LmCast :: Stay tuned in

Same Old Security Problems: Cyber Training Still Fails Miserably

Recorded: Nov. 21, 2025, 1:02 a.m.

Original

Editors from Dark Reading, Cybersecurity Dive, and TechTarget Search Security break down the depressing state of cybersecurity awareness campaigns and how organizations can overcome basic struggles with password hygiene and phishing attacks.

Tara Seals, Managing Editor, News, Dark Reading
November 20, 2025
Source: Dark Reading

It's a story we've all heard before, yet somehow, we keep living it. Despite years of cybersecurity awareness campaigns, training sessions, and technological advances, the same fundamental security challenges continue to plague organizations worldwide. This past October, during Cybersecurity Awareness Month 2025, three seasoned cybersecurity journalists, from Dark Reading, TechTarget Search Security, and Cybersecurity Dive, came together to examine a frustrating reality: We're still fighting the same battles we were fighting decades ago. Their candid discussion in this month's "Reporters Notebook" reveals why password hygiene remains poor and phishing attacks keep working, even as we pour resources into awareness programs that seem to miss the mark.

Dark Reading's poll during Cybersecurity Awareness Month painted a sobering picture — nearly 30% of companies are still clinging to those familiar 8-character passwords with their mandatory mix of uppercase letters, numbers, and special characters. You know the ones: the passwords that expire every 90 days and drive everyone crazy. Meanwhile, security experts have been advocating for passphrases like "my cat clarinet loves Sam" for years now, following NIST's guidance that longer, memorable phrases are exponentially harder to crack than complex short passwords — but only 17% of respondents are adopting that approach. And sure, organizations are slowly adopting single sign-on solutions (34%) and password vaults (21%), but far too many remain trapped in password policies that feel more like digital archaeology than modern security.

The phishing problem hits particularly close to home when you realize it's not just everyday employees falling for these tricks. Research from SiteGuarding recently uncovered a startling truth: 64% of executives — the very people setting security policies — have clicked on phishing links themselves. Even more concerning, 17% of them never bothered to report it, despite their own company policies requiring disclosure. With AI making phishing emails increasingly sophisticated and personalized, we're witnessing an escalating arms race where attackers are getting better at exploiting human psychology faster than we can train people to recognize phishing threats. It's become less about spotting obvious red flags and more about navigating increasingly convincing digital deceptions.

Perhaps most disheartening is the revelation that our well-intentioned security training programs might actually be making things worse. Studies stretching back to 2008 show that traditional awareness training — those annual sessions we all sit through, plus the "gotcha" moments when someone clicks a test phishing email — doesn't actually reduce click rates. In fact, it sometimes creates a false sense of security that leads to more risky behavior. The problem isn't that people don't understand that phishing is dangerous; it's that cybersecurity experts have been designing training programs focused on delivering knowledge rather than changing behavior. As one behavioral psychologist told Cybersecurity Dive, these programs fundamentally misunderstand how humans actually make decisions, treating security awareness like a technical problem rather than a deeply human one.

Reporters Notebook – Full Video Transcript

This transcript has been edited for clarity.

Dark Reading's Tara Seals: Hi, everybody. Thank you for joining us for this edition of Reporter's Notebook. I am Tara Seals, managing editor for news at Dark Reading, and I am here with representatives from our sister publications. We are all part of the cybersecurity media group at Informa TechTarget. Sharon and Eric, would you like to introduce yourselves, please? Sharon, you can go first.

TechTarget Search Security's Sharon Shea: Hi, I'm Sharon Shea. I am the executive editor on TechTarget Search Security and happy to be joining today to talk about Cybersecurity Awareness Month.

Cybersecurity Dive's Eric Geller: And I'm Eric Geller, senior reporter at Cybersecurity Dive. Happy to be here as well.

DR's Tara Seals: Great. Thank you for joining me. I really appreciate it. Today we are going to break down what we found out from Cybersecurity Awareness Month, October 2025. We had a full court press in terms of covering some news stories that have to do with password hygiene and falling for phishing and things like that. And I know Sharon, your group also looked into maybe why some of those things keep happening. And then Eric, I know you did a deep dive into why user awareness training isn't really taking and some things that companies might be able to consider to turn that around. So maybe as a framing device, I might just say that Dark Reading did run a poll during the month that was very interesting. It was asking about what kind of password protocol companies and enterprises were using and they had different options. One was just your classic strong password, certain number of characters, letter number, uppercase, lowercase, that kind of thing. And then the other was pass phrases. So something like, "mydogRoverSunday25." Another one was single sign-on, which is actually becoming more and more common obviously, where you just use your corporate credentials and it just automatically logs you into related AD applications. And then finally we asked about password vaults. That was the fourth option, password vaults and also hardware tokens. So basically advanced super-strong security. And sadly too many companies are still stuck in the 20 to 15 year ago craze for eight-digit passwords that include a special character and a number. So that's kind of unfortunate. I think it was close to 30% that said that and then that was matched pretty closely by single sign-on actually (34%). So that [SSO percentage] was a little bit encouraging. And then after that we had phrase passwords and then after that was vaults. So I think these are things that we've been talking about for a very, very long time from a password hygiene perspective, and companies just don't seem to be adopting it. And then on the phishing front, what we found through our coverage is phishing still works and obviously in the age of AI it's becoming more and more convincing and people are falling for it. More and more commonly, it's that cat/mouse, arms-race kind of situation where we're a little bit at a stalemate situation. We have pretty strong defenses, but the bad guys are pretty good at getting through them. So Sharon, what did you find when you started to delve into some of your Search Security evergreen content around those?

TTSS's Sharon Shea: It's actually a great point. I appreciate the point you made about the pass phrases. This is something that we've been publishing a lot of information on lately and we did an update to our email security best practices. I think it was six or seven years ago that NIST actually did away with the complexity requirements and said let's go for making it longer and easy to remember, but hard to guess. And that's where the pass phrases can come in. I did a test in one of our articles about putting them into the Guess Your Password tool, one of those ones online, and it was something like "mycatclarinetlovesSam" and it took like septillion years to guess or something like that to hack. So I mean pass phrases are definitely better and we're seeing an uptick in guidance toward them. So that was a big one too. Beyond that, phishing: I updated an article on phishing and it's surprising, besides adding in a little bit about AI, it's a lot of the same stuff. We're really saying know what to look for. I know attacks are becoming more targeted and they're definitely becoming more sophisticated, but we're definitely using a lot of the same guidance. Just don't click it. If you're worried about it, don't click it. And then in reading some [survey results], 64% of executives admitted to clicking phishing links, and 17% never reported it, even though they're supposed to report it. So it was a lot of the same guidance, but folks are still falling for it.

DR's Tara Seals: Well, and it's interesting too, because I was talking to one of my sources and they were saying that at their company, they don't even require yearly training anymore. They just have resorted to, you can't even get to your applications for the day until you answer a few user awareness questions. It was a CISO for a soccer club over in Europe. And he was saying that it's especially good because they have a range of different types of employees that do different things. I mean, some of these people are just working in retail at the stadium and stuff like that. And so they might have a quiz or they might have just snackable little things that they have to accomplish before they can log in for the day. And he seemed to think that that was an effective way to go about user awareness, maybe more effective than your big giant annual trainings, which is what we have here at our company. Eric, what did you find? Because I know you did kind of a deep dive on this.

CD's Eric Geller: I looked at a bunch of studies that have tried to understand how effective these security awareness training programs are. And these studies date back, in the case of the ones I looked at, to 2008. I'm sure they go back further than that as well. But one of the things I found in more recent studies and literature reviews was these trainings don't actually decrease people's click rates. People still click on phishing tests and simulated malicious emails at high rates, even after they take the training. In fact, in some cases, these trainings can actually make people overconfident, so they click more phishing links because they think they've been trained, they understand the risks and they go out into the world thinking that they have a better understanding than they actually do. And so that really drives home this question of what can organizations do if they want to make their employees more resilient? And one of the things that these studies are finding is it's not doing your traditional maybe twice a year phishing program. And it's also not giving people lessons when they click a phishing link, telling them you fell for it, here is some information that you should know going forward. The studies call that embedded training because it's embedded in the message that you get when you fail the test.

DR's Tara Seals: It's also kind of shaming at that point. It's like, ah, you failed. That's not necessarily constructive.

CD's Eric Geller: Absolutely. And I talked to a behavioral psychologist who focuses on the psychology of cybersecurity in terms of how we train people to do the things that are safest for them in their organization. And one of the things he said was this fear-based, shame-based model, not only has it not worked, but it runs counter to everything we know about behavioral psychology in terms of not just telling people phishing is bad, be on the lookout for phishing, but actually making them want to be better and training them to have not just the knowledge that phishing is bad, but the attitudes and the behaviors that will help prevent them from being victims. So that's another major thing from the research that I studied: some of these training programs, they're really focused on training knowledge, not shaping behavior. And what you really want is that end product of changing behavior. But the programs are designed to just deliver knowledge and there's a disconnect there because knowledge is a precursor to behavior, but it's not the same thing. So that was one of the big findings from this research: the way that they're set up is not actually efficient at changing people's behavior.

DR's Tara Seals: That's pretty fascinating. And so Sharon, I mean what are your thoughts on that? I mean does that kind of dovetail with what you've been seeing and some of the things that you've collated?

TTSS's Sharon Shea: Yes, one of our authors, Damon Garn, wrote a tutorial about how to use Gophish, which is a phishing simulation tool. And really a lot of the emphasis on it was "Don't use this to get mad at your employees," "Don't use this to tell them what they're doing wrong." It's really a way to [see if] maybe it's time to do a personalized training for a certain team or a certain group, if they see consistencies among different users and employees, to know exactly where things need to be updated. And I know we had an article a while back and I don't have the name of the author, but they were really talking about the reaction and kind of this click word where it was like people just click, they don't think about it before they click. So you really need that behavioral psychology part put into trainings.

DR's Tara Seals: For sure. I mean, so bottom line, what do we think? So like new day, same problems basically at this point, do we see a way to move the needle going forward potentially? Are people catching on?

TTSS's Sharon Shea: It's hard to say absolutely. And we keep hearing gamification and making trainings better and more fun. And I mean, honestly, we haven't seen it happen. Maybe it is at some companies, but these hour-long trainings, they aren't cutting it.

DR's Tara Seals: Eric, final thoughts? What do you want to wrap up on?

CD's Eric Geller: One of the things I heard from the reports I read and also the folks I talked to was you need to understand the root causes of the risky behavior so that you can develop training that actually, again, changes behavior, not just delivers knowledge. So going back to the idea of behavioral psychology and why people do things that are not in their best interests and how you can help them make better decisions. You have to think about what will encourage them to do the right thing, not just what will scare them about doing the wrong thing. So that goes back to this idea of trying to get away from shame and scare tactics, and the behavioral psychologist I talked to, who actually wrote an op-ed for Dark Reading a few years ago about this problem, was saying essentially all of these models are built based on a flawed understanding of how human beings operate. And that's probably explained by the fact that these training programs aren't developed by scientists. They're not developed by people who have expertise in behavioral psychology; they're developed by cybersecurity experts who don't generally understand the sort of human factors side of things. They don't generally understand what drives people. All they know is the outcomes, and we've got to prevent these bad outcomes. But in order to do that, you have to understand people and why they act the way they do.

DR's Tara Seals: 100%. OK, guys. So that concludes this edition of Reporter's Notebook. Thank you Eric Geller from Cybersecurity Dive, Sharon Shea from TechTarget Search Security. And I am Tara with Dark Reading. Thank you very much and catch us next time.

About the Author
Tara Seals, Managing Editor, News, Dark Reading
Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Summarized

Despite decades of cybersecurity awareness campaigns, training sessions, and technological advancements, the same fundamental security challenges continue to plague organizations worldwide. In October 2025, three seasoned cybersecurity journalists—from Dark Reading, TechTarget Search Security, and Cybersecurity Dive—came together to examine this frustrating reality: we’re still fighting the same battles we were fighting decades ago. This discussion, captured in Dark Reading’s “Reporters Notebook,” reveals why password hygiene remains poor and phishing attacks keep working, even as we pour resources into awareness programs that seem to miss the mark.

A recent Dark Reading poll during Cybersecurity Awareness Month painted a sobering picture—nearly 30% of companies are still clinging to those familiar 8-character passwords with their mandatory mix of uppercase letters, numbers, and special characters. These are the passwords that expire every 90 days and drive everyone crazy. Yet, security experts have been advocating for passphrases like “my cat clarinet loves Sam” for years, following NIST’s guidance that longer, memorable phrases are exponentially harder to crack than complex short passwords—but only 17% of respondents are adopting that approach. Furthermore, organizations are slowly adopting single sign-on solutions (34%) and password vaults (21%), but far too many remain trapped in password policies that feel more like digital archaeology than modern security.
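To make the length-versus-complexity argument concrete (raised in the article above and restated in this summary), the following added example compares the legacy 8-character composition rule with a length-first rule and estimates how long an exhaustive search of each would take. It is example code, not from the Dark Reading article or from NIST; the guess rate, dictionary size, 15-character floor and blocklist are assumed values.

```python
"""Compare a legacy composition policy with a length-first policy and estimate
the exhaustive-search effort for each. Added example; the guess rate, dictionary
size and 15-character floor are assumptions, not figures from the page."""

import re

ASSUMED_GUESSES_PER_SECOND = 1e10     # assumption: offline cracking throughput
ASSUMED_DICTIONARY_SIZE = 10_000      # assumption: size of the attacker's word list
SECONDS_PER_YEAR = 365.25 * 24 * 3600
PRINTABLE_ASCII = 95                  # 26 lower + 26 upper + 10 digits + 33 symbols


def legacy_policy_ok(password: str) -> bool:
    """The composition rule the poll found ~30% of companies still using:
    at least 8 characters with lower, upper, digit and special character."""
    return (len(password) >= 8
            and re.search(r"[a-z]", password) is not None
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[0-9]", password) is not None
            and re.search(r"[^A-Za-z0-9]", password) is not None)


def length_first_policy_ok(password: str, blocklist: frozenset, min_len: int = 15) -> bool:
    """NIST-style rule: a length floor plus a common/breached-password blocklist,
    no composition requirements. The 15-character floor is an assumed local choice."""
    return len(password) >= min_len and password.lower() not in blocklist


def alphabet_size(password: str) -> int:
    """Alphabet implied by the character classes actually present (brute-force model)."""
    size = 0
    if re.search(r"[a-z]", password): size += 26
    if re.search(r"[A-Z]", password): size += 26
    if re.search(r"[0-9]", password): size += 10
    if re.search(r"[^A-Za-z0-9]", password): size += 33
    return size


def brute_force_candidates(password: str) -> int:
    """Strings to enumerate for an exhaustive character-level search."""
    return alphabet_size(password) ** len(password)


def wordlist_candidates(word_count: int, dictionary_size: int = ASSUMED_DICTIONARY_SIZE) -> int:
    """Candidates when the attacker guesses concatenations of dictionary words.
    For a passphrase this is the realistic model: strength scales with the
    number of words and the dictionary size, not with character length."""
    return dictionary_size ** word_count


def years_to_exhaust(candidates: int, rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the assumed rate."""
    return candidates / rate / SECONDS_PER_YEAR


def compare(complex_pw: str, passphrase: str, passphrase_words: int) -> dict:
    """Years to exhaust each choice under the models that matter for it."""
    return {
        "complex_brute_force": years_to_exhaust(brute_force_candidates(complex_pw)),
        "passphrase_brute_force": years_to_exhaust(brute_force_candidates(passphrase)),
        "passphrase_wordlist": years_to_exhaust(wordlist_candidates(passphrase_words)),
    }


if __name__ == "__main__":
    # Constructed inputs: a legacy-style password and the page's own passphrase example.
    legacy_pw, phrase = "Summer!5", "mycatclarinetlovesSam"
    blocked = frozenset({"password123", "summer!5"})
    print("legacy policy accepts:", legacy_policy_ok(legacy_pw), legacy_policy_ok(phrase))
    print("length-first policy accepts:", length_first_policy_ok(legacy_pw, blocked),
          length_first_policy_ok(phrase, blocked))
    for model, years in compare(legacy_pw, phrase, passphrase_words=5).items():
        print(f"{model:>24}: {years:,.2e} years")
```

Note that the legacy rule rejects the passphrase for lacking a digit and a symbol while accepting the far weaker 8-character string, and that the passphrase's real margin depends on the word-list model, not on its character count.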

The phishing problem is particularly concerning, and it’s not just everyday employees falling for these tricks. Research from SiteGuarding recently uncovered a startling truth: 64% of executives—the very people setting security policies—have clicked on phishing links themselves. Even more concerning, 17% of them never bothered to report it, despite their own company policies requiring disclosure. As the threat landscape evolves, particularly with the rise of AI making phishing emails increasingly sophisticated and personalized, we’re witnessing an escalating arms race where attackers are getting better at exploiting human psychology faster than we can train people to recognize phishing threats. It’s become less about spotting obvious red flags and more about navigating increasingly convincing digital deceptions.

Perhaps most disheartening is the revelation that our well-intentioned security training programs might actually be making things worse. Studies stretching back to 2008 show that traditional awareness training—those annual sessions we all sit through, plus the “gotcha” moments when someone clicks a test phishing email—don’t actually reduce click rates. In fact, they sometimes create a false sense of security that leads to more risky behavior. The problem isn’t that people don’t understand that phishing is dangerous; it’s that cybersecurity experts have been designing training programs focused on delivering knowledge rather than changing behavior. As one behavioral psychologist told Cybersecurity Dive, these programs fundamentally misunderstand how humans actually make decisions, treating security awareness like a technical problem rather than a deeply human one.

A key part of the problem is that these programs focus on disseminating knowledge rather than changing user behavior, so they fail to produce the changes they are meant to drive. The researchers involved recognize that, to be effective, a user's interaction with security must be more than an awareness lesson.

Ultimately, the journalists observe a cyclical nature to the problem, where training programs are created, implemented, and then fail to address the root causes of risky behavior, leading to continued vulnerabilities and a reliance on reactive measures. The findings suggest a need for a fundamental shift in approach—moving beyond simply informing users about risks and towards strategies that directly influence behavior and foster a more security-conscious mindset.