Cybersecurity News Hub

Cybersecurity awareness news brief: What works, what doesn’t

Cyberinchief by Cyberinchief
October 27, 2025


Cybersecurity Awareness Month was introduced in October 2004 by the U.S. Department of Homeland Security and the National Cybersecurity Alliance. Its initial guidance, which covered simple security tasks — such as updating antivirus twice a year, just as you would change the batteries in your smoke alarms at daylight saving time — evolved into a month of best practices and advice for consumers, businesses and governments alike.

While often mocked or ridiculed — yes, people still fall for the same phishing scams they did years ago, and yes, cybersecurity awareness training can be a drag — the underpinning notions that cybersecurity is critical and that individuals and businesses must do their share to stay safe from cyberthreats are no joke.

This week’s featured news looks at the latest in enterprise cybersecurity awareness — for better and worse.

Traditional cybersecurity training fails to thwart phishing attacks

Despite decades of investment in cybersecurity awareness training, recent research revealed these programs are largely ineffective and sometimes counterproductive.

A comprehensive review of studies since 2008 found that common training methods — including annual webinars and embedded lessons after failed phishing tests — do not significantly reduce employees’ susceptibility to attacks.

Researchers from the University of Chicago and University of California, San Diego found “no evidence that annual security awareness training correlates with reduced phishing failures,” while ETH Zurich studies showed embedded training can make employees overconfident and more vulnerable.

Additional research indicated that knowledge alone doesn’t translate to behavioral change, with training effects disappearing within six months.

Read the full story by Eric Geller on Cybersecurity Dive.

Cybersecurity training should focus on behavioral change

Most cyberattacks succeed by targeting end users through social engineering or exploiting human errors, making traditional security awareness training insufficient.

Leading organizations are shifting from basic awareness programs to human risk management models that drive actual behavioral change. Effective programs now employ seven key practices:

  • Using the COM-B psychological model — capabilities, opportunities, motivation — to design training.
  • Teaching users to activate “slow thinking” reflexes when under pressure.
  • Delivering bite-sized, scenario-based nudges that mirror real-world attacks.
  • Measuring meaningful metrics beyond simple click rates.
  • Using gamification carefully and deliberately.
  • Emphasizing positive reinforcement over punishment.
  • Hiring psychology and behavioral science experts to design curricula.

This approach transforms employees from the weakest security link into the first line of defense by creating lasting behavioral changes rather than just temporary awareness.

Read the full story by Ericka Chickowski on Dark Reading.

From hacker to educator: Nigerian youth transforms security landscape

Aliyu Ibrahim Usman began hacking at the age of 14 but concealed his skills due to negative perceptions of hacking in Nigeria. At 19, he founded the Cyber Cadet Academy to train university students and professionals in cybersecurity careers. Now 23, Usman organized Nigeria’s inaugural BSides cybersecurity conference in Kano, bringing together stakeholders including police, government agencies and students.

Driven by concerns about online child safety and widespread cybersecurity issues, he teaches up to 20 students at his registered academy. His vision is to make the academy Africa’s leading cybersecurity training institute, with plans to expand and train students as future staff members.

Read the full story by Arielle Waldman on Dark Reading.

IT leaders fall victim to phishing — and some keep it a secret

A survey of 1,700 IT professionals by cybersecurity vendor Arctic Wolf reported that nearly 70% of IT leaders have been targeted by cyberattacks, with 39% experiencing phishing, 35% malware and 31% social engineering attacks.

Most concerning is that 64% of senior executives admitted to clicking on phishing links, and 17% of them never reported doing so. Researchers suggested this might be out of fear of punishment or termination.

Read the full story by Eric Geller on Cybersecurity Dive.

AI-powered social engineering targets corporate executives

Attackers are increasingly using sophisticated AI technologies, such as deepfake videos and voice cloning, to conduct social engineering attacks against corporate executives and high-profile targets.

According to cybersecurity vendor Palo Alto Networks, social engineering was the leading attack vector in 36% of incident response cases from May 2024 to May 2025, with two-thirds targeting privileged or executive accounts. In a separate report, the Ponemon Institute reported that about 40% of executives have experienced deepfake attacks.

To combat these evolving threats, experts recommended limiting information shared on social media, using phishing-resistant MFA and implementing out-of-band verification methods.

Read the full story by David Jones on Cybersecurity Dive.

Editor’s note: An editor used AI tools to aid in the generation of this news brief. Our expert editors always review and edit content before publishing.

Sharon Shea is executive editor of Informa TechTarget’s SearchSecurity site.

© 2025 All rights reserved by cyberinchief.com
