June 22, 2026

Security Awareness: How to Turn Employees into the First Line of Defense Against Cyberattacks

Cybersecurity awareness programs fail if they focus solely on compliance. We need to turn employees into allies in the fight against threats.

In 2025, INCIBE handled 122,223 cybersecurity incidents, a 26% increase from the previous year. Four out of every ten incidents were related to online fraud, a type of threat in which the human element is essential.

However, according to data from the INE, only 20% of Spanish companies provide mandatory cybersecurity training to their employees. Even more concerning is the fact that, according to the European Commission, 74% of companies in the European Union have not conducted any training or awareness-raising activities in this area.

Behind these figures lies a misconception that needs to be corrected: treating employees as the weak link in the chain rather than as the first line of defense.

Employees are involved in many incidents because they are the target of attacks specifically designed to influence their behavior. Blaming them for falling for these attacks is like blaming the victim of a scam for being deceived… when no one has taught them how to recognize it. The key to security awareness is not to downplay human error, but to build the systems, processes, and organizational culture that enable employees to fulfill that role effectively.

Compliance is not the same as learning

Many awareness initiatives focus on documenting that training has taken place, rather than on verifying whether behaviors have changed. The classic example is mandatory annual training followed by a final test. The employee takes the course, passes the assessment, and the company obtains the evidence it needs for audits. Everyone fulfills their obligations. But that doesn’t mean they’ve learned anything.

Furthermore, an increasing number of incidents are caused by third parties with access to internal systems: the hidden risk posed by vendors, partners, and other external parties is that they handle credentials and data without having undergone any equivalent awareness training program. For this reason, it is becoming increasingly common to require these third parties to meet the same minimum standards that apply internally (training, reporting channels, and credential reviews) as a condition included in the contract.

Regulatory pressure reinforces this approach. The implementation of NIS2 not only raises cybersecurity requirements but also increases the need to demonstrate that the measures taken are effective. It is no longer enough to simply have a training program; organizations must show that it helps improve detection and response capabilities. And that requires a complete rethinking of the approach to security awareness.

From One-Time Training to Lifelong Learning

In many companies, reporting a cybersecurity incident involves opening a ticket, filling out forms, and facing the fear of having made a mistake. The more friction there is in that process, the less information reaches the teams responsible for handling it. Streamlining that process often simply requires creating a direct reporting channel (a button in an email or a chat channel) with an explicit guarantee that reporting a suspicion that turns out to be a false alarm will have no consequences.

This can be reinforced with microlearning platforms that deliver short, frequent security training content, rather than lengthy, infrequent courses. This content should be tailored by role so that the risk scenarios match the specific functions of each department (finance, HR, etc.).

Similarly, implementing gamification strategies, publicly recognizing employees who detect real threats, or appointing “Security Champions” within each department can turn collaboration into motivation, encouraging a proactive attitude among the entire workforce.

Reminders, practical examples, and discussions with the team help round out this ongoing training. Middle managers play a key role: something as simple as spending two minutes during the weekly meeting to discuss an actual fraud attempt can do more to reinforce a culture of security than any campaign.

How to Measure Whether Awareness Campaigns Are Effective

Many companies continue to evaluate their security awareness programs based on quantitative metrics. For example, a decrease in the percentage of employees who interact with simulated phishing emails may appear to be a sign of progress. But that does not necessarily reflect a change in behavior, and it does not by itself show that the company will be able to respond resiliently to a threat.

That is why the most mature companies pay attention to other indicators: the increase in spontaneous reports of suspicious emails, the time that elapses between the detection of a threat and its internal communication, or employees’ perception of their own ability to take action. These are more objective and revealing indicators than the click-through rate in a simulation. Reviewing these indicators on a quarterly basis with team leaders—using phishing simulation or awareness management tools, which are becoming increasingly widespread—allows organizations to identify trends before they turn into problems.

The next step is to integrate these awareness platforms with Security Information and Event Management (SIEM) systems. Cross-referencing user-generated alerts with perimeter detection data makes it possible to measure real-time incident notification, connecting the human element with the technical infrastructure.

As a result, awareness is no longer just a compliance activity but becomes a metric included in the company's risk dashboard.

Security Awareness at Cyber Security World 2026

How to design an organizational and training system that turns employees into a true first line of defense will be one of the topics of discussion at Cyber Security World 2026, taking place on November 4 and 5, 2026, at IFEMA. As part of Tech Show Madrid, the largest technology event for businesses in Southern Europe, the conference brings together more than 3,600 professionals, 40 exhibitors, and 60 experts to share success stories, analyses, and perspectives on the challenges that are redefining security.

The Cyber Security World 2026 agenda will cover topics ranging from AI-based security to Zero Trust models, including the protection of cloud and hybrid environments and risk management in increasingly complex organizations. Attendees will be able to learn firsthand about real-world implementation cases, compare approaches with other security leaders, and take away concrete strategies for turning the human factor into an ally in the face of threats.
