Cyberattacks Are the Top Global Business Risk and CISOs Must Deploy Defenses That Actually Work


A new era of increasingly destructive cyberthreats means companies can no longer rely on traditional compliance-based cybersecurity awareness training.

For the fifth year in a row, the Allianz Risk Barometer found that cyber incidents constitute the top global business risk—and by a “higher margin than ever before.” Researchers report that cyber incidents are the “risk of greatest concern across a broad range of industries,” as well as companies of all sizes. This isn’t just because cyberattacks are extremely costly in terms of their immediate damage and downtime, legal and regulatory scrutiny, and reputational harm. It’s also because cyberattacks have become more difficult to repel. 

Cyberattacks have been supercharged in recent years. Rapidly improving AI systems make it much easier for bad actors to launch sophisticated cyberattacks that infiltrate secure systems, disrupt operations, and steal highly sensitive data. Meanwhile, cybercriminal tactics have pivoted to keep pace with technological developments. 

Verizon’s Data Breach Investigations Report has long held that the majority of breaches involve some sort of human error. Social engineering was already the weapon of choice for many cybercriminals, and it is now possible to launch advanced multi-stage cyberattacks with AI tools like large language models (LLMs) and deepfakes. Given the human element’s prominence in successful breaches, the evolution of social engineering is a particularly urgent threat. 

This new era of cyberthreats demands a more robust, comprehensive, and accountable approach to human-based cybersecurity to counter social engineering as the primary attack vector. Companies can no longer rely on traditional cybersecurity awareness training oriented around check-the-box compliance exercises. Instead, they need security awareness training programs that actually change behavior and manage human risk.

The rising costs of social engineering demand better solutions 

With intensifying public and regulatory pressure over issues like customer data security and the integrity of digital infrastructure, compliance has become a top focus. But a compliance-first approach to the persistent threat of social engineering-based cyberattacks creates incentives for check-the-box training that doesn’t actually improve the company’s security posture. CISOs can’t afford to implement cybersecurity programs that are mainly concerned with reducing legal liability and conforming to minimum regulatory or insurance standards. They must instead develop an approach to human risk management that relies on effective cybersecurity awareness training and actually improves security outcomes. 

The latest IBM Cost of a Data Breach Report found that the average financial impact of a data breach in the United States surged to an all-time high of $10.22 million in 2025. IBM also reports that phishing remains the top initial attack vector, a stark reminder that cybercriminals are exploiting human vulnerabilities to inflict ever-greater damage. The 2025 Verizon Data Breach Investigations Report found that 60 percent of breaches involved a human being at some stage—an alarming figure that underlines the importance of effective cybersecurity awareness training as part of a human risk management program. Beyond the magnitude of the threat posed by social engineering, the latest data clearly indicate that employees remain a weak security link in too many organizations. 

But this doesn’t have to be the case. While it’s true that social engineering attacks remain disturbingly successful at manipulating their victims, this reality presents a huge opportunity for CISOs. By ditching reactive, compliance-based exercises for a proactive approach to cybersecurity awareness training and human risk management, CISOs can turn one of the company’s most pressing security liabilities into a dynamic and resilient security layer. 

Building support for awareness training and managing human risk

There has never been an easier time for CISOs to make a case for effective security awareness training and human risk management to their leadership teams and boards. One vital component of this case is clearly demonstrating the stakes by citing the data covered above: cyberattacks are the top business risk companies face, the costs incurred continue to rise, and trends in AI and cybercriminal tactics suggest that this risk is only becoming more dangerous. Everyone needs to stop going through the motions and implement programs that work.

Compliance-based exercises are often based on a one-size-fits-all educational model that treats diverse employees as if they’re all the same. This model fails to account for different emotional susceptibilities, learning styles, and roles within the organization. By personalizing cybersecurity awareness training, CISOs will be able to target specific emotional and cognitive vulnerabilities which vary from person to person. This won’t just improve learning outcomes—it will also more effectively change people’s security behavior. 

Gallup reports that less than a quarter of employees who have taken part in compliance training rate it as “excellent,” while just 11 percent say their coworkers apply what they learn on a daily basis. Given the stakes, this is a status quo that CISOs should refuse to accept when it comes to security awareness training. By emphasizing measurable outcomes on an individual basis, CISOs will have visibility into which interventions are working as well as a compelling story for their fellow company leaders. 

Ditching compliance exercises for real cybersecurity awareness training

Cybersecurity awareness training is among the most cost-effective ways to address the biggest risks your company faces. First, it focuses on the primary tactic bad actors use (social engineering), which means CISOs can turn a major security weakness into a strength. Second, it’s highly dynamic—consistent awareness training should constantly be updated to keep pace with rapidly emerging threats like AI-powered phishing. And third, it provides real-time visibility into the organization’s security gaps and the progress toward closing them. Verizon researchers cited a study finding that the rate of suspected phish reporting jumped fourfold among employees who had received training over the previous month, indicating that annual exercises aren’t nearly as effective at producing security outcomes.

AI is fueling a new generation of social engineering attacks. According to IBM, generative AI has slashed the time it takes for a bad actor to create a convincing phishing email from 16 hours to five minutes. Microsoft reports that bad actors have moved from “simple phishing” to sophisticated “multi-stage attack chains” that rely on AI. And IBM found that a voice call makes employees three times more likely to fall for a phishing scheme. It’s no wonder that the second-most pressing business risk in the Allianz barometer is Artificial Intelligence. Employees can’t rely on typical red flags like spelling errors or broken links in phishing messages anymore. They must be capable of analyzing the tone and context of messages, and they must be prepared for persistent multilayered phishing attacks that seek to manipulate them. 

Quarterly or annual security compliance training is far too sluggish and ineffective to help companies navigate this increasingly treacherous cyberthreat landscape. Traditional compliance exercises alienate employees and fail to keep them engaged, which is why CISOs must provide high-quality content that sustains their focus. Cybersecurity content should be narrative-driven, personalized, and built around real-world cyberthreats. Employees view typical compliance training as cumbersome and frustrating, and it’s the CISO’s job to provide content that doesn’t fall into this trap.  

At a time when cyberattacks are the main global business risk and most of these attacks exploit the human element, CISOs must recognize that effective cybersecurity awareness training has never been more crucial for protecting their organization. This means moving beyond compliance and implementing a cybersecurity awareness training program capable of driving real behavioral change at every level of the company.


About the Author

Matt Lindley is the Chief Innovation & Information Security Officer at NINJIO, a cybersecurity awareness training and human risk management platform. With more than a decade and a half of experience as a cybersecurity analyst and practitioner, Matt focuses on helping organizations reduce risk by strengthening the human layer—translating emerging threats, social engineering tactics, compliance realities, and security transformation challenges into programs that drive measurable behavior change.



Follow Brilliance Security Magazine on LinkedIn to ensure you receive alerts for the most up-to-date security and cybersecurity news and information. BSM is cited as one of Feedspot’s top 10 cybersecurity magazines.