Solidus Mark

The Firewall Isn’t a Machine: How We Escaped the Annual Compliance Trap and Built a Resilient Human Defense

by Genesis Value Studio
September 16, 2025
in Legal Knowledge

Table of Contents

  • Part I: The Million-Dollar Mistake: My Ordeal with “Best Practice” Security Training
    • A. The Opening Scene: The Anatomy of a Failure
    • B. The “Compliance Theater”: Why Our Perfect Score Meant Nothing
    • C. The True Cost of a Flawed Model
  • Part II: The Gardener’s Epiphany: Why We Were Watering Rocks
    • A. The Moment of Reframing
    • B. Deconstructing the Old “Blueprint”: From Security to Awareness
  • Part III: Cultivating the Human Firewall: A New Architecture for Human Risk Management
    • Pillar 1: From Annual Event to Continuous Rhythm (Consistent Watering)
    • Pillar 2: Beyond Knowledge to Behavior (Teaching How to Grow)
    • Pillar 3: Personalization Over a One-Size-Fits-All Mandate (Tending to Each Plant)
    • Pillar 4: From Fear to Partnership (Cultivating the Soil)
    • Pillar 5: Leadership as the Keystone (The Gardener’s Commitment)
  • Part IV: The Blueprint for Implementation: Your First 90 Days in the Garden
    • A. Day 1-30: Preparing the Soil and Getting Buy-In
    • B. Day 31-60: Planting the First Seeds
    • C. Day 61-90: Establishing the Rhythm of Care
  • Part V: The Future-Proof Defense: A Garden for All Seasons
    • A. Adapting to Evolving Threats
    • B. The Human Firewall as a Competitive Advantage
    • C. Final Narrative Anchor

Part I: The Million-Dollar Mistake: My Ordeal with “Best Practice” Security Training

A. The Opening Scene: The Anatomy of a Failure

The alert came in at 2:17 AM on a Tuesday.

It wasn’t the frantic, blaring alarm of a system outage, but something far more sinister: a quiet, persistent signal of anomalous data exfiltration.

As a security leader with over a decade of experience, I’d built my career on process, preparation, and what I believed were industry best practices.

We had state-of-the-art firewalls, advanced endpoint detection, and a meticulously documented security program.

Most importantly, we had just closed the books on our annual security awareness training.

The dashboard showed a perfect score: 100% completion across all 1,300 employees.1

We had checked every box.

We were, by all traditional measures, secure.

The next 72 hours were a blur of forensic analysis, crisis calls, and the slow, dawning horror of realization.

A sophisticated ransomware attack had not only encrypted our critical servers but had also siphoned off gigabytes of sensitive customer data and proprietary intellectual property.

The post-mortem was brutal and swift.

The entry point wasn’t a zero-day exploit or a flaw in our infrastructure.

It was an email.

A cleverly crafted phishing message that mimicked an internal invoice request was sent to a mid-level employee in the finance department.

That employee, who had completed their mandatory training just three weeks prior, clicked the malicious link.

That single click was the start of a cascade failure that would cost the company millions.

It was a devastating lesson in a truth that the cybersecurity industry often prefers to whisper: compliance is not security.

Our perfect training score was a vanity metric, a hollow achievement that provided a dangerously false sense of protection.

This incident wasn’t just a technical failure; it was a catastrophic failure of our entire philosophy on human risk.

It forced me to question everything I thought I knew about building a secure organization and sent me on a journey to find a better way.

My experience, it turns out, is tragically common.

The human element is consistently implicated in the vast majority of data breaches, with some reports attributing over 82% of incidents to human-related weaknesses.2

My company’s story was just one more data point in a mountain of evidence proving that our conventional approach was fundamentally broken.

B. The “Compliance Theater”: Why Our Perfect Score Meant Nothing

In the aftermath, I became obsessed with a single question: How could we have a 100% trained workforce and still be so vulnerable? The answer lay in the very nature of the system we had built.

We weren’t running a security program; we were staging what can only be described as “compliance theater”.4

Our primary objective, whether we admitted it or not, was to satisfy the mandates of auditors and regulators.

Our training program was designed to produce artifacts for compliance frameworks like the Federal Information Security Management Act (FISMA), HIPAA, or GDPR, not to genuinely change human behavior.1

Success was measured by completion rates and quiz scores—metrics that looked great on a report but had no correlation with real-world risk reduction.4

This “check-the-box” philosophy created a self-defeating cycle.7

To ensure auditable proof of compliance, we adopted standardized, annual modules.

Because this training had to be delivered to everyone, from the CEO to the summer intern, the content was generic and bland by necessity.

For our employees, this mandatory training was not a learning opportunity but a tedious chore—an annual interruption to their “real work” that had to be clicked through as quickly as possible.4

Motivation was driven by the stick of a compliance deadline, not the carrot of genuine understanding or skill acquisition.9

The psychological impact of this approach is profoundly damaging.

The core issue is a principle known as the “forgetting curve,” first identified by psychologist Hermann Ebbinghaus.

It demonstrates that memory fades over time, with the steepest drop in retention occurring almost immediately after learning.7

When security training is a one-off annual event, employees are likely to forget the vast majority of what they learned within weeks, if not days.

Critical details about spotting sophisticated phishing attacks or handling sensitive data never have the chance to move from short-term memory to ingrained habit.

Even more insidiously, this model can create a phenomenon called “moral licensing”.4

By completing the mandatory training, employees feel they have “done their part” for security.

This sense of accomplishment can paradoxically make them less vigilant.

Having checked the box, they may feel psychologically licensed to take shortcuts or be less cautious in their daily work, believing they are “covered” for the next twelve months.

In this light, our 100% completion rate wasn’t just meaningless; it may have actively contributed to a culture of complacency, creating a hidden psychological vulnerability beneath a veneer of compliance.

Our attempts to enforce vigilance through punitive measures, such as singling out employees who failed phishing tests, only made things worse.

This approach bred fear and resentment, discouraging people from reporting mistakes and creating an adversarial relationship between the security team and the very people we needed to empower.10

C. The True Cost of a Flawed Model

The initial ransomware payment was only the beginning of our financial hemorrhage.

The true cost of our flawed security model unfolded over months and years, a testament to the long tail of a major breach.

Industry data paints a grim picture that aligns perfectly with our experience.

The average cost of a data breach in the United States has soared past $8 million, with some reports placing it as high as $9.4 million.3

These are not one-time costs.

Studies show that while about two-thirds of breach-related expenses are incurred in the first year, a significant portion continues to drain resources for years afterward.11

Beyond the direct financial losses from remediation, legal fees, and regulatory fines for negligence, the damage to our intangible assets was immense.11

We lost invaluable intellectual property—trade secrets and product roadmaps that were the lifeblood of our competitive advantage.

But the most enduring damage was to our reputation.

Trust is the currency of modern business; it is painstakingly built and easily shattered.

The public disclosure of our breach led to a loss of customer confidence, increased insurance premiums, and intense public scrutiny.11

We learned the hard way that a press release assuring customers that “we take cybersecurity seriously” does little to mend a broken reputation.

We weren’t just a company that had been hacked; we were a company that had failed to protect its people and its partners, and that stigma was the most difficult cost to bear.

Part II: The Gardener’s Epiphany: Why We Were Watering Rocks

A. The Moment of Reframing

In the weeks following the breach, I was consumed by a search for answers, poring over after-action reports and industry analyses.

The breakthrough didn’t come in a boardroom or from a security conference.

It came on a quiet Saturday morning in my backyard.

As I was tending to my garden—weeding, pruning, checking the soil—I was struck by a powerful analogy.

My approach to cybersecurity had been all wrong.

I was treating my organization like a concrete patio, not a living garden.

I was dumping a year’s worth of “water” (our annual training) onto it once and expecting something to grow, then acting surprised when all I had was a wet, barren slab.

A healthy garden is a complex ecosystem.

It requires understanding the unique needs of each plant—the sun-loving tomatoes are treated differently from the shade-seeking ferns.

It demands consistent, tailored care—a little water every few days, not a flood once a year.

Most importantly, it requires actively cultivating the soil itself, enriching it with nutrients to create an environment where plants can thrive.

You cannot simply water the rocks and hope for the best.

This gardening analogy became the key that unlocked a new way of thinking.

My employees weren’t uniform, inanimate objects; they were individuals with different roles, different levels of technical skill, and different risk profiles.

Our one-size-fits-all, once-a-year training was the equivalent of watering rocks.

It was a futile, wasteful exercise that ignored the fundamental principles of growth and cultivation.

I realized we didn’t need to simply find a “better” training module.

We needed to abandon the concrete-slab model entirely and become gardeners, cultivating a resilient, living ecosystem of human defense.

B. Deconstructing the Old “Blueprint”: From Security to Awareness

My epiphany sent me back to the foundational documents that shape our industry, specifically the guidelines from the National Institute of Standards and Technology (NIST).12

In publications like SP 800-16 and SP 800-50, NIST provides a strategic framework for security programs.13

There, I found a critical distinction that most organizations, including my own, were completely ignoring.

NIST separates the learning continuum into three distinct concepts: Awareness, Training, and Education.14

  • Awareness is the “what.” Its goal is to change attitudes and help people recognize the importance of security. It’s delivered through posters, newsletters, and logon banners—its impact is designed to be short-term.
  • Training is the “how.” Its goal is to build skills and knowledge so people can perform their duties securely. It’s taught through practical instruction, hands-on practice, and workshops.
  • Education is the “why.” Its goal is to provide deep, theoretical understanding and insight, often for security professionals themselves.

The devastating realization was that our multi-million-dollar “training” program was, in fact, little more than an elaborate, high-cost “awareness” campaign.

We were telling people what the threats were—“phishing is bad,” “use strong passwords”—but we were failing to provide the practical, hands-on how in a way that built lasting skills.

Our program was stuck at the awareness level, yet we were expecting the outcomes of effective training.

It was like showing a gardener a glossy photo of a ripe tomato but never teaching them how to plant a seed, water the soil, or prune the vine.

This misalignment is the “Awareness Trap.” Organizations invest in programs that make people aware of risks but do not make them capable of defending against them.

This is because true training—skill-building—is harder, requires more frequent engagement, and is more difficult to scale in a one-size-fits-all model.

The solution, therefore, isn’t to create more posters or more frequent newsletters.

The solution is to fundamentally shift the goal from raising awareness to building measurable, resilient, and secure behaviors.

Part III: Cultivating the Human Firewall: A New Architecture for Human Risk Management

To escape the compliance trap and begin cultivating a healthy security culture, we needed a new architecture—one designed for continuous growth, not annual audits.

We called this new paradigm the “Human Firewall,” a framework built on the understanding that our people are not our weakest link, but our most critical line of defense.5

This represents a fundamental shift in philosophy, as summarized below.

| Attribute | The Old Model (Compliance Check-box) | The New Model (Human Firewall) |
| --- | --- | --- |
| Goal | Achieve 100% compliance and pass audits. | Measurably reduce human-related risk and build a resilient security culture. |
| Frequency | Annual or semi-annual event. | Continuous, ongoing rhythm of micro-learning and reinforcement. |
| Method | Generic, one-size-fits-all videos and quizzes. | Personalized, role-based, interactive simulations and “teachable moments.” |
| Metrics | Completion rates and quiz scores. | Behavioral change (phish-prone percentage, reporting rates, time-to-report). |
| Employee Role | Potential liability; the “weakest link.” | Empowered partner; the “first line of defense.” |
| Culture | Top-down, fear-based, and punitive. | Collaborative, positive, and based on shared responsibility. |
| Outcome | False sense of security; “compliance theater.” | A demonstrably more secure organization with an adaptive human defense layer. |

This new architecture is built on five interconnected pillars, each one mirroring an essential practice of good gardening.

Pillar 1: From Annual Event to Continuous Rhythm (Consistent Watering)

A garden dies without consistent watering.

Likewise, security skills wither without continuous reinforcement.

This pillar dismantles the ineffective annual training event and replaces it with a continuous rhythm of engagement.

Security is not a topic to be “covered” once a year; it is a practice to be honed daily.7

The implementation of this pillar involves a multi-faceted approach.

Instead of a single, overwhelming multi-hour session, the program delivers frequent, bite-sized micro-learning modules that can be completed in minutes.

These are complemented by regular, randomized phishing simulations—at least monthly—that keep vigilance high.10

Crucially, this model incorporates “just-in-time” training.

When an employee clicks on a simulated phishing link, they are immediately presented with a “teachable moment” that explains the red flags they missed.15

This immediate feedback, delivered at the moment of need, is exponentially more effective at changing behavior than a quiz taken months later.

The data overwhelmingly supports this shift.

Organizations that move to a continuous model see dramatic results.

Studies show that combining monthly (or more frequent) training with weekly phishing simulations can reduce the number of employees prone to clicking malicious links by up to 96%.15

Other analyses confirm that consistent security training can reduce overall security incidents by a remarkable 70% and cut successful phishing attacks and malware infections by up to 90%.2

The proven SANS Security Awareness Maturity Model is built on this very principle, providing a clear roadmap for organizations to evolve from a basic, compliance-focused program to one that achieves long-term, sustainable culture change.19

Pillar 2: Beyond Knowledge to Behavior (Teaching How to Grow)

A gardener’s success isn’t measured by how many books they’ve read about plants, but by the health and yield of their garden.

Similarly, the goal of a security program is not for employees to memorize facts, but to internalize secure behaviors until they become second nature.21

This pillar shifts the focus from abstract knowledge transfer to practical, measurable skill-building.

The core of this pillar is the use of high-quality, realistic simulations that go beyond simple link-based phishing tests.

These exercises should include attachment-based tests (which have the highest failure rates), data-entry simulations, and even voice phishing (vishing) and SMS phishing (smishing) scenarios to reflect the evolving threat landscape.15

These simulations must not be punitive.

They are safe environments for employees to practice their skills and learn from mistakes without real-world consequences.21

The goal is to create “teachable moments,” not “gotcha” tests.15

This is supplemented with interactive training modules that require active participation, decision-making, and critical thinking, rather than passive video-watching.3

This behavioral focus demands a revolution in metrics.

We must abandon vanity metrics like completion rates and instead track meaningful behavioral indicators.

Key performance indicators (KPIs) for a Human Firewall program include the organization’s overall “phish-prone percentage” and how it trends over time, the rate at which employees report suspicious emails, and the average time it takes for an incident to be reported.9

This shift is critical.

While research shows that 84% of security programs claim their goal is to change employee behavior, a staggering 43% do not regularly monitor these changes, revealing a massive gap between intent and execution that this model is designed to close.2

Pillar 3: Personalization Over a One-Size-Fits-All Mandate (Tending to Each Plant)

A gardener knows that you cannot give a cactus the same amount of water as a fern.

In an organization, different employees face vastly different risks.

A one-size-fits-all training mandate is not only inefficient but also a primary driver of employee disengagement.7

This pillar champions personalization, tailoring security guidance to an individual’s specific role, access level, and even their past performance.

Effective implementation requires a commitment to role-based training.

The security threats and responsibilities of an executive assistant with access to sensitive calendars and communications are vastly different from those of an operational technology (OT) engineer managing industrial control systems, or a software developer handling source code.8

Each needs targeted, relevant training that speaks to the unique risks they encounter in their daily work.24

The finance team needs deep training on invoice fraud and business email compromise, while the HR team needs to be an expert on scams involving candidate data.

Beyond roles, the system itself should be adaptive.

Modern training platforms can provide targeted, remedial training to individuals who repeatedly fail phishing simulations, giving them the extra support they need to improve.23

Conversely, employees who demonstrate strong security acumen can be offered more advanced content or invited to become “security champions” within their departments.

This approach respects employees’ time and intelligence by providing relevant information.10

The opportunity here is immense; industry surveys show that only a tiny fraction of organizations—around 7.5%—currently use adaptive training that adjusts content based on employee performance, making personalization a key differentiator for mature security programs.9

Pillar 4: From Fear to Partnership (Cultivating the Soil)

The most fertile soil for a garden is rich in nutrients and free of toxins.

The foundation of a strong Human Firewall is a positive, collaborative security culture, not one poisoned by fear and resentment.

This pillar is about transforming employees from being perceived as the “weakest link” to being embraced as empowered partners and our most valuable security asset—the true “first line of defense”.5

This cultural transformation begins with abandoning punitive tactics.26

Instead of shaming employees for mistakes, the program must celebrate and reward vigilance.

A critical step is implementing a simple, one-click email reporting tool (like Proofpoint’s PhishAlarm or similar features) that makes it effortless for employees to report suspicious messages.15

When employees use this tool, their actions should be acknowledged and praised, reinforcing the behavior and creating a positive feedback loop.27

The very language of the program must change: we conduct “learning opportunities” and “practice exercises,” not “tests” or “traps”.17

To foster genuine engagement, the training must also be made personally relevant.

By emphasizing how these security skills can protect not only the company but also the employees and their families from online fraud and identity theft, the program becomes a personal benefit, not just a corporate mandate.10

This positive framing is essential for buy-in.

A punitive approach creates a culture of concealment where employees hide mistakes, whereas a partnership approach creates a culture of vigilance where they feel safe to report them.

This is especially critical given that surveys reveal over half of users currently tend to ignore or delete potential email threats without reporting them, a behavior that a positive culture can reverse.25

The data on engagement is clear: 92% of employees report that workplace training positively impacts their commitment to their roles, making a positive security culture a powerful tool for both security and employee retention.2

Pillar 5: Leadership as the Keystone (The Gardener’s Commitment)

A garden cannot thrive through neglect; it requires the gardener’s unwavering commitment.

A Human Firewall program cannot succeed as a siloed IT initiative; it requires visible, vocal, and consistent support from the highest levels of leadership.

This pillar recognizes that executive buy-in is the non-negotiable prerequisite for building a lasting security culture.

Implementation starts with the security leader building a robust business case.

The program must be framed not as a cost center, but as a strategic investment in risk reduction, regulatory compliance, and operational resilience.10

Leaders respond to data, so the case should include industry benchmarks, statistics on breach costs, and the potential return on investment from effective training.2

Once secured, that buy-in cannot be passive.

Leaders must actively champion the program.

This means participating in the training themselves, communicating its importance in all-hands meetings, and integrating security into the core values of the business.

This active sponsorship is often the missing ingredient.

Surveys show that while most leaders are “supportive,” a staggering 70% are not “vocal” in their support, leaving the security team to push the initiative uphill alone.9

Securing C-level “air cover” is essential to give the program the authority it needs to succeed and to signal to the entire organization that security is truly everyone’s responsibility.10

The five pillars of the Human Firewall are not a menu of options to choose from; they form an interconnected, holistic system.

A continuous program (Pillar 1) will fail if the culture is punitive (violating Pillar 4), as employees will resent the constant testing.

A focus on behavior (Pillar 2) is ineffective without personalization (Pillar 3), because generic behaviors are not relevant to specific roles.

And none of it can be sustained without leadership commitment (Pillar 5).

This reveals that the Human Firewall is not an “application” to be installed, but a new “operating system” for managing human risk.

Attempting a piecemeal implementation—for example, buying a phishing tool but using it infrequently in a punitive way—is destined to fail because it violates the systemic integrity of the model.

The paradigm shift must be holistic.

Part IV: The Blueprint for Implementation: Your First 90 Days in the Garden

Translating this new paradigm from theory to practice can seem daunting.

The key is to approach it methodically, with a clear 90-day plan to build momentum and demonstrate early value.

This is how you begin cultivating your own Human Firewall.

A. Day 1-30: Preparing the Soil and Getting Buy-In

The first month is about understanding your current environment and securing the mandate for change.

  • Action 1: Baseline Assessment. Before you can show improvement, you must know your starting point. The first step is to conduct an unannounced, baseline phishing security test across the organization. This will provide you with a raw, unbiased “phish-prone percentage”—a powerful metric that quantifies your current vulnerability.10 Simultaneously, deploy culture and knowledge assessments to gauge employee attitudes toward security and identify specific knowledge gaps.19 This data provides the crucial “before” picture.
  • Action 2: Build the Business Case. Armed with your baseline data, you can now construct a compelling business case for leadership. Combine your internal phish-prone percentage with industry statistics on the staggering costs of a data breach 3 and the demonstrated return on investment of effective training programs.2 Frame the proposal not as an IT department expense, but as a strategic initiative to protect revenue, reduce legal exposure, and enhance operational resilience.10
  • Action 3: Form a Coalition. Change of this magnitude cannot be driven by one person. Identify and recruit potential “security champions” from various business units. Engage key stakeholders from HR and Corporate Communications early in the process. Their partnership is essential for crafting effective messaging and navigating the organizational bureaucracy that can stall even the best-laid plans.26

B. Day 31-60: Planting the First Seeds

The second month is focused on acquiring the right tools and launching the foundational elements of the program.

  • Action 1: Select Your Tools. Not all training platforms are created equal. Evaluate and select a modern security awareness training vendor whose platform is built to support the five pillars. Look for a comprehensive and frequently updated library of training content, robust simulation capabilities (phishing, vishing, etc.), deep personalization and automation features, and strong reporting and analytics.28 Leading providers like SANS, KnowBe4, and Proofpoint offer solutions that align with this model.15
  • Action 2: Launch the Foundational Program. Begin with a formal launch that introduces the new approach to the entire organization. This is your chance to reset the culture. Communicate the “why” behind the change, explicitly moving away from a punitive model and toward a collaborative partnership. Roll out the initial, foundational training modules that cover the basics for all users.
  • Action 3: Implement the Reporting Button. One of the most impactful first steps is to deploy a simple, one-click email reporting tool and integrate it into every employee’s inbox. Conduct a short training session dedicated solely to teaching people how and why to use this button. This single action is a powerful, tangible symbol of empowerment and a critical mechanism for turning your employees into a distributed threat detection network.15

C. Day 61-90: Establishing the Rhythm of Care

The third month is about establishing the continuous rhythm that will sustain the program long-term.

  • Action 1: Begin Continuous Campaigns. The annual event is dead. Launch your first monthly, randomized phishing simulation campaign. Concurrently, assign the first set of short, relevant micro-learning modules based on roles or departments.
  • Action 2: Measure and Communicate. The metrics you choose define your mission. Begin tracking the new behavioral KPIs: the phish-prone percentage, the number of suspicious emails reported by users, and trends over time. After 90 days, compare your new phish-prone percentage to the initial baseline you established in the first month. Create a simple, graphical report that visualizes this improvement and share these early wins with leadership and the wider organization. Celebrating progress is essential for building and maintaining momentum.10
  • Action 3: Gather Feedback. A garden is a living system that requires constant adjustment. Use pulse surveys and informal conversations with your security champions to gather feedback on the new program. What’s working? What’s not? Is the content engaging? Use this input to continuously refine and improve your approach. The program must be a living, breathing part of the organization, not a static plan.10
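As an added worked example (it is not code from the article, nor from any of the training vendors it names), the Python script below carries out the measurement and adaptation steps that Pillar 2 (behavioral KPIs), Pillar 3 (adaptive, role-based assignment) and the Day 61-90 “Measure and Communicate” action describe. It computes the phish-prone percentage, the report rate and the median time-to-report for each simulation campaign from a small event log, compares a monthly campaign against the Day 1-30 baseline, and derives a per-user training tier (remedial for repeat clickers, champion candidate for users who report and never click). The event records, the user roles, the module names and the two-click remediation threshold are constructed assumptions for illustration only.

```python
# Added example (not the article's own code): turn phishing-simulation event
# logs into the behavioral KPIs the Human Firewall model tracks, compare a
# monthly campaign against the Day 1-30 baseline, and derive adaptive,
# role-based training assignments per user. Event records, roles, module
# names and thresholds are constructed assumptions for illustration.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Dict, List, Optional


@dataclass
class SimEvent:
    campaign: str                    # "baseline" or a monthly campaign id
    user: str
    sent_at: datetime                # when the simulated phish was delivered
    clicked_at: Optional[datetime]   # user followed the simulated link
    reported_at: Optional[datetime]  # user pressed the one-click report button


# Assumed role -> training module mapping (Pillar 3, role-based content)
ROLE_MODULES = {
    "finance": "invoice-fraud-and-bec",
    "hr": "candidate-data-scams",
    "exec-assistant": "calendar-and-impersonation",
}
DEFAULT_MODULE = "core-phishing-basics"
USER_ROLES = {"alice": "finance", "bob": "finance", "carol": "hr",
              "dave": "engineering", "erin": "ops", "frank": "exec-assistant"}


def _t(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample log: the unannounced baseline test and one monthly campaign
EVENTS = [
    SimEvent("baseline", "alice", _t("2025-01-15 09:00"), _t("2025-01-15 09:04"), None),
    SimEvent("baseline", "bob",   _t("2025-01-15 09:00"), _t("2025-01-15 09:10"), None),
    SimEvent("baseline", "carol", _t("2025-01-15 09:00"), _t("2025-01-15 09:30"), None),
    SimEvent("baseline", "dave",  _t("2025-01-15 09:00"), None, _t("2025-01-15 09:05")),
    SimEvent("baseline", "erin",  _t("2025-01-15 09:00"), None, None),
    SimEvent("baseline", "frank", _t("2025-01-15 09:00"), None, None),
    SimEvent("2025-03", "alice", _t("2025-03-12 10:00"), _t("2025-03-12 10:03"), None),
    SimEvent("2025-03", "bob",   _t("2025-03-12 10:00"), None, _t("2025-03-12 10:08")),
    SimEvent("2025-03", "carol", _t("2025-03-12 10:00"), None, _t("2025-03-12 10:20")),
    SimEvent("2025-03", "dave",  _t("2025-03-12 10:00"), None, _t("2025-03-12 10:02")),
    SimEvent("2025-03", "erin",  _t("2025-03-12 10:00"), None, None),
    SimEvent("2025-03", "frank", _t("2025-03-12 10:00"), None, _t("2025-03-12 10:45")),
]


def campaign_kpis(events: List[SimEvent]) -> Dict[str, dict]:
    """Per campaign: phish-prone % (clicks / delivered), report rate %,
    and median minutes from delivery to report (None if nobody reported)."""
    grouped = defaultdict(list)
    for e in events:
        grouped[e.campaign].append(e)
    kpis = {}
    for name, evs in grouped.items():
        delivered = len(evs)
        clicked = sum(1 for e in evs if e.clicked_at is not None)
        minutes = [(e.reported_at - e.sent_at).total_seconds() / 60
                   for e in evs if e.reported_at is not None]
        kpis[name] = {
            "delivered": delivered,
            "phish_prone_pct": round(100 * clicked / delivered, 1),
            "report_rate_pct": round(100 * len(minutes) / delivered, 1),
            "median_minutes_to_report": round(median(minutes), 1) if minutes else None,
        }
    return kpis


def phish_prone_delta(kpis: Dict[str, dict], current: str, baseline: str = "baseline") -> float:
    """Change in phish-prone percentage points relative to the baseline campaign."""
    return round(kpis[current]["phish_prone_pct"] - kpis[baseline]["phish_prone_pct"], 1)


def assign_training(events: List[SimEvent], roles: Dict[str, str] = USER_ROLES,
                    repeat_click_threshold: int = 2) -> Dict[str, dict]:
    """Adaptive assignment: a role-based module for everyone, a remedial tier
    for repeat clickers, and a champion-candidate tier for users who reported
    at least once and never clicked. Users who neither click nor report stay
    on the standard track because the log says nothing about their judgement."""
    clicks, reports = defaultdict(int), defaultdict(int)
    for e in events:
        if e.clicked_at is not None:
            clicks[e.user] += 1
        if e.reported_at is not None:
            reports[e.user] += 1
    plan = {}
    for user, role in roles.items():
        if clicks[user] >= repeat_click_threshold:
            tier = "remedial"
        elif clicks[user] == 0 and reports[user] > 0:
            tier = "champion-candidate"
        else:
            tier = "standard"
        plan[user] = {"role": role, "module": ROLE_MODULES.get(role, DEFAULT_MODULE), "tier": tier}
    return plan


if __name__ == "__main__":
    k = campaign_kpis(EVENTS)
    for name, metrics in k.items():
        print(name, metrics)
    print("phish-prone change vs baseline:", phish_prone_delta(k, "2025-03"), "points")
    for user, p in assign_training(EVENTS).items():
        print(user, p)
```

In a real deployment the event records would come from the simulation platform's export rather than an inline list; the point of the script is that every number in the Day 61-90 report (the baseline comparison, the rising report rate, the shrinking time-to-report) is computed from observed behavior, and that the same log drives who gets remedial content and who is invited to become a security champion.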

Part V: The Future-Proof Defense: A Garden for All Seasons

A. Adapting to Evolving Threats

The greatest strength of the Human Firewall is not its ability to defend against yesterday’s threats, but its resilience in the face of tomorrow’s.

The cybersecurity landscape is evolving at a breakneck pace.

The rise of generative AI is making phishing and social engineering attacks more sophisticated, personalized, and difficult to detect than ever before.7

Deepfake audio and video are moving from science fiction to a tangible threat for telephone-oriented and video-call-based attacks.

These emerging threats have one thing in common: they are designed to bypass technical filters and exploit human psychology.

A traditional training model that teaches employees to spot specific red flags from last year’s attacks is doomed to fail.

The Human Firewall, by contrast, is uniquely suited to this challenge.

Its focus is not on memorizing a static list of rules, but on cultivating a baseline of critical thinking, cautious vigilance, and ingrained secure habits.

It teaches people how to think about security, empowering them to question the unusual, verify requests through separate channels, and trust their instincts—skills that are effective against any form of social engineering, no matter how novel.

B. The Human Firewall as a Competitive Advantage

Ultimately, cultivating a Human Firewall is about more than just defense.

It is a strategic investment that becomes a competitive advantage.

An organization with a robust security culture is fundamentally more resilient.

It suffers fewer disruptions, protects its intellectual property more effectively, and builds deeper trust with its customers and partners.

In a world where a single breach can destroy a brand’s reputation, this trust is an invaluable asset.11

Furthermore, investing in your people’s skills and fostering a positive, collaborative culture pays dividends in employee engagement and retention.

Research shows that the vast majority of employees—as many as 94%—report they would stay longer at a company that invests in their learning and development.2

Providing high-quality security training that also protects them in their personal lives is a powerful way to demonstrate that commitment.

Other studies have found that organizations providing necessary training see a tangible increase in productivity as employees become more confident and capable of navigating challenges.2

C. Final Narrative Anchor

My journey began with the smoldering wreckage of a “best practice” security program.

The gardening epiphany taught me that our people are not a liability to be managed, but a living ecosystem to be cultivated.

The garden is never “done.” It requires constant, patient, and thoughtful attention.

There will always be new weeds to pull and new seasons to prepare for.

But a well-tended garden is resilient, productive, and a source of immense pride.

Likewise, a well-cultivated Human Firewall is not a project with an end date.

It is a living, breathing, and thriving part of the organization—a human defense that is adaptive, engaged, and ready for whatever comes next, allowing the business to grow safely and confidently in any season.

Works cited

  1. SANS Security Awareness, accessed on August 10, 2025, https://www.cisecurity.org/services/cis-cybermarket/sans-security-awareness
  2. 2025 Security Awareness Training Stats and Trends – Keepnet, accessed on August 10, 2025, https://keepnetlabs.com/blog/security-awareness-training-statistics
  3. How to Improve Employee Engagement in Security Training, accessed on August 10, 2025, https://www.phinsecurity.com/blog/improve-sat-engagement
  4. Why Most Security Awareness Training Is Actually Making You Less …, accessed on August 10, 2025, https://medium.com/deeptempo/why-most-security-awareness-training-is-actually-making-you-less-secure-5f4770d8f4e0
  5. What Is a Human Firewall? Meaning | Proofpoint US, accessed on August 10, 2025, https://www.proofpoint.com/us/threat-reference/human-firewall
  6. Is security awareness training that important? : r/cybersecurity – Reddit, accessed on August 10, 2025, https://www.reddit.com/r/cybersecurity/comments/1gtjvtt/is_security_awareness_training_that_important/
  7. Why Your Organization’s Security Awareness Training Isn’t Working …, accessed on August 10, 2025, https://www.upguard.com/blog/security-awareness-training-isnt-working
  8. Why Annual Cyber Security Training Isn’t Enough Anymore – Your IT Department, accessed on August 10, 2025, https://www.your-itdepartment.co.uk/why-annual-cyber-security-training-isnt-enough/
  9. Security Awareness Training Statistics: USA 2025 – Infrascale, accessed on August 10, 2025, https://www.infrascale.com/security-awareness-training-statistics-usa/
  10. Security Awareness Training – KnowBe4, accessed on August 10, 2025, https://www.knowbe4.com/security-awareness-training
  11. 6 Risks of Not Conducting Continuous Cybersecurity Training | Aries Security, accessed on August 10, 2025, https://www.ariessecurity.com/6-risks-of-not-conducting-continuous-cybersecurity-training/
  12. Awareness, Training, Education (ATE) | NIST, accessed on August 10, 2025, https://www.nist.gov/programs-projects/awareness-training-education-ate
  13. SP 800-50, Building an Information Technology Security Awareness and Training Program, accessed on August 10, 2025, https://csrc.nist.gov/pubs/sp/800/50/final
  14. NIST SP 800-12: Chapter 13: Awareness, Training and Education – CSRC, accessed on August 10, 2025, https://csrc.nist.rip/publications/nistpubs/800-12/800-12-html/chapter13.html
  15. What Is Security Awareness Training? Tools, FAQs, & More | Proofpoint US, accessed on August 10, 2025, https://www.proofpoint.com/us/threat-reference/security-awareness-training
  16. Human firewalling – KPMG International, accessed on August 10, 2025, https://kpmg.com/us/en/articles/2023/human-firewalling.html
  17. Combatting the Security Awareness Training Engagement Gap – CybeReady, accessed on August 10, 2025, https://cybeready.com/combatting-the-security-awareness-training-engagement-gap/
  18. KnowBe4 Research Confirms Effective Security Awareness Training Significantly Reduces Data Breaches, accessed on August 10, 2025, https://www.knowbe4.com/press/knowbe4-research-confirms-effective-security-awareness-training-significantly-reduces-data-breaches
  19. Security Awareness Training – SANS Institute, accessed on August 10, 2025, https://www.sans.org/for-organizations/workforce/security-awareness-training
  20. Why Choose SANS for Your Security Awareness Program?, accessed on August 10, 2025, https://www.sans.org/security-awareness-training/why-sans/
  21. Is Traditional Security Training Enough? Cracking the Code on Human Behavior – HumanFirewall, accessed on August 10, 2025, https://humanfirewall.io/rethinking-cybersecurity-training/
  22. AT-2: Security Awareness Training – CSF Tools, accessed on August 10, 2025, https://csf.tools/reference/nist-sp-800-53/r4/at/at-2/
  23. 7 Weaknesses of Security Awareness Training – cyberconIQ.com, accessed on August 10, 2025, https://cyberconiq.com/blog/7-weaknesses-of-security-awareness-training/
  24. What is a Human Firewall? Definition, Examples & More – StrongDM, accessed on August 10, 2025, https://www.strongdm.com/what-is/human-firewall
  25. Organizations do not Provide I.T. Security Awareness Training – Hornetsecurity, accessed on August 10, 2025, https://www.hornetsecurity.com/en/blog/security-awareness-survey-2024/
  26. Security Awareness: Boring Training Is Ineffective Training – SecureWorld, accessed on August 10, 2025, https://www.secureworld.io/industry-news/security-awareness-boring-training-ineffective
  27. What is a Human Firewall? Examples, Strategies + Training Tips – Hoxhunt, accessed on August 10, 2025, https://hoxhunt.com/blog/human-firewall
  28. Top Security Awareness Training Competitors & Alternatives 2025 | Gartner Peer Insights, accessed on August 10, 2025, https://external.pi.gpi.aws.gartner.com/reviews/market/security-awareness-computer-based-training/vendor/global-learning-systems/product/security-awareness-training/alternatives