According to Verizon’s 2024 Data Breach Investigations Report, 68% of the breaches analyzed worldwide involved a human element. In other words, among the many factors contributing to an incident, in roughly two out of three cases there was an error, a moment of inattention, a successful deception, or some other unintentional (non-malicious) harmful action by a person at the victim organization.
For years, cybersecurity professionals have repeated the mantra that the human factor is the weakest link in security. Although this is well known within the industry, turning it into a solid line of defense is arguably the greatest challenge of modern information security. But why is this so difficult?
Let’s briefly recap the situation: 68% of data breaches have a human component as one of their causes; cyberattacks increased by 27.4% in 2024 compared to the previous year (Clusit); and the average cost of a data breach rose by 10%, reaching $4.88 million (IBM).
In response, companies are investing in security awareness more than ever before. A decade ago, Gartner estimated this market might reach $1 billion; today, forecasts predict global spending will exceed $10 billion by 2027. This acceleration is driven not only by the increasing frequency of attacks but also by the potentially devastating impact of the misuse of Generative AI, which makes social-engineering attempts even more insidious.
Despite heavy investments, human error—or at least the human element—continues to play a role in cyber incidents, for at least three reasons.
A behavior reinforced over the years is far harder to correct than a software vulnerability. Errors stem from bad habits, gaps in education, workplace pressures, or simple distraction. That’s why we talk about security-awareness programs rather than mere training: the goal isn’t just to provide information, but to shape a new mindset toward information security.
Phishing and social-engineering attacks are becoming more sophisticated, tailored to corporate culture and individual employees. From this specific angle, Generative AI is challenging security experts. Attackers update their techniques at a speed that often outpaces organizations’ ability to train their staff.
Workplace pressure is constant in every organization, and attackers exploit it. To keep up or boost productivity, employees take shortcuts: they save passwords where they shouldn’t, share credentials over chat, send confidential documents through unsanctioned tools (a WhatsApp group with colleagues, for example), or dismiss security alerts. Until corporate culture internalizes cybersecurity as a strategic value, these shortcuts, and the human error behind them, will remain a threat.
Many organizations treat human error as merely a training issue, thus limiting themselves to occasional courses, newsletters, targeted content, or awareness campaigns, without addressing the deeper cultural, organizational, and behavioral complexity.
Few concepts seem as straightforward as security awareness in the IT world, yet it is often misunderstood. While greater awareness clearly helps improve security posture, implementing it effectively is an extremely complex challenge.
Security awareness refers to people’s ability to recognize cyberthreats directed at them and to adopt virtuous behaviors to prevent or manage them. It’s not just about avoiding suspicious links or using strong passwords, but about constantly operating with a security-oriented mindset.
The goal of security awareness is not merely to inform, but to change behaviors around tools, IT systems, and data. It’s about creating a culture in which security isn’t delegated solely to the IT department, but is a shared value across the entire organization.
Building a security-awareness program requires far more than a good idea and educational content. It demands solid foundations, strategic vision, and conscious change management. Here are the three fundamental prerequisites.
Without strong, genuine involvement from top management, a security-awareness program is unlikely to have a lasting impact. Leadership must be the first to believe—and ideally to demonstrate—that security is a strategic priority and everyone’s responsibility, not just the antivirus or firewall team’s. This means staying engaged, supporting communications, and setting the example.
Awareness is built over time; it’s not a temporary project or a throwaway line item in the IT budget. Yet too often, organizations plan a program for one year—perhaps funded with whatever remains after investing in infrastructure or protective tools—and then drop it the next year.
Attackers don’t take breaks, and every gap in activity weakens an organization’s resilience. If nothing severe happens during a period of silence, it becomes even harder to justify restarting the initiative the following year. Continuity is the only way to build habits and keep attention high.
Embedding security into day-to-day processes sometimes means revising procedures and reworking established workflows. It isn’t simple, and it may not be painless. It requires careful planning: communicating the value of what’s being done, explaining how and why certain practices must change, and designing new processes that don’t slow productivity or hinder results.
How do you build an effective security-awareness program? In this context, “tools” aren’t just technology platforms but a comprehensive toolkit: an integrated set of resources, methods, technologies, and content that enable a robust, long-lasting journey.
Although security awareness and training are not the same, formal training remains a key element of any program.
Rather than relying on hard-to-organize classroom sessions, modern platforms focus on short, self-service content designed to be effective in just a few minutes: videos, micro-learning modules, quizzes, infographics. The important thing is that they be accessible, targeted, and contextual. That said, there’s still value in occasional in-person sessions for program launches or major updates.
When well designed, gamification strengthens recall, builds solid concepts, boosts engagement, and creates a continuous assessment system for awareness levels. It isn’t a competition, but a compelling way to measure progress and encourage constructive comparison. Badges, leaderboards, and interactive quizzes—all contribute to keeping interest high.
Advanced security-awareness platforms also offer simulations to assess employees’ knowledge and awareness. This is one of the most concrete and useful tools, because it tests people in a realistic but controlled scenario. Platforms send tailored phishing messages (by email, or even by phone, using Generative AI to produce convincing text or voice) to measure reactions, identify weak points, and follow up with targeted training. The most useful measure is not only who clicked, but who reported the message and how quickly: reporting is the behavior the program is trying to build, and a simulation that only counts clicks misses it.
Data collected through tests, simulations, and interactions must drive the design of subsequent activities, tailoring them as closely as possible to the audience. Those who show weakness in a particular area receive additional content or dedicated sessions; those with advanced profiles can become internal ambassadors.
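To make the last two points concrete, here is an added example (not code from the original article or from any awareness platform) that turns raw phishing-simulation results into the two decisions just described: which departments need targeted follow-up, and which individuals are candidates to become internal ambassadors. The record layout, the sample events, and the thresholds (a click rate above 30% or a report rate below 50% triggers targeted training) are assumptions made for illustration; a real program would tune them to its own baseline.

```python
"""Turn phishing-simulation results into targeting decisions.

Added example, not part of the original article and not any vendor's
platform code. The record layout, sample data and thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class SimEvent:
    campaign: str
    user: str
    department: str
    clicked: bool                        # opened the lure link
    submitted_creds: bool                # typed credentials into the fake login page
    reported: bool                       # used the report-phishing button
    minutes_to_report: Optional[float]   # None when the user did not report


# Constructed sample: two campaigns (A, B), seven users, three departments.
EVENTS = [
    SimEvent("A", "f1", "Finance", True,  True,  False, None),
    SimEvent("A", "f2", "Finance", False, False, True,  12),
    SimEvent("A", "f3", "Finance", True,  False, True,  45),   # clicked, then reported
    SimEvent("A", "s1", "Sales",   True,  True,  False, None),
    SimEvent("A", "s2", "Sales",   False, False, False, None),
    SimEvent("A", "i1", "IT",      False, False, True,  5),
    SimEvent("A", "i2", "IT",      False, False, True,  8),
    SimEvent("B", "f1", "Finance", True,  False, False, None),
    SimEvent("B", "f2", "Finance", False, False, True,  20),
    SimEvent("B", "f3", "Finance", False, False, False, None),
    SimEvent("B", "s1", "Sales",   False, False, False, None),
    SimEvent("B", "s2", "Sales",   True,  True,  False, None),
    SimEvent("B", "i1", "IT",      False, False, True,  3),
    SimEvent("B", "i2", "IT",      True,  False, True,  30),
]


def department_metrics(events):
    """Per-department click, credential-submission and report rates, plus the
    median minutes to report (None if nobody in the department reported)."""
    by_dept = defaultdict(list)
    for e in events:
        by_dept[e.department].append(e)
    out = {}
    for dept, evs in by_dept.items():
        n = len(evs)
        times = [e.minutes_to_report for e in evs
                 if e.reported and e.minutes_to_report is not None]
        out[dept] = {
            "events": n,
            "click_rate": sum(e.clicked for e in evs) / n,
            "cred_rate": sum(e.submitted_creds for e in evs) / n,
            "report_rate": sum(e.reported for e in evs) / n,
            "median_minutes_to_report": median(times) if times else None,
        }
    return out


def needs_targeted_training(metrics, max_click_rate=0.3, min_report_rate=0.5):
    """Departments whose click rate is too high or whose report rate is too low.
    The thresholds are assumed values, not industry standards."""
    return sorted(d for d, m in metrics.items()
                  if m["click_rate"] > max_click_rate
                  or m["report_rate"] < min_report_rate)


def ambassador_candidates(events):
    """Users who reported every campaign they received and never clicked."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    return sorted(u for u, evs in by_user.items()
                  if all(e.reported and not e.clicked for e in evs))


if __name__ == "__main__":
    metrics = department_metrics(EVENTS)
    for dept, m in sorted(metrics.items()):
        print(dept, m)
    print("targeted training:", needs_targeted_training(metrics))
    print("ambassador candidates:", ambassador_candidates(EVENTS))
```

On the sample data, Finance and Sales are flagged (high click rate; Sales also never reports), while IT is not, despite one click, because its report rate and time to report are good. The two users who reported every lure without clicking are the ambassador candidates. Note that the report metrics only exist if the simulation platform records reports and not just clicks.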
Less technical tools—such as newsletters, internal messages, posts on enterprise social platforms, or reminders at key moments—also form part of the best awareness programs’ toolkit. As mentioned, the key is continuity.