. This indicates a widespread issue where the frequency or quality of training is inadequate to mitigate cyber risks effectively.
Additional Security Awareness Training Statistics 2025
- Only 7.5% of organizations report having adaptive training programs based on regular security awareness test results.
- Nearly a fifth (18%) of employees have never received cybersecurity training.
- 67% of decision makers say employees lack basic security awareness.
- 49% of US senior tech leaders rely on employee quiz results to measure training effectiveness.
- 39.3% of employees reported that the IT security awareness training provided by their organizations is not up-to-date, particularly concerning the capabilities needed to combat AI-powered cyberattacks.
- 45% of IT leaders recommend ongoing security training to strengthen employee password practices and overall awareness.
- 31% of organizations reported that human resource constraints kept them from rolling out security awareness and training programs.
- 41% of US senior technology leaders say IT provides occasional input in developing or selecting security training material.
- 62% of organizations expect employees to be targeted by more cyberattacks in the future due to the malicious use of AI by threat actors.
- 37% of security professionals cite insufficient employee training and awareness as the largest perceived driver of insider threat activity.
- Only 10% of employees are responsible for nearly three-quarters (73%) of all risky behavior.
- 34% of decision-makers believe that dedicating 1.1 to 2 hours is a sufficient amount of time for employees to spend on security awareness and training.
- 51% of employees have not received any training on how to avoid phishing scams.
- Over half of IT professionals (52.3%) said that users tend to ignore or delete identified email threats without properly reporting them.
- 71% of new hires are more likely to click on phishing links within their first 90 days of employment.
- New hires were 45% more likely than experienced staff to click on phishing emails that impersonated the CEO.
- Employees under tight deadlines are three times more likely to click phishing emails.
- 53% of US senior tech leaders say employees are the least prepared to handle phishing threats.
- Identity-driven attacks have increased by a staggering 156% between 2024 and Q1 2025.
- Identity-based attacks accounted for 60% of all Incident Response (IR) cases.
- 68% of IT managers say employee motivation is the biggest challenge in remediating at-risk credentials.
- Over a third (36%) of employees using personal devices for work admitted to postponing security updates.
- Phishing attempts account for almost two-thirds of identity-related incidents.
- 28% of IT leaders cited compromised credentials as the leading cause of insider threats.
- Compromised privileged identities accounted for 33% of security incidents in 2024.
- 90% of identity breaches are caused by phishing or credential stuffing.
- 20% of identity compromises are attributed to cloud applications and APIs.
- 21% of employees intentionally accessed data through unauthorized devices.
- 55% of incidents originate from negligent or mistaken insiders, costing organizations $8.8M annually.
- There has been a 28% average increase in the number of insider-driven events since 2021.
- 91% of information security leaders believe employees are likely to exfiltrate corporate data by accessing cloud systems.
- 70% of cybersecurity professionals are concerned about insider risks in hybrid work environments.
- Studies show that ongoing security awareness training can reduce the risk of employee-driven cyber incidents by up to 72%.
- Organizations that implement a security awareness program see a significant drop in phishing susceptibility. 90 days of training can reduce risk by over 40%.
- 89% of security leaders report improvements to their organization’s security posture after implementing security awareness and training.
- Effective security awareness training reduces the likelihood of a breach by 65%.
The Importance of Security Awareness Training for a Strong Security Culture
Global experts concur that establishing a robust security culture is essential for any organization aiming to minimize insider risks, stop cyberattacks, and prevent data breaches. The UK Centre for the Protection of National Infrastructure highlights several key benefits of a strong security culture:
- Engaged and Responsible Workforce: Employees are more likely to engage with and take responsibility for security issues.
- Enhanced Compliance with Security Measures: There's an increase in adherence to protective security protocols.
- Lower Risk of Insider Incidents: A strong security culture significantly reduces the likelihood of incidents caused by insiders.
- Heightened Awareness of Security Threats: Employees become more aware of the most pertinent security threats.
- Security-Conscious Behavior: A culture that promotes security awareness leads to employees thinking and acting with a security-first mindset.
An educated workforce is the cornerstone of a strong security culture. Employees who are well-informed about potential threats serve as a vital defense against cybercrime.
Equally important is knowing how to react to a security issue. The organization's security is enhanced when employees understand the correct action in response to a problem or mistake.
In a healthy security culture, employees feel empowered and confident to contribute actively to maintaining and improving security, thanks to their understanding of security risks.
Here are five indicators of a healthy security culture:
- Positive Approach to Training: Security awareness training is never used as punishment.
- Inclusive Security Team: Every employee understands their role and value within the security team.
- Ongoing Risk Identification Training: Regular training sessions help employees identify potential risks.
- Supportive Environment for Queries: Employees are encouraged to seek help when uncertain about a security issue.
- Strict Adherence to Security Procedures: Security protocols are followed consistently, with no tolerance for non-compliance.
These elements are crucial in fostering a security culture that protects the organization and empowers its employees to be proactive and responsible in their approach to cybersecurity.
Editor's Note: This article was updated on November 12, 2025.