Security 101: Cyber Training Still Fails Miserably

Summary

This Dark Reading Reporters' Notebook roundtable — with contributors from Dark Reading, TechTarget SearchSecurity and Cybersecurity Dive — finds that despite years of awareness drives and training, basic security habits remain weak. Organisations still cling to short, complex passwords and slow-moving controls, phishing continues to succeed (even among executives), and conventional awareness training often fails to change behaviour and can even backfire.

The discussion highlights survey data from Cybersecurity Awareness Month 2025 showing that roughly 30% of organisations stick with the old eight-character complexity rules, only 17% favour passphrases, 34% use SSO and 21% deploy password vaults. Research cited shows 64% of executives have clicked phishing links and 17% did not report doing so. Studies going back to 2008 indicate that many training models teach knowledge rather than reliably changing behaviour; shame- or fear-based approaches can create overconfidence and riskier actions.

Key Points

  • Many organisations still use outdated password policies (roughly 30% rely on eight-character complexity rules) rather than longer passphrases.
  • Adoption of mitigations like SSO (34%) and password vaults (21%) is growing but uneven.
  • Phishing remains highly effective — 64% of executives admitted to clicking phishing links, and 17% failed to report it.
  • AI is making phishing more convincing, escalating the attacker–defender arms race.
  • Traditional annual or knowledge-focused awareness training often fails to reduce click rates and can create overconfidence.
  • Behavioural approaches (embedded, snackable, non-shaming interventions) are recommended over fear-based, once-a-year sessions.

Context and relevance

Why this matters: attacks are getting smarter (AI-enhanced phishing, social engineering) while human behaviour and legacy policies remain weak links. The piece ties into wider industry trends — NIST guidance favouring passphrases, gradual SSO/password-manager uptake, and growing attention to human factors and behavioural science in security programmes.

For security leaders and practitioners, the takeaways are practical: accelerate adoption of modern authentication (passphrases, SSO, vaults), redesign training around behavioural change (embed micro-learning, avoid shaming), and treat awareness as a human-centred problem, not purely a technical checklist.
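To make the password-policy point concrete, here is an added example (not code from the article or the roundtable) that puts the legacy eight-character composition rule beside a length-first, blocklist-backed policy of the kind the NIST guidance favours, and reports a rough search-space bound for each candidate. The blocklist contents and the 15-character minimum are assumptions chosen for illustration.

```python
import math
import re

# Constructed, illustrative blocklist. In practice this would be a large
# breached-password corpus (assumption: these entries are only examples).
COMMON_PASSWORDS = {"password", "p@ssw0rd", "welcome1!", "summer2025!", "qwerty123"}


def legacy_complexity_policy(pw: str) -> bool:
    """The eight-character composition rule the survey says ~30% of orgs keep:
    at least 8 characters with upper, lower, digit and symbol present."""
    return (len(pw) >= 8
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def passphrase_policy(pw: str, min_len: int = 15) -> bool:
    """Length-first policy in the spirit of the NIST guidance the article cites:
    no composition rules, a long minimum (assumed 15 here), and rejection of
    anything on the blocklist, compared case-insensitively."""
    return len(pw) >= min_len and pw.lower() not in COMMON_PASSWORDS


def guess_space_bits(pw: str) -> float:
    """Rough upper bound on brute-force search space: log2(charset ** length).
    It overstates strength for dictionary-derived strings; it is here only to
    show that length, not symbol juggling, is what grows the space."""
    charset = 0
    if re.search(r"[a-z]", pw):
        charset += 26
    if re.search(r"[A-Z]", pw):
        charset += 26
    if re.search(r"\d", pw):
        charset += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        charset += 33  # printable ASCII punctuation and space
    return len(pw) * math.log2(charset) if charset else 0.0


def compare(pw: str) -> dict:
    """Evaluate one candidate under both policies and report the bound."""
    return {"legacy": legacy_complexity_policy(pw),
            "passphrase": passphrase_policy(pw),
            "bits": round(guess_space_bits(pw), 1)}


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "Summer2025!", "correct horse battery staple"):
        print(candidate, compare(candidate))
```

"P@ssw0rd" satisfies every composition box yet sits on the blocklist, while the four-word passphrase fails the legacy rule and passes the length-first one with a far larger search space.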

Why should I read this?

Look — this saves you time. If you want a sharp, no-nonsense update on why so many awareness programmes still flounder and what actually moves the needle, this is it. It calls out the stats, names the behaviours, and points to practical alternatives (short bursts, embedded training, behavioural design) instead of yet another boring annual slide deck. Read it if you care about stopping people from being the weakest link.

Author style

Punchy: the report cuts through marketing fluff and stresses that this is a human problem as much as a technical one. If you care about real improvement, the discussion is a useful nudge to rethink training and policy.

Source

Source: https://www.darkreading.com/cybersecurity-operations/security-problems-cyber-training-fails-miserably