Harnessing Agentic AI To Supercharge Security Awareness Training

By Erich Kron, Security Awareness Advocate, KnowBe4

Security awareness training has been steadily gaining traction and momentum as organizations have come to understand that cyberattacks mostly stem from the actions of their own employees (e.g., clicking on phishing links, downloading malicious files, failing to use strong passwords). Despite a lot of in-house training, almost half (46%) of employees still struggle with phishing emails.

Common Mistakes That Dampen Security Training

Conventional cyber awareness programs may fall short in certain areas.

One-size-fits-all: Most training programs are generic, offering the same content to all individuals regardless of their role, skill level, or prior knowledge. This lack of personalization can lead to disengagement and ineffective learning.

Outdated content: Training programs may fail to keep pace with the evolving threat landscape – content isn’t regularly updated to reflect the latest threats like AI-generated phishing attacks, or coercive synthetic media such as deepfakes, leaving users unprepared to defend against modern cyber risks.

Absent real-world context: Conventional training rarely simulates real-world scenarios, making it difficult for people to apply what they’ve actually learned in practice. This gap between theory and application can leave organizations vulnerable to attacks.

Lack of consistent feedback: Without timely and actionable feedback, individuals may not understand their mistakes or learn how to respond and improve. This can result in repeated errors and a false sense of security.

Limited user context: Basic metrics used to assess user performance, such as click-through rates or completion percentages, lack depth when they are not analyzed in the context of an employee’s background, learning history, job role, cyber maturity level, or other factors. Without such granular understanding, organizations cannot measure a program’s true educational efficacy or tailor it to address specific worker behaviors or risks.

What Is Agentic AI And How Can It Enhance Cyber Training Programs? 

So-called agentic AI refers to artificial intelligence systems that exhibit a high degree of autonomy and adaptability. Unlike conventional AI, which follows predefined rules and operates within the specific scope defined by its training models, agentic AI can learn, reason, and make independent decisions in dynamic environments. These systems are capable of understanding context, predicting outcomes, and taking actions to achieve specific goals. In the context of security awareness training (SAT), agentic AI can serve as a virtual coach, a mentor, or even a simulated adversary, providing employees with real-time feedback, personalized learning paths, and immersive experiences. One agentic AI program can even be directed by another agentic AI program.

There are a number of ways in which agentic AI can enhance SAT programs:

Personalized learning: Agentic AI can analyze an employee’s role, skill level, and learning history to create customized programs tailored to individual needs. AI can also generate intelligent quizzes based on an organization’s specific security and compliance policies.

Contextual and targeted training: Agentic AI can analyze each user’s learning history, job role, risk score, behavior patterns, susceptibility to specific threats, and factors such as location or language to automatically deliver the most relevant and targeted content tailored to the individual. 

Adaptive learning: AI agents can adapt to an employee’s progress, adjusting the difficulty and focus of the training as needed. If an employee consistently performs well in identifying phishing emails, the AI might introduce more complex attacks or shift focus to other areas, such as password security or data protection. This approach ensures that users are always challenged and maximizes the effectiveness of training.

Dynamic template generation: AI agents can dynamically generate training templates based on the latest scams and social engineering tactics. This ensures that employees are always learning about the most current threats, creating a more relevant and up-to-date training experience.

Continuous monitoring and feedback: AI agents can continuously track employee behavior, interactions, and responses during training sessions and offer real-time feedback and guidance. This proactive monitoring and nudging can help organizations address security concerns quickly and ensure employees receive timely feedback, thereby boosting cyber awareness and practices.
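One concrete shape the adaptive-learning and feedback rules above can take, as an added Python example that is not KnowBe4’s code: the learner’s attempt history drives the choice of the next topic and difficulty, and each decision carries the coaching message the learner would see. The topic list, the 1-3 difficulty scale and the three-pass streak threshold are assumptions chosen for the illustration.

```python
"""Adaptive training-path selector for a security awareness program.
Added example, not KnowBe4's code: the topic list, the 1-3 difficulty scale
and the three-pass streak rule are assumptions made for illustration."""
from dataclasses import dataclass

TOPICS = ("phishing", "passwords", "data_protection")
MAX_DIFFICULTY = 3       # assumed scale: 1 = basic, 3 = advanced
STREAK_TO_ADVANCE = 3    # consecutive passes needed before raising the level


@dataclass(frozen=True)
class Attempt:           # one exercise or simulated phish the learner answered
    topic: str
    difficulty: int
    passed: bool


def attempts_on(history, topic):
    return [a for a in history if a.topic == topic]


def current_level(history, topic):
    """Highest difficulty the learner has reached on a topic (1 if none)."""
    return max((a.difficulty for a in attempts_on(history, topic)), default=1)


def pass_rate(history, topic):
    done = attempts_on(history, topic)
    return sum(a.passed for a in done) / len(done) if done else 0.0


def next_module(history):
    """Return (topic, difficulty, feedback) for the learner's next exercise:
    a streak of passes raises the level; a mastered topic hands focus to the
    weakest other topic; otherwise keep practising, with coaching after a miss."""
    if not history:
        return TOPICS[0], 1, "no history yet: start with the first topic at level 1"
    topic = history[-1].topic
    level = current_level(history, topic)
    recent = [a for a in attempts_on(history, topic) if a.difficulty == level]
    recent = recent[-STREAK_TO_ADVANCE:]
    streak = len(recent) == STREAK_TO_ADVANCE and all(a.passed for a in recent)
    if streak and level < MAX_DIFFICULTY:
        return topic, level + 1, f"{STREAK_TO_ADVANCE} passes in a row: harder {topic} exercises"
    if streak:
        weakest = min((t for t in TOPICS if t != topic), key=lambda t: pass_rate(history, t))
        return weakest, current_level(history, weakest), f"{topic} mastered: shift focus to {weakest}"
    if not history[-1].passed:
        return topic, level, f"missed the last {topic} exercise: repeat level {level} with coaching"
    return topic, level, f"keep practising {topic} at level {level}"
```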

User Benefits of Agentic AI-Powered Cyber Awareness Training

Lower training fatigue: Agentic AI can make security training more engaging and less overwhelming by delivering bite-sized knowledge refreshers at optimal intervals. This reduces information overload, ensures that security awareness becomes part of the daily routine and improves learning retention without causing fatigue.

Enhanced user experience and learning: AI agents can boost employee enthusiasm and engagement by offering interactive, gamified, and scenario-based learning. This makes the training experience more enjoyable, immersive and effective, improving retention of best practices while fostering a culture of cyber awareness and vigilance.

Deep behavioral insights: AI can track and analyze user behavior during training programs to identify patterns, strengths, and weaknesses, allowing for more targeted interventions, such as hands-on coaching, and improved results.

Agentic AI is transforming security training by making it more personalized, targeted, and effective. By addressing the limitations of conventional training, it equips employees with the skills and knowledge needed to combat modern cyber threats. As organizations face increasingly sophisticated attacks, agentic AI offers a modern and scalable solution to build a resilient, security-conscious workforce.

About the Author

Erich Kron is Security Awareness Advocate for KnowBe4, the world-renowned cybersecurity platform that comprehensively addresses human risk management with over 70,000 customers and more than 60 million users. A 25-year veteran information security professional with experience in the medical, aerospace, manufacturing and defense fields, he was a security manager for the U.S. Army’s 2nd Regional Cyber Center-Western Hemisphere and holds CISSP, CISSP-ISSAP, SACP and other certifications. Erich has worked with information security professionals around the world to provide tools, training and educational opportunities to succeed in information security.

LinkedIn: https://www.linkedin.com/in/erichkron/
