Colleges and universities face significant cybersecurity threats, including phishing attacks and risks associated with the exposure of sensitive data. Institutions manage large amounts of sensitive personal, academic, and financial information, making them particularly attractive targets for cybercriminals. The open nature of campus environments increases vulnerability, but robust security awareness training can significantly reduce these risks.
CampusCISO has gathered cybersecurity capability data from over 200 college and university assessments, providing peer benchmarking insights to support informed institutional decision-making.
This guide analyzes metrics for security awareness training programs in higher education, providing insights to assist campus leaders in comparing their training programs to broader trends. It covers completion rates, training frequency, and techniques for gauging training effectiveness, and it offers recommendations to help institutions evaluate and enhance their security awareness programs.
Understanding the current landscape of security awareness training helps institutions benchmark their programs against broader trends, identify opportunities to strengthen programs, and reduce cybersecurity risk. This section summarizes the adoption of security training programs in colleges and universities, emphasizing areas of strength and identifying critical gaps.
Most U.S. higher education institutions have adopted some level of security awareness training. A 2023 survey by EDUCAUSE showed that 94% of institutions have security awareness training programs in place. These programs are mandatory at 90% of institutions, and 71% integrate them into new employee onboarding (Burns, Robert, & Muscanell, 2023). Approximately 10% of institutions currently lack mandatory employee training, a critical gap that institutions should address immediately.
CampusCISO has helped institutions complete over 200 cybersecurity capability assessments using the Cyber Heat Map methodology since 2021. Metrics from these assessments provide essential insights into the maturity and effectiveness of security awareness programs in higher education.
The Cyber Heat Map assessment calculates a capability score by considering factors such as the institution's ownership of a training delivery solution, the extent of its adoption, and the availability of staff to manage the program. Capability scores provide a measure of an institution's maturity regarding security training implementation. Scores below 40 typically reflect limited adoption, minimal enforcement mechanisms, or low institutional priority. Scores above 70 usually indicate comprehensive programs with strong policies, regular compliance monitoring, and executive-level support.
Between July 2021 and November 2024, the assessment data shows:
The wide benchmark range highlights significant diversity in the maturity of security awareness programs at colleges and universities. Institutions with lower capability scores often experience higher susceptibility to phishing attacks, inconsistent training participation, and difficulty responding effectively to cybersecurity incidents.
The Cyber Heat Map assessments also evaluate the availability of dedicated security training for IT professionals. Technology staff play crucial roles in safeguarding sensitive data; specialized training enables them to consistently incorporate effective cybersecurity practices into their daily responsibilities.
The mean capability score for IT staff security training is 50 out of 100, aligning closely with the range observed for end user awareness training. Notably, that calculation only considers institutions with established formal IT staff security training programs. Among all respondents, only 65% (158 of 242) confirmed the presence of such programs, highlighting a significant gap in security awareness initiatives for many institutions.
Consistent monitoring of training completion rates is essential to ensure that security awareness programs remain effective over time. Failure to train users regularly leaves institutions vulnerable to data breaches, regulatory non-compliance, and even puts insurance renewals at risk.
Universities can monitor training completion metrics and share them with leadership, demonstrating a commitment to enhancing these figures (Burns, Robert, & Muscanell, 2023). Leading organizations reach rates in the upper 90s by implementing robust mandates and maintaining regular follow-ups (Just, 2025).
While 94% of institutions have adopted a security awareness program, implementation is inconsistent. Universities face challenges in ensuring timely completion of training despite having policies in place. For example, completion rates within Massachusetts public colleges ranged from 30% to 80% (Office of the State Auditor, 2024).
The Cyber Heat Map data from assessments completed in 2024 shows that only 3% of institutions achieved high performance, defined as over 90% completion rates, for faculty and staff security awareness training. No institution achieved over 90% participation for student training efforts.
In higher education, 65% of institutions require annual retraining, and only 6% restrict training to just once during a user's entire tenure (Burns, Robert, & Muscanell, 2023). The majority of institutions prefer to offer updated awareness training at least once a year.
The government and healthcare sectors prioritize regular training. U.S. federal agencies require annual security awareness training (U.S. Department of Health and Human Services, 2024). Healthcare organizations adhere to HIPAA guidelines, with annual refresher training being the norm even though the regulation only mandates periodic training (Alder, 2023).
Organizations increasingly use brief quarterly or monthly micro-training modules to reinforce cybersecurity awareness consistently throughout the year (Chew, 2023). In higher education, 19% of institutions mandate training more than once a year, with semiannual or quarterly refresher courses (Burns, Robert, & Muscanell, 2023).
Annual mandatory training represents the minimum standard recommended for higher education institutions. The prevailing trend across sectors is moving toward continuous learning methods, emphasizing ongoing engagement over a single yearly session. Research indicates that more frequent training results in significant reductions in phishing click rates and cybersecurity incidents.
Measuring the effectiveness of security awareness training is challenging but vital for ongoing improvement. Only 38% of higher education security leaders perceive their training as effective (Burns, Robert, & Muscanell, 2023). Monitoring training outcomes allows campus leaders to evaluate effectiveness clearly and adjust strategies accordingly.
One common way to measure training effectiveness is monitoring statistics from phishing simulation tools, which simulate phishing attacks and track user responses. 66% of higher education institutions monitor phishing simulation failure rates to evaluate the effectiveness of their training (Burns, Robert, & Muscanell, 2023).
In a 2023 study, the education sector recorded the highest phishing test click-through rate, with 16.7% of users clicking on malicious links, and 12.2% of users submitted their passwords to fake phishing sites (Bradley, 2024). This highlights the susceptibility of academic users to phishing attacks when adequate training is lacking. Organizations that have implemented structured training programs have seen phishing click rates drop from an average of 33% to as low as 5% within a year (Grimes & Kraemer, 2023).
Institutions can also use quizzes and user surveys to assess training. Common indicators of training effectiveness include program completion rates (used by 84% of agencies), phishing simulation click rates (72%), and independent audits (67%) (Jacobs, Haney, & Furman, 2022).
To make a strong case for improved training, institutions can analyze awareness program metrics in relation to security outcomes. Key indicators to consider:
In summary, the majority of higher education institutions provide security awareness training, with results varying widely against benchmarks. Completion rates range from excellent (almost 99% in some programs) to as low as 30% (Office of the State Auditor, 2024). Universities typically mandate annual training cycles, although more frequent approaches are starting to emerge. The data indicates a significant reduction in risk when organizations implement successful training programs.
Higher education institutions face security challenges similar to government and healthcare organizations: large user populations, vast amounts of sensitive data, and constant exposure to phishing and other cyber threats. Comparing security training practices with those sectors is useful for planning.
Government agencies in the U.S. set a high standard for security awareness because of strict mandates. Federal policy requires annual security awareness training for all users of federal information systems (National Archives, 2025).
The Department of Health and Human Services has achieved almost 100% completion by linking security awareness training to annual HR requirements and by limiting access to user accounts for non-compliance (Jacobs, Haney, & Furman, 2022). Employees with substantial security responsibilities are mandated to undergo role-based training, while basic awareness training is provided to all personnel (Wilson, 2006; Ross & Pillitteri, 2024).
Agencies monitor metrics such as completion and phishing simulation click rates to gauge effectiveness. High participation rates are achieved through leadership support and accountability.
Higher education institutions can strengthen training compliance by adopting these practices, such as linking completion to HR processes or critical account access.
Strict regulations govern the healthcare sector, including rules mandating that all staff receive training in patient data privacy and security practices. Hospitals conduct compulsory annual security training, and many also enforce additional measures like monthly security reminders or phishing simulations (Alder, 2023).
Studies indicate that continuous training can lower risks in healthcare organizations, and training programs are tailored to staff positions, with clinicians presented with scenarios related to patient data (Gordon, Wright, & Aiyagari, 2019). This approach underscores the importance of role-specific training for individuals handling sensitive information.
Healthcare standards are directly applicable to universities that manage medical research data or run health centers. Institutions that handle sensitive health-related or research data should follow healthcare sector practices: targeted ongoing training plus regular phishing simulations.
The key lesson from both sectors: nearly universal completion of annual security awareness training shows that clear requirements and consistent executive support lead to greater training compliance and reduced cybersecurity risk. Higher education can apply the same discipline through stronger mandates for annual role-based training.
Institutional leaders should leverage benchmarks and peer comparisons to clearly articulate the necessity and value of enhancing security awareness training. The following recommendations cover training frequency, audience-specific strategies, and program improvements.
Ensure that all employees and faculty members complete security awareness training when hired and annually thereafter. Universities including the University of Illinois at Chicago and the University of North Carolina at Chapel Hill have made annual training mandatory for years (Zawacki & Maslanka, 2020; University of North Carolina at Chapel Hill, 2019).
To increase completion rates, use automated reminders and messages from campus leadership. Implement enforcement mechanisms like locking out accounts to ensure training completion (George Mason University, 2025). Sending reminders to managers during annual performance reviews can also drive participation.
Make clear to all faculty and staff that security training is a crucial job requirement, similar to other HR compliance requirements.
Users carry different levels of risk. Implement role-based security training for groups that handle sensitive information or perform high-risk functions: specific modules for finance, HR, admissions, researchers, and IT staff. Staff working with health or student data might need additional HIPAA or FERPA training; IT staff might need secure coding or incident response courses annually (Spitzner, 2023).
Improving IT professionals' understanding of cybersecurity as it relates to their individual roles is a cost-effective way to shore up an institution's security posture. Unfortunately, security training for IT professionals remains a significant gap: only 65% of assessed institutions report having structured cybersecurity training for IT personnel.
The University of Oregon and others have adopted role-based training so that employees with elevated system access or those who travel get custom training relevant to their risks (University of Oregon, n.d.). At George Mason University, any employee who handles highly sensitive data must complete a specialized data custodian module in addition to the regular awareness course (George Mason University, 2025).
Institutions should require specialized role-based training at least annually, and could adopt semiannual or quarterly training for the highest-risk groups. User roles that can cause the most harm receive the most training. This enhances security and helps meet compliance obligations.
Students are a large part of a campus population and are frequent phishing targets, for reasons ranging from financial aid scams to credential theft. Despite these risks, many institutions lack formal student training programs: the Cyber Heat Map assessment data shows that 67% of institutions provide only ad hoc student security training. Expanding formal student security education should be a priority.
Since students are not employees, integrate cyber awareness into student onboarding or digital literacy programs, for example by requiring new students to complete an online security module covering phishing, safe passwords, and campus IT policies during orientation.
Tailor student training to their learning styles: shorter content, interactive gamified quizzes, or in-person workshops. Focus on practical advice such as avoiding phishing emails, using campus resources like the VPN, securing physical devices, and adjusting privacy settings on social media. Encourage participation by linking it to services students care about, such as residence hall network access.
By training students, the institution protects its network and fosters a cyber-aware culture among future professionals.
Annual videos alone will not change user behavior. Many institutions implement ongoing training that simulates phishing emails and uses other interactive exercises. Organizations that combine frequent training with phishing tests saw up to 96% improvement in users' phishing detection ability (Grimes & Kraemer, 2023).
Conduct phishing tests regularly and share metrics with users and campus leadership. A monthly "phish report" detailing the number of phishing attempts users reported to security gamifies the process and maintains awareness throughout the year (Blum, Sherry, & Schaufler, 2020).
Half of universities already require extra training for users who repeatedly fail phishing tests (Burns, Robert, & Muscanell, 2023). Establish clear thresholds, such as requiring additional training for users failing more than twice per year, and review results regularly to adjust the program.
Supplement mandatory training modules with newsletters, infographics, posters, webinars, and security tip campaigns (Burns, Robert, & Muscanell, 2023). Different people learn in different ways, so bite-sized tips, such as a monthly security tip email or campus signage, reinforce the formal training.
Welcome week events are a great time to get the security message in front of new students; some institutions set up information kiosks with inexpensive reminders such as stickers or pens. Many institutions hold an annual Cybersecurity Awareness Month event in October with contests, guest lectures, or "spot the phish" games to engage faculty, staff, and students.
Employ different training methods and make training ongoing, not an annual "check the box" formality.
No university wants to be the outlier that neglected training and then suffered a preventable breach. Highlighting successful security awareness initiatives from peer institutions builds credibility and fosters leadership support. Benchmarking data can show that enhancing security programs aligns with practices across higher education.
Princeton University's program, launched in 2016, improved security culture with resources like the Phish Bowl repository, and shifted the narrative from "users are the weakest link" to making users the "last line of defense," which led to improvements in password habits and reduced phishing click rates over time (Blum, Sherry, & Schaufler, 2020).
Enforcing mandatory security training is a growing trend in academia. Universities including the University of North Carolina and the University of Minnesota now require annual security awareness training for all, and many have introduced measures such as revoking user accounts for non-compliance (University of Minnesota, 2019; University of North Carolina at Chapel Hill, 2019). Case studies show that investing in awareness leads to tangible results, not just compliance.
Clearly link training metrics to leadership priorities: compliance, incident prevention, and reduced operational risk. Emphasize that maintaining annual completion rates above 95% satisfies auditors and significantly strengthens eligibility for cyber insurance (Burns, Robert, & Muscanell, 2023).
Show how phishing simulation programs can cut click rates in half within months and up to 85% over a year, resulting in fewer compromised accounts and lower incident response costs (Grimes & Kraemer, 2023). Use internal data to show progress: "After our pilot training last year, our phishing click rate dropped from 20% to 8%, and we aim to get it below 5% like industry leaders."
If detailed statistics are difficult to gather, highlight qualitative benefits such as improved cybersecurity culture, using feedback surveys or anecdotes.
The goal is not only to propose actions but to justify them. Combining peer benchmarking ("85% of similar universities do this; we should not fall behind") with risk reduction statistics ("structured training can reduce incident rates by up to 70%") provides a compelling argument for investing in training improvements (Keepnet, 2024).
Effective security awareness training has become an essential component of cybersecurity management for higher education institutions. However, data from CampusCISO and industry benchmarks shows significant variation in the effectiveness of existing programs. Institutions can bridge these gaps through a deliberate, structured approach:
By following these recommendations, institutions can achieve demonstrable improvements in cybersecurity resilience: fewer successful phishing incidents, stronger compliance with security policies, and reduced risk from costly breaches.
Alder, S. (2023). How Often is HIPAA Training Required? The HIPAA Journal.
Blum, D., Sherry, D., & Schaufler, T. (2020). Case Study: Transforming Princeton's Security Culture Through Awareness. ISACA Journal.
Bradley, P. (2024). Gone Phishing 2023: Here Are the Results! Tripwire State of Security.
Burns, S., Robert, J., & Muscanell, N. (2023). EDUCAUSE QuickPoll Results: Growing Needs and Opportunities for Security Awareness Training. EDUCAUSE Review.
Chew, T. S. (2023). Considerations for Developing Cybersecurity Awareness Training. ISACA Journal.
George Mason University. (2025). IT Security Awareness Training Info.
Gordon, W. J., Wright, A., & Aiyagari, R. (2019). Assessment of Employee Susceptibility to Phishing Attacks at U.S. Health Care Institutions. JAMA Network Open.
Grimes, R. A., & Kraemer, M. J. (2023). Data Confirms Value of Security Awareness Training and Simulated Phishing. KnowBe4.
Jacobs, J. L., Haney, J. M., & Furman, S. M. (2022). Measuring the Effectiveness of U.S. Government Security Awareness Programs: A Mixed-Methods Study. NIST.
Just, J. (2025). What is a Good Completion Percentage for Security and Compliance Training? KnowBe4.
Keepnet. (2024). 2025 Security Awareness Training Statistics.
National Archives. (2025). 5 CFR 930.301. Code of Federal Regulations.
Office of the State Auditor. (2024). Audit of Cybersecurity Awareness Training Compliance Across Multiple State Agencies. Mass.gov.
Ross, R., & Pillitteri, V. (2024). NIST SP 800-171r3: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. NIST.
Spitzner, L. (2023). The What & How of Role Based Security Awareness Training. SANS.
U.S. Department of Health and Human Services. (2024). Security Awareness and Training. HHS.gov.
University of Minnesota. (2019). Information Security Awareness, Education and Training Standard.
University of North Carolina at Chapel Hill. (2019). Mandatory Security Awareness Training.
University of Oregon. (n.d.). Security Awareness Training Program.
Wilson, M. (2006). FISMA & OPM Awareness & Training Requirements & Related NIST Guidance. NIST.
Zawacki, E., & Maslanka, J. (2020). Mandatory Security Awareness Training for Faculty & Staff. UIC Today.
See how CampusCISO helps higher education security leaders turn an honest assessment into a prioritized, board-ready roadmap.
Explore the three lenses