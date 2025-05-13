99% of organizations experienced security incidents linked to avoidable human error, yet current training tools fall short

Abnormal AI, the leader in AI-native human behavior security, today released a new research report that highlights a stark disconnect between security awareness training (SAT) programs and their real-world effectiveness. While nearly every organization surveyed (99%) suffered a security incident tied to human error in the past year, the vast majority stated that they struggle to implement effective, scalable SAT programs that reduce this risk.

Based on a survey of over 300 security and IT leaders in the United States and United Kingdom, Abnormal's research found that SAT is widely adopted, with 75% of organizations requiring employees to complete training at least quarterly. However, many programs exist only to satisfy regulatory or insurance requirements, which results in stale content, minimal engagement, and a perception of training as "checkbox compliance."

"When SAT content is one-size-fits-all and delivered against an annual or quarterly schedule to check a box, it can feel like a chore that employees are apt to tune out-and that opens the door to costly breaches," said Mike Britton, CIO of Abnormal AI. "Attackers' most vulnerable targets are people, not systems, and reducing avoidable user actions-like clicking on a suspicious link-needs to be front and center."

Unfortunately, the amount of time and effort required to run an effective SAT program was shown to be a major blocker preventing organizations from achieving success. Eighty-three percent of respondents agreed that their current SAT tools require substantial effort to operate and maintain, with more than half (53%) agreeing that the effort required to run them outweighs their impact.

Despite widespread recognition that training can dramatically improve an organization's security posture, the reality is grim: SAT programs are currently insufficient, ineffective, or both. The good news is, organizations are prepared to act.

The report's findings highlight the potential for AI to improve both the efficiency and effectiveness of training programs in reducing human error. Nearly all of the organizations surveyed (99%) are in favor of including AI in future SAT tools and workflows, and see the value in using AI to support various functions of their programs, including to:

Automatically generate training campaigns and workflows (99%)

Automate the creation of training videos (95%)

Automatically create individualized attack simulations based on individual user profiles (95%)

Conduct conversational coaching by leveraging LLMs (95%)

Create dynamic risk scores based on past user behavior and the types of attacks targeting certain types of users (96%)

The report highlights Just-in-Time (JIT) training as an untapped opportunity in SAT. JIT training delivers education to employees at the exact moment they need it-for instance, right when they encounter a suspicious email. This dynamic, adaptive learning can be tuned to current threats and individual user behavior, with lessons that are highly relevant to real-world risks.

"To truly defend against human-centric threats, enterprises must evolve their SAT programs to be continuous, dynamic, contextual, and personalized," continued Britton. "For years, this kind of training was something security leaders might have wished for, but implementing it in the real world would have been far too labor-intensive. Now, with AI, security teams have the power to make the dream of highly effective security awareness training a reality."

