Security awareness training is changing, but what really reduces human risk?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9016
Topic starter  

TL;DR: Legacy security awareness training fails when employees share answers, skip modules, and tune out simulations, even though 99% of organisations saw incidents tied to preventable user actions in 2024 and 60% of breaches involved the human element, according to Abnormal AI. The practical shift is from completion metrics to measurable behaviour change, threat recognition, and timely feedback that fits how people actually work.

NHIMG editorial — based on content published by Abnormal AI: Key Insights on AI-powered security awareness training and measurable behaviour change

By the numbers:

Questions worth separating out

Q: How should security teams measure whether security awareness training is working?

A: Measure whether the programme changes user behaviour, not whether people completed a module.

Q: Why do static phishing simulations stop reducing human risk?

A: Static simulations become predictable, so users learn the pattern rather than the security lesson.

Q: When should organisations move from completion-based SAT to behaviour-based training?

A: They should make the shift when module completion is high but user-driven incidents still occur, or when phishing susceptibility remains flat after repeated campaigns.

Practitioner guidance

  • Replace annual-only training with adaptive workflows: use current phishing attempts, recent incidents, and role-specific scenarios so training reflects the threats employees actually see.
  • Measure behaviour, not attendance: track click-through reduction, report rates, and threat recognition over time instead of relying on module completion.
  • Deliver coaching at the moment of action: send immediate feedback inside the inbox or other primary work channel so users connect the lesson to the behaviour.

What's in the full article

Abnormal AI's full article covers the operational detail this post intentionally leaves for the source:

  • How AI-assisted awareness platforms turn live phishing attempts into feedback loops that update user behaviour.
  • How role-specific training can be tuned to different risk groups without relying on one-size-fits-all simulations.
  • How practitioners can compare completion metrics with behavioural indicators such as click-through reduction and report rates.
  • How the vendor frames operational scalability for teams managing awareness at enterprise volume.

👉 Read Abnormal AI's analysis of behaviour-based security awareness training →
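As an added illustration of the "measure behaviour, not attendance" guidance and the shift trigger in the Q&A above (completion high, phishing susceptibility flat), the following script computes completion rate beside click and report rates per simulation campaign, and a per-role click rate of the kind the reply below uses to spot where risky behaviour concentrates. The data model, field names and thresholds are assumptions for this example; the campaign records are constructed and none of this is code from Abnormal AI or NHIMG.

```python
from collections import defaultdict

ROLES = ["finance"] * 4 + ["engineering"] * 6  # constructed role mix per campaign


def make_campaign(name, completed, clicked, reported, n_users=10):
    """Constructed simulation results: the first `completed` users finished the
    module, the first `clicked` users clicked the lure, the last `reported`
    users reported it. Hypothetical data, not taken from the article."""
    return [{"campaign": name, "role": ROLES[i], "completed": i < completed,
             "clicked": i < clicked, "reported": i >= n_users - reported}
            for i in range(n_users)]


# Three quarterly campaigns: completion rises to 100% while clicks stay flat.
RECORDS = (make_campaign("2024-Q1", completed=9, clicked=3, reported=2)
           + make_campaign("2024-Q2", completed=10, clicked=3, reported=3)
           + make_campaign("2024-Q3", completed=10, clicked=3, reported=5))


def campaign_metrics(records):
    """Per campaign: completion rate (attendance) beside click and report rates (behaviour)."""
    grouped = defaultdict(list)
    for rec in records:
        grouped[rec["campaign"]].append(rec)
    metrics = {}
    for name, recs in grouped.items():
        n = len(recs)
        metrics[name] = {key + "_rate": sum(r[key] for r in recs) / n
                         for key in ("completed", "clicked", "reported")}
    return metrics


def should_shift_to_behavioural(metrics, completion_floor=0.9, min_click_drop=0.1):
    """The trigger from the Q&A: completion is high in every campaign, yet the click
    rate has not fallen by at least `min_click_drop` from first to last campaign."""
    names = sorted(metrics)
    high_completion = all(metrics[n]["completed_rate"] >= completion_floor for n in names)
    click_drop = metrics[names[0]]["clicked_rate"] - metrics[names[-1]]["clicked_rate"]
    return high_completion and click_drop < min_click_drop


def click_rate_by_role(records):
    """Click rate per role across all campaigns: where risky behaviour concentrates."""
    seen, clicks = defaultdict(int), defaultdict(int)
    for rec in records:
        seen[rec["role"]] += 1
        clicks[rec["role"]] += rec["clicked"]
    return {role: clicks[role] / seen[role] for role in seen}


if __name__ == "__main__":
    m = campaign_metrics(RECORDS)
    for name in sorted(m):
        print(name, {k: round(v, 2) for k, v in m[name].items()})
    print("shift to behaviour-based training:", should_shift_to_behavioural(m))
    print("click rate by role:", click_rate_by_role(RECORDS))
```

On the constructed data every campaign reports 90 to 100% completion, yet the click rate never moves, and the finance role accounts for all of the clicks, which is exactly the situation where completion metrics would wrongly report success.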

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8472
 

Static SAT is a measurement problem before it is a content problem: Compliance-driven training assumes that completion equals resilience, but the article shows that employees can satisfy the programme while still behaving unsafely. That breaks the governance premise behind annual training cycles, because the programme records attendance rather than reduced exposure. The implication is that security awareness must be governed as a behavioural control, not a checkbox exercise.

A few things that frame the scale:

  • Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, according to The 2024 ESG Report: Managing Non-Human Identities.
  • Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months.

A question worth separating out:

Q: How do security teams connect awareness training to broader identity governance?

A: Treat awareness data as one input into identity governance alongside access reviews, exception handling, and incident trends. That lets teams see whether risky behaviour is concentrated in specific roles, processes, or business units and adjust training with the same discipline used for access controls.

👉 Read our full editorial: AI-powered security awareness training shifts focus from compliance
