Legacy Security Awareness Training Doesn’t Reduce User Risk

Why Legacy Security Training Fails — and What Modern Risk Reduction Looks Like

Dune Security

As cyber threats grow more sophisticated — fueled by AI and targeting human behavior — traditional security awareness training is no longer enough. Organizations need a smarter, user-focused approach that not only identifies individual risk but actively reduces it in real time.

90% of breaches still begin with human behavior. Employees are manipulated into clicking malicious links, sharing credentials, or approving fraudulent requests that often lead to costly compromises. For attackers, exploiting people is faster, cheaper, and more scalable than exploiting code.

With AI, the threat has escalated. Attackers can now automate the entire attack chain – from reconnaissance to breach. They scrape public data to map org charts, identify high-value targets, and craft tailored lures. These lures arrive across phishing emails, SMS smishing, collaboration platforms, encrypted messaging apps, voice vishing and even deepfake videos.

Today’s campaigns are user-adaptive. Cross-channel. Persistent. And devastatingly effective – especially as AI scams constantly iterate, becoming more convincing and harder for employees to detect than ever.

Legacy Security Awareness Training Is Broken

Despite billions of dollars spent on Security Awareness Training (SAT), the one-size-fits-all model has failed to meaningfully reduce user risk or prevent enterprise breaches.

A study of nearly 20,000 employees at UC San Diego Health underscores the problem. Over eight months, researchers ran simulated phishing campaigns and compared outcomes against when employees last completed mandatory training. The findings: no meaningful correlation between training recency and phishing failure. More than 75% of employees spent under one minute on training pages, and up to half closed them immediately. Boxes were checked – but risk remained unchanged.

For executives, the message is clear: legacy awareness programs don’t reduce risk or deliver real threat protection. Training completions and click-rate reports create an illusion of progress but fail to deliver the visibility leaders need to manage exposure. They leave boards and CISOs unable to answer fundamental questions:

  • Which users hold the most risk?
  • Where are they most vulnerable? (email, collaboration tools, mobile, etc.)
  • Which users carry the greatest potential business impact if compromised?
  • Why are these individuals at risk? (behavior, role, access, patterns)
  • Are interventions actually changing behavior over time?

Without this visibility, security teams are stuck running manual campaigns and cybersecurity compliance exercises, while attackers scale adaptive, multi-channel pressure with automation. What looks like progress on paper is, in practice, wasted time and unmanaged risk.


One-Size-Fits-All Security = Higher Risks and Costly Outcomes

At the user level, readiness is equally concerning. Training modules feel burdensome, irrelevant to day-to-day work, and disconnected from real threats. Legacy SAT treats every employee the same, delivering generic content at fixed intervals and measuring completions instead of behavior change. The result is wasted time and money, limited risk reduction, and growing friction between security teams and the workforce. CISOs issue training mandates; employees skip through them. High-risk users remain exposed, while low-risk users are pulled from productive work. Compliance is achieved, but protection is not.

Just as doctors diagnose before prescribing treatment, security teams need user-level risk intelligence before they can reduce exposure. Without visibility into who is vulnerable and why, interventions miss their mark and risk remains unaddressed.

The Future: Tailored, Strategic Security That Reduces User Risk

Legacy SAT isn’t just outdated – it’s structurally misaligned with today’s adaptive, AI-driven threats that move fluidly across channels and persist until they succeed. Real defense demands tailored strategies that reflect each user’s role, access, and behavior.

The path forward is readiness at the user layer. At Dune Security, we built a model designed for today’s and tomorrow’s threat landscape. Our User Adaptive Risk Management solution automatically prevents insider threats and social engineering by simulating multi-channel attacks, scoring user risk, and adapting training and remediation in real time. High-risk users get targeted, effective interventions, while low-risk users regain time to focus on business-critical work.

This enables CISOs to do what legacy SAT can’t: comprehensively quantify and individually reduce user risk, aligning security with both organizational resilience and workforce productivity.
