Poor training a major contributor to organizational risk, study says

Complex, lengthy, and repetitive training methods identified by employees as a blocker to learning cyber and compliance fundamentals.

A Human Risk Review by security firm SoSafe says that as innovation is creating a troubling cybersecurity landscape, the biggest threat to many organizations is poor decision-making by humans.

Over 1,000 security professionals from across Europe were surveyed, while 9,000 simulated phishing emails were sent as part of the data-gathering process.

One in two companies have experienced a successful cyberattack in the past three years, while 64% say they are at high risk of being subject to another.

Striking figures

Despite these striking figures, there seems to be uncertainty about how to develop better compliance practices within organizations. Employees complain that security training is time consuming, generic, and repetitive.

Some 81% of security professionals say phishing and emotional manipulation of employees pose a significant risk to their organization, and one in five users admit to clicking on AI-generated phishing emails crafted by ChatGPT and other AI tools.

“The emergence of more readily available generative AI tools has now brought this possibility into immediate reach. In a small study, we recently found that phishing emails can be created 40% faster with the help of ChatGPT – a foretaste of how criminals will use AI to scale their business,” says SoSafe CEO, Dr. Niklas Hellemann.


There is ongoing debate about whether cyber regulation and laws should be the responsibility of organizations or governments.

“There is a misconception that the cyberspace is unregulated, which is simply not true. There are many cyber security laws, but they are not properly enforced,” says Stéphane Duguin, CEO, CyberPeace Institute.

“There is a misconception that the cyberspace is unregulated, which is simply not true. There are many cyber security laws, but they are not properly enforced.”

Stéphane Duguin, CEO, CyberPeace Institute

But government actors can exacerbate the problem rather than helping to fix it. “When states continue to use their resources to conduct surveillance attacks, they are investing in global cyber insecurity, because for that surveillance to work, they need to ensure there are vulnerabilities in the cyberspace,” says Duguin.

Some experts are suggesting the fundamentals of data and cybersecurity are so important they should be integrated into school curriculums.

Behavioural science-led approach to training

While human error cannot be eradicated, it can be mitigated. With regards to compliance, mistakes are commonly made due to lack of awareness, training, and preparedness on the part of employees, rather than malicious intent.

But as anyone who has ever grappled with compliance policy knows, the rules can be fiendishly complicated. “The number one challenge in the cyber security industry right now is burnout: there’s too much data, too many cases, and not enough time,” says Duguin.

“I’ve never accomplished anything with policy alone. And I’ve never heard of a hacker who was scared off by a company’s security policy,” says Thomas Tschersich, CEO, Deutsche Telekom.

Imparting information

Outdated training methods are still the norm. “Many are having a hard time and keep working with traditional measures: long PowerPoint presentations, “funny” videos, or rigid, in-person seminars that aim to teach employees about this topic,” says strategy expert Dr. Katrin Suder. “But if we look at how much information we have to impart to our employees – in addition to cyber, there are topics like compliance, data protection, ESG – then we need to adopt concepts like gamification and some of the methods used in adult education. A lot of companies are still at square one in that respect.”

It’s a view shared by Christian Hunt, founder of Human Risk, who says: “There are times when we will want people to think for themselves and not just slavishly follow rules … when things go wrong, we double down on doing the same thing, such as bad training. We need to think about having the right tools for the job in order to get the right behavioural outcomes.”