The State of Human Risk: Security Awareness Evolves
As concern over human risk continues to grow, Mimecast’s State of Human Risk Report sheds light on how organizations are evolving their security awareness training programs
Key Points
- Concerns over human risk management continue to grow, making human risk the hot topic in cybersecurity for 2025.
- Mimecast has released its ninth annual cybersecurity survey report, The State of Human Risk 2025.
- This blog is the second in a series and highlights our findings in security awareness training.
The need to address human risk inside today’s organizations is the overwhelming top priority for cybersecurity teams in 2025. It is also the main theme of Mimecast’s recently released ninth annual report on the state of the industry, this year aptly titled The State of Human Risk 2025.
Each year, Mimecast conducts a survey of CISOs and other cybersecurity professionals to gain an understanding of the problems they are facing and the issues that are their priority for the coming year. For 2025’s report, we surveyed 1,100 IT security and IT decision makers from the United States, United Kingdom, France, Germany, South Africa, and Australia. A range of private and public sectors were covered, including healthcare, retail, finance, manufacturing, and utilities.
Security Awareness Evolves
Security awareness remains a cornerstone of modern cybersecurity. It equips employees to identify and respond to threats while reducing risks like data breaches. By addressing the most significant vulnerability – the human element – security awareness training empowers users to safeguard digital assets through a clear understanding of security protocols and by identifying malicious activity.
And while most organizations have already recognized the importance and the benefits of security awareness training, at this point in the game, a more innovative approach to traditional security awareness training is needed. Organizations should still maintain their standard security awareness training for all users but should also be focusing additional training on the users who face higher risk.
Leveraging personalized risk insights, such as tailoring content for individuals identified as high-risk based on data-driven testing, enhances the effectiveness and relevance of the training.
Human Risk Management Platforms
The next evolution in security awareness can be obtained by deploying a human risk management platform. HRM platforms provide real-time insights into employee behavior and risk levels. They allow organizations to target training where it’s most needed. By showing measurable improvements in behavior and identifying areas where gaps remain, HRM tools can quantify effectiveness and guarantee actual impact.
Recognizing that a one-size-fits-all approach fails in the context of security awareness is essential to the success of security awareness training programs. Focusing resources on employees whose behavior suggests the highest risk is critical to your training program’s success. The ability of your HRM platform to provide continuous feedback loops, demonstrate progress, and pinpoint weaknesses helps build a culture of proactive cybersecurity, which is equally important.
Security Awareness Survey Results
The results of our survey demonstrate the wide use of traditional security awareness training programs, with 87% of respondents saying their organization trains its employees to spot cyberattacks at least once a quarter. While that may spell good news, 33% of respondents still fear mistakes and human error by employees in handling email threats, 27% still fear employee fatigue is causing lapses in vigilance, and 43% have seen an increase in internal threats or data leaks initiated by compromised, careless, or negligent employees in the last 12 months. Additionally, a full two-thirds are concerned that data loss from insiders will increase at their organization in the next 12 months.
The Bottom Line
While we are seeing great improvement in the actual deployment of regular security awareness training programs across the organizations we surveyed, today’s cybercriminals and the threat they pose must be further addressed by providing focused additional training for the users who are most at risk. A human risk management platform can give security teams the insight they need to determine which users should be receiving this additional training. Learn more by reading the full State of Human Risk 2025 report.