2025年全球信息安全意识与培训研究报告

2025Security

Awareness

and

TrainingGlobal

ResearchReport3Methodology4ExecutiveSummary5TrainingWorks;ButtheWorkIsNever

Done7

AIIsReinforcingtheValueofSecurityAwarenessandTraining13ExternalThreatsAreDrivingAdoption,ButInternalRisks

AreaGrowingConcern20OrganizationsAreSeeingRealResultsFromSecurity

AwarenessandTraining26DespiteMakingGains,MoreTraining

Is

Needed31Conclusion32

AboutFortinetF

RTInETTrainingInstitute

Fortinet2025SecurityAwarenessandTrainingGlobalResearchReport2ContentsSizeofCompany100-499employees

21%500-999employees20%1,000-2,499employees

22%

2,500-4,999

employees

19%

5,000+employees

19%Gender63%ofrespondentswere

male37%ofrespondentswerefemaleRoleType9%heldOwner

positions30%held

C-Level

Executive

positions6%heldVicePresident

positions14%held

HeadofDepartment

positions

17%held

Director

positions24%held

Manager

positionsTopThreeBusinessSectors:Manufacturing

15%Financial

Services

13%Professional

Services

and

Technology

12%•

Argentina•

Australia•

Brazil•

Canada•

Colombia•

France•

Germany•

Hong

Kong•

India•

Indonesia•

Israel•

Italy•

Japan•

Mainland

China•

Malaysia•

Mexico•

Netherlands•

New

Zealand•

Philippines•

Singapore•

SouthAfrica•

South

Korea•

Spain•

Sweden•

Taiwan•

Thailand•

United

Arab

Emirates•

United

Kingdom•

UnitedStates

ofAmericaThefindingsinthisreportarebasedonresponsesobtainedthroughonlineinterviewswith1,850seniorITsecuritydecision-makers.TheinterviewswereconductedbySapioResearchinNovember2025.Responseswereobtainedfrom29locations:Total

respondents:1,850Asia-Pacific

30%Europe,

Middle

East,and

Africa

27%

Latin

America22%North

America22%F

RTInETTrainingInstitute

Fortinet2025SecurityAwarenessandTrainingGlobalResearchReport3MethodologyOverallresultsare

accurateto±2.3%at

a

95%

confidence

limit.External

threats

aredrivingadoption•

41%of

respondents

say

theyhaveadoptedsecurityawareness

andtrainingtodefendagainstexternalthreats—downfrom

52%in

2024.•

51%see

data

security

as

themostimportantawarenessandtrainingtopic,followedbydataprivacy

(43%)and

AI-based

toolsandthreats

(41%).•

34%say

personnel

limitationswerethe

main

reasontheydidnot

implement

securityawarenessandtrainingsooner.Organizations

are

seeingreal

results

from

securityawareness

and

training•

67%of

organizations

reportmoderateorsignificantreductionsin

intrusions,incidents,andbreaches

since

implementingtraining.•

53%measure

trainingeffectivenessintermsofreduced

securityincidents.Othertopmeasuresincludeemployeefeedback

(52%)and

securityaudits

(50%).•

88%of

organizations

providetailoredtrainingtodifferent

groupsofemployees.ExecutiveSummaryAI-basedthreatshaveledemployeestoseethevalueofcybersecurityawarenessandtrainingina

new

light.Organizationsreportreal,measurableresultsfromtraining

efforts,though

mostfeel

that

even

more

training

is

needed

todefendagainstevolvingcyber

risks.AIisreinforcingthevalueofsecurityawarenessandtraining•

88%of

organizations

say

AIuse

by

badactorshas

helped

employeesseewhyawareness

andtrainingmatter.•

53%of

organizations

trainemployeesontheappropriateuse

of

generative

AI

(GenAI)toolsandmonitoror

blockthesharing

ofsensitiveinformation.•

96%of

respondents

say

they

areintheprocessof

researchingand

implementingasecuritypolicyfor

using

AI

apps

and

other

tools.Despitemakinggains,more

is

needed•

95%of

decision-makers

believethatmoresecurityawarenesswouldhelpreducecyberattacks.•

69%of

leaders

feel

employeesstilllacksecurity

awareness.•

26%say

employees

who

seesecurityasimportantdon’talways

actaccordingly.F

RTInETTrainingInstitute

Fortinet2025SecurityAwarenessandTrainingGlobalResearchReport4The

2025Security

Awareness

and

Training

GlobalResearchReportreinforcestwokeyfindingsfromthe

pastcoupleofyears:thatorganizationssee

knowledge

andskillsascrucialtocyberdefense,

andthattraining

mustadaptcontinuallyasthreatsand

risks

evolve,especiallywhenAIis

involved.Our2025findings

show

that

organizations

continue

to

see

security

awarenessandtrainingasimportantandthatexternalthreatsare

stillthemainmotivatorforundertakingsecurityawareness

andtrainingprograms.Astheyhaveinpreviousyears,leaders

remain

committedto

security

awarenessandtraining,recognizingtheneedand

buildingit

intocorporatepriorities.Yetmanycontinuetofeelthattheirworkforces

areunpreparedtofendoffcyberthreats,despiteconcertedefforts

toraiseawarenessandprovidesecuritytraining.Thefollowingpagesexplorepossiblereasonsforthismindset,fromthe

constant

evolutionofthreatstoratesoftrainingcompletion,toissueswith

trainingcontent.In2025,we

broadened

the

scope

of

our

Security

Awareness

andTrainingsurvey,askingnewquestionsanddivingdeeper

into

areassuchaspreferredtrainingmodalities,howorganizationsare

measuring

theeffectivenessoftraininginitiatives,andemployeeperceptionsof

cybersecurityasasharedresponsibility.Wealsoaddedanewsectionto

the

report—first

introduced

in

our

2025Cybersecurity

Skills

Gap

Global

Research

Report—Taking

Action.

Inthissection,wesharetheperspectivesofFortinetexperts

as

they

respondtothesurveyfindings,theirimplications,andthepotentialactionsthatorganizationsmighttakein

response.INTRODUCTIONTrainingWorks;

ButtheWork

Is

Never

DoneF

RTInETTrainingInstitute

Fortinet2025SecurityAwarenessandTrainingGlobalResearchReport5are

highlytrainedand

ready

to

identify,avoid,

and

report

AI-basedcyberthreats.Fewer

than

half

(40%)

ofrespondentssay

employees Fortinet2025Security

Awareness

and

Training

Global

Research

Report6securityawarenesstraining.Yetdespitebeinghighlyawareofthe

rising

threatofAI,leadersaren’tespeciallyconfidentthattheiremployeesare

equippedtomeet

it.Just40%of

survey

respondents

consider

their

employees

to

be

highlytrainedandreadytoidentify,avoid,andreportAI-basedcyberthreats

inthe

next12months.Fifty-eight

percent

(58%)describe

their

employeesasbeingeithermoderatelyor

slightly

prepared.A

silver

lining

is

that

only

a

very

small

portion

of

leaders

(2%)believetheiremployeesarenotatallready

tofaceAI-driventhreats.Asorganizationscontinuetoadopt

AI

tools—and

asthreatactorsincreasinglyuseAIfor

malicious

purposes—

employeesandleadersrecognizethedualneedforgreater

awarenessofAIrisksandmoretraininginhowto

dealwith

those

risks.The

overwhelming

majority

(88%)of

respondents

to

our2025

surveysaythatthegrowinguseofAIby

badactors

has

either

somewhat

or

significantlyinfluencedemployeeperspectivesontheimportanceofAI

Is

ReinforcingtheValueof

SecurityAwareness

and

TrainingF

RTInETTrainingInstitute

Fortinet2025SecurityAwarenessandTrainingGlobalResearchReport7SignificantlyincreasedemployeeperceptionofitsimportanceSomewhatincreasedemployeeperceptionofitsimportance

Nochangeinemployeeperceptionof

its

importance

Somewhatdecreasedemployeeperceptionofitsimportance

Significantlydecreasedemployeeperceptionofitsimportance8%3%1%47%41%MostrespondentssayknowledgeofAIthreatshas

either

significantly

or

somewhat

increased

employee

perceptions

oftheimportanceofsecurityawarenessandtraining.HowAIhasaffectedemployeeperceptionsofsecurityawarenessandtrainingF

RTInETTrainingInstitute

Fortinet2025SecurityAwarenessandTrainingGlobalResearchReport8TheAI

Alarm

BellAItoolsneedtobesecuredThemajorityarealsotakingstepsto

manage

AItoolsecurity:•

96%of

respondents

indicated

that

theirorganization

either

has

measures

in

place

or

isin

the

process

of

researching

or

implementingmeasurestotestandvalidatethesecurityofdeployedAIandlarge

language

model(LLM)tools.

(Ofthat96%,68%

have

alreadyimplemented

such

measures.)•

96%have

implemented

or

are

in

the

processofimplementingsecuritypoliciesfor

GenAIapps

and

other

AI

tools.AItrainingadoptionisfairlyconsistentacrossorganizationsofallsizesAItrainingadoptionisbroadly

similar

across

companiesofallsizes,witha

modest

uptickamong

organizations

with5,000+employees.•

5,000+employees—57%•

2,500to4,999employees—55%•

1,000to2,499employees—52%•

500to999employees—49%•

100to499

employees—52%AIuseneedsto

be

managedOrganizationsaretakingconcretestepstomanage

employee

AI

use,including:•

Training

employees

on

how

to

use

AI

toolsproperly

(53%)•

Usingtechnologiestomonitoror

block

thesharingofsensitiveinformationwith

AItools

(53%)•

Implementing

policies

for

AI

tool

use

(48%)•

Maintaining

authorized

app

lists

(45%)53%of

organizations

trainemployeeson

proper

use

of

GenAI

tools.DIGGING

DEEPEROrganizationsareactingto

safeguard

againstAI

risksF

RTInETTrainingInstitute

Fortinet2025SecurityAwarenessandTrainingGlobalResearchReport9Asia

Pacific

51%Europe,

Middle

East,and

Africa

37%Latin

America

49%North

America

53%NorthAmericaismostconfidentaboutdealingwith

AIthreatsMorerespondentsin

NorthAmericasayemployees

are

trained

andreadytoidentify,avoid,andreportAI-basedcyberthreatsoverthenext

12months

than

in

any

other

region.Region

Employees

are

trained

and

ready

for

AI-basedcyberthreats

over

the

next12monthsAsia

Pacific

88%Europe,

Middle

East,and

Africa

83%Latin

America

83%North

America91%Regional

HighlightsAI-drivensecurityawarenessvariesbyregion,with

Europe,theMiddleEast,andAfricabeingthelowest

Workers

in

North

America

are

most

likely

to

see

security

awareness

and

training

as

important

due

to

the

growing

malicious

use

of

AI.AsiaPacificorganizationsarethemostlikelytotrainusersonAItoolsWhilenoregionreportsespecially

high

usertrainingonAI

tools,AsiaPacific

leads

the

way

at59%.Latin

America

is

the

only

region

to

comeinat

lessthan

50%.F

RTInEt

Training

Institute

Fortinet2025SecurityAwarenessandTrainingGlobalResearchReport10

Region

AI

threats

have

led

employees

to

valuesecurity

awareness

and

training

Employees

and

users

are

trained

in

the

proper

use

of

AI

toolsEurope,

Middle

East,andAfrica50%本报告来源于三个皮匠报告站（）,由用户Id:349461下载,文档Id:1266999,下载日期:2026-06-18NorthAmerica51%LatinAmerica49%Asia

Pacific59%Organizations

are

still

very

much

at

the

learning

stagewhenitcomestomanagingAI-relatedrisks.

Forexample,fewerthanhalf

(42%)

ofthosesurveyedsaytheyhavetoolsto

monitoremployee

AI

use.AItrainingisneededThis

can

be

done

in

several

ways,

including

byholding

AI

training

more

regularly

and

providing

briefrefreshersessions,

or

by

offeringmicrolearningoron-demandresourcesas

requiredbyemployeestostay

current

on

evolvingAIthreatsandbest

practices.GuidanceonAIuse

isalso

requiredItisimportanttoprovide

up-to-dateAIguidanceandpoliciesthathelp

employeesunderstandandfollowthebestpracticesfor

using,selecting,andengagingwithAIvendors

andthird-partyAItechnologyproviders.Suchguidanceshouldclearlyoutlinedata

typesandclassificationlevels,provide

information

securityandlegal/privacycriteria,and

list

approvedAIvendorsandproviders.AIgovernancepoliciesneed

continuousmonitoringImplementingpoliciesaloneis

notenough

in

theever-changingworldofAI.Organizations

mustalsomonitorand

revisitthose

policies

continuouslytokeep

pacewith

shifts

intechnologyandregulations.F

RTInETTrainingInstitute

Fortinet2025SecurityAwarenessandTrainingGlobalResearch

Report11TakingAction

driverfor

adopting

security

awarenessand

training.41%

of

organizations

sayexternalthreatswerethe

core

Fortinet2025Security

Awareness

and

Training

Global

Research

Report12Respondents

list

personnel

limitations

(34%),

budget

constraints

(19%),and

other

security

priorities

(18%)as

their

top

reasons

for

not

adoptingsecurityawarenessandtrainingpreviously.The

main

prioritiesthattendtopushsecurityawarenessandtrainingto

the

backburner

areoperationalandproductionefficiencyinitiatives

(47%),other

trainingand

development

(44%),digital

transformation

and

technology

upgrades(43%),cybersecurity

and

data

protection

(42%),and

infrastructure

andITmodernization

(41%).For

many

organizations

(51%),data

security

continues

to

be

the

mostimportantsecurityawarenessandtrainingtopic,followed

bydataprivacy

(43%),and

AI-based

tools

and

threats

(41%).

This

priority

seemsto

be

reflected

in

the

types

of

training

that

are

delivered,

with

50%

ofrespondents

reporting

training

on

data

security,43%on

data

privacy,and42%on

AI-based

tools

and

threats.Potentialthreats,past

breaches,and

breachesinthe

same

industrywerethebiggestmotivatorsofincreased

securityawareness

and

training

in2025

(41%).This

is

down

from52%theyearbefore,thoughtheadditionof

new

options

relatedtointernaldriverscouldaccountforthedecline.Twenty-seven

percent(27%)of

respondents

say

they

adopted

securityawarenessandtrainingtoprotectfrom

insider

risks.

Insider

risksincludecorporatesponsorships,pastor

potentialinsider

breaches,andconcernsthatinternaluserscould

contribute

to

a

data

breachor

disclosure.This

is

a

jump

from

just4%

in2024

which

suggestsorganizationsaremoreattunedtoinsider

risks—and

see

them

asaddressable

with

greater

awareness

training,though

the

addition

of

new

insider

risk

options

within

the

survey

may

account

for

the

dramatic

jump.ExternalThreatsAre

DrivingAdoption,

But

Internal

RisksArea

Growing

ConcernF

RTInETTrainingInstitute

Fortinet2025SecurityAwarenessandTrainingGlobalResearchReport13

51%

48%43%41%41%NA34%38%33%NA

27%

28%

29%NA

30%28%28%28%

23% 20%ReportingIncidentsandSuspiciousActivityMobileDevice

SecurityRemoteWorkSecurityRole-SpecificTrainingPhysicalSecurityRisk

From

InsidersSocialEngineeringOtherNoneoftheAboveDataSecurityData

PrivacyAI-BasedToolsandThreatsProtectionAgainstMalwareand

RansomwareCloudandApplicationSecurityEmailSecurityInformationSecurityConceptsPasswordProtectionandSecurity

ManagementPhishing‚Smishing,andVishingAwarenessMulti-FactorAuthenticationTheadditionofnewoptionstothelistin

2025shifted

someyear-over-yearweightings,

but

data

security

and

data

privacy

are

still

seen

as

the

two

mostimportanttopicstobecoveredbyawareness

programsand

security

training.Mostimportanttopicstocover

23%NA

17%

22%

18%

15%

16%

12%

16%NA

17%

16% 11%

13%0%0%0%0%Toptopicsforsecurity

awareness

andtrainingF

RTInETTrainingInstitute

Fortinet2025SecurityAwarenessandTrainingGlobalResearchReport14

2025

2024DataSecurityData

PrivacyAI-BasedToolsandThreatsProtectionAgainstMalwareandRansomware

CloudandApplicationSecurity

EmailSecurityInformationSecurityConcepts

PasswordProtectionandSecurity

Management

Phishing‚SmishingandVishingAwareness

Multi-FactorAuthenticationReportingIncidentsandSuspiciousActivityMobileDeviceSecurity

RemoteWorkSecurity

Role-SpecificTraining

PhysicalSecurityRiskFrom

Insiders

SocialEngineering

OtherNoneoftheAboveThetopicstrainedoninsecurityawarenessclearlyalignwiththekeytopics

that

need

to

be

covered.Topics

trained

on

in

the

past12months

31%

28%

28%

26%

26%

23%

23%

21%

15%0%0% 50%

43%

42% 37%

36%F

RTInETTrainingInstitute

Fortinet2025SecurityAwarenessandTrainingGlobalResearchReport1534%34%34%Satisfactionwithtrainingis

generallyhigh85%of

decision

makers

say

they’re

somewhatorverysatisfiedwiththeircurrent

securityawareness

training

solution

(86%in

2024),thoughsomehave

reservations:•

Ofthosenotsatisfied,thetopconcernwasmissing

important

topics

(28%,new

in

2025).•

Othersourcesofdissatisfaction

areunengaging

content

(21%)and

multilingualavailability/language

support

(18%,newin

2025).•

Athirdnewoption,rankingfourth,was“content

is

not

easy

to

understand”

(13%).Supportforsecuritytraining

iswidespreadResponses

in2025about

support

for

trainingremain

in

line

with

2024:•

88%of

employees

see

security

awarenessand

training

positively

(86%in

2024).•

95%of

corporate

leaders

support

securityawarenessandtrainingtoacertainor

largeextent

(96%in

2024).•

ITleaders

(56%)andsecurity

leaders

(51%)

arethetopchampionsofsecurityawarenessandtraining,followed

byCEOs

(41%)andCTOs

(33%)—allinline

with

2024.DIGGING

DEEPERLeadersandemployeescontinueto

seevalue

in

security

awareness

andtrainingNewtrainingtopicsrankhighlyWhenidentifyingthemostimportantsecurity

awarenessandtrainingtopics,respondents’

choicesincludedthefollowingnewoptions

in

2025:•

AI-based

tools

and

threats

(41%)•

Cloud

and

application

security

(33%)•

Information

security

concepts

(29%)•

Reportingincidentsandsuspiciousactivity

(23%)•

Physicalsecurity

(16%)88%of

employees

seesecurityawareness

and

training

positively.F

RTInETTrainingInstitute

Fortinet2025SecurityAwarenessandTrainingGlobalResearchReport16OrganizationsinNorthAmericaaremostsatisfied

withtheircurrentsolutionRespondentsinotherregionsarelikelierto

say

they

had

some

dissatisfactionwiththeircurrentsecurityawarenessandtrainingsolutions.SatisfactionwithcurrentawarenessandtrainingsolutionLimitedpersonnelisasignificantobstacleto

adoptioninAsiaPacificOrganizationsintheAsiaPacificregionwere

much

moreinclined

to

citehumanresourceconstraintsasthetopreasonfor

not

adopting

securityawarenessandtrainingsooner.Thethreatofabreachisatopmotivator

in

Europe,

theMiddleEast,andAfrica,andin

LatinAmericaNorthAmericanrespondentswereleastlikelytosaytheyadopted

securityawarenessandtrainingoutofconcernaboutbreaches.Awarenessandtrainingaremotivated

by

the

threat

of

a

breach

17%

19%

19%

13%Limitedpersonnelresourcesinhibited

awarenessandtrainingadoption

40%

28%

32%

33%F

RTInEt

Training

Institute

Fortinet2025SecurityAwarenessandTrainingGlobalResearchReport17

RegionAsia

PacificEurope,

Middle

East,andAfrica

LatinAmerica

NorthAmericaRegionAsia

PacificEurope,

Middle

East,andAfrica

LatinAmerica

NorthAmericaRegional

HighlightsEurope,

Middle

East,andAfrica82%NorthAmerica91%LatinAmerica81%Asia

Pacific85%Previoussecurityawarenessandtrainingsurveyshaveshownconsistentlythatquality

trainingcontentmatters—andisimportanttoorganizations.Yetthatdoesn’tnecessarily

mean

all

organizations

have

a

clear

sense

ofwhat“quality”looks

like.Qualitytrainingneedstobe

relevantandeffectiveRelevantcybersecuritytrainingaddressesthe

risks

that

users

face

in

real

life

and

emphasizesthe

biggestandpotentially

most

harmfulthreats.Quality

training

uses

scenarios,

media,

andinteractiveelementstoengagelearnersandaccommodatedifferentlearningstyles;is

deliveredinmultiplelanguages;

and

provides

theinformationandeducation

requiredtoteachallstudentshowto

recognize,assess,

andrespondtothreats.MeasurementiscriticalLearningshouldbe

measuredwithassessmentsandtests.Trackcompletionsas

wellas

behaviorchanges,suchas

phishingclickrates,securitytooluptake,

and

the

numberofincidents.TimingmattersTimingandtimelinessarealsoimportant.Deliver

training

regularly—at

short

intervals,not

just

once

a

year—and

reinforce

it

withreminders,simulations,and

microlearning.Updatetrainingregularlytomatchchanges

in

technology,policies,and

threats,and

toensurenew,important,and

high-prioritytopicsaren’t

missed.CyberawarenessisculturalThegoalofawarenessandtraining

is

notjusttoinform:Itisto

effect

change

and

build

acultureofsecurity

awareness.

This

goalshouldextendthroughouttheorganizationfromleadershipondown.Organizationsshould

encouragetheiremployeestoseesecurityawarenesstrainingasatoolthathelpsthem

protectthemselvesandthecompanyrather

thanacomplianceboxthat

must

bechecked.F

RTInETTrainingInstitute

Fortinet2025SecurityAwarenessandTrainingGlobalResearchReport18TakingAction

seena

reduction

in

intrusions,incidents,and

breaches

since

implementingtraining.67%of

organizations

have

Fortinet2025Security

Awareness

and

Training

Global

Research

Report19An

encouraging

insight

from

our2025survey

is

that

manyorganizations

are

using

a

mix

of

indicators

to

measure

theeffectiveness

of

security

awareness

and

training,with

a

clear

majority(67%)saying

they’ve

seen

a

corresponding

declinein

intrusions,incidents,and

breaches.The

mostcommon

measureoftrainingeffectiveness

is

reducedsecurityincidents

(53%).Alsocommonare

employee

feedback(52%),and

security

audits

(50%).Slightly

lower

but

still

significant,

42%ofrespondentssaytheyevaluate

effectiveness

bytracking

the

completionrateforsecurityawarenessand

training.

This

has

some

interestingimplications,

becauseonly6%oforganizations

report100%training

completion.Just

over

half

(56%)

report

completion

ratesgreater

than70%,which

is

the

mean

average.Theselower-than-100%completionrates

may

hold

partof

thekey

as

to

why,despite

corporate

efforts,

many

leaders

(69%)

stillfeelemployeeslackcybersecurityawareness

(a