The 2025 Security Awareness and Training Global Research Report released by Fortinet shows security awareness training is rapidly evolving from a routine compliance exercise into a measurable control for reducing cyber risk. The report, based on responses from 1,850 senior IT and security decision-makers across 29 countries including India, indicates that while organisations are making progress in strengthening cyber resilience, significant gaps remain in employee readiness, training completion, and consistency of security practices.
Here are the most important takeaways for security and risk leaders.
AI is raising awareness, but employee readiness is still uneven
AI-driven threats have changed how employees and leaders think about cybersecurity. Nearly nine in 10 organisations say attackers’ use of AI has increased employee awareness of why security training matters. But awareness is not the same as readiness. Only about 40% of leaders say their employees are truly prepared to identify, avoid, and report AI-based cyberthreats.
Most organisations are responding by training employees on the proper use of generative AI (GenAI) tools, monitoring or restricting sensitive data sharing, and implementing formal AI security policies. Nearly all respondents say they already have, or are actively implementing, security policies for AI and large language model (LLM) tools. The direction is clear. The gap is execution and consistency.
External threats still drive adoption, but insider risk is rising fast
External threats, past breaches, and industry incidents remain the top reasons organisations invest in security awareness training. More than 40% of respondents cite these factors as the primary driver. What has changed is the rise in concern about internal risk. More than a quarter of organisations now point to insider risk as a reason for adopting training, a sharp increase from last year.
Training priorities reflect this shift. While data security and data privacy remain the top topics, AI-based tools and threats aren’t far behind. This alignment matters. It shows that organisations are starting to connect real-world risk with what employees are taught, rather than treating training as generic compliance content.
Security awareness training reduces incidents, and organisations can prove it
One of the strongest findings in the report is that training works. Sixty-seven percent of organisations report moderate or significant reductions in intrusions, incidents, and breaches after implementing security awareness and training.
Measurement practices are also maturing. The most common indicators include reduced security incidents, employee feedback, and security audits. Many organisations now combine in-person and computer-based training with simulations, assessments, and ongoing reinforcement. This reflects a shift away from one-time training toward programs designed to change behaviour and reduce risk over time.
Completion rates and consistency remain the weak points
Despite better measurement and better results, most organisations still struggle with follow-through. Only a small percentage report full training completion. At the same time, nearly seven in 10 leaders say employees still lack sufficient security awareness.
This helps explain the gap between investment and outcomes. Training that is not completed, not reinforced, or not kept current as the threat landscape changes cannot deliver its full value. The report points to practical improvements: shorter and more frequent training modules, clearer accountability for completion, better alignment between content and current threats, and visible leadership support. Additionally, regular micro-training is becoming more important for keeping up with advances in AI.
Security awareness is becoming cultural, not just procedural
Most leaders now see security awareness as a shared responsibility across the organisation, not just an IT or security function. Nearly all are also open to using policy to manage high-risk behaviour, especially when it is paired with training that explains the rationale behind those policies.
This is an important shift. Effective security awareness training is not just about passing a test. It is about shaping daily decisions, reinforcing good behaviour, and reducing risk where work actually happens.
What this means for 2026 and beyond
The data is straightforward. Security awareness training reduces incidents. And organisations that invest in it and measure it see real results. But AI is accelerating both attacker capabilities and business adoption. At the same time, insider risk is growing. And too many programs still lose impact because of low completion rates or outdated content. To be effective, training has to be continuous, relevant, and treated as a core risk management control, not a side project.
“India’s rapid digitisation is transforming industries, government services, and everyday life. However, as organisations adopt cloud, AI, and digital platforms at scale, the human element remains one of the most critical factors in cybersecurity. Security awareness and training represent the first line of defence against many cyber threats, particularly those that rely on social engineering and human error. When employees are equipped to recognise suspicious activity and respond appropriately, organisations significantly reduce their risk exposure. As organisations adopt AI and other emerging technologies, building a cyber-aware workforce through continuous training will be essential to safeguarding India’s digital future,” said Vishak Raman, Vice President of Sales, India, SAARC, SEA & ANZ at Fortinet.