The Effectiveness of Cybersecurity Awareness Training Programs in Mitigating Social Engineering Attacks: A Systematic Literature Review

Authors

  • Kaka Kalam Djati Permana, Universitas Sebelas April Sumedang

Keywords:

Cyber Security, Awareness Training, Phishing, Social Engineering, Systematic Literature Review

Abstract

Phishing attacks are one of the most persistent cyber threats that exploit human behavioural vulnerabilities, making technical defences alone insufficient. In response, organisations have widely implemented Security Awareness Training (SAT) programmes, but their effectiveness, especially in the long term, remains a subject of debate, with findings often contradictory across various studies. This study aims to synthesise and evaluate the latest empirical evidence on the effectiveness of SAT programmes in mitigating social engineering and phishing attacks. The method used is a Systematic Literature Review (SLR) of 11 empirical studies and relevant meta-analyses published between 2021 and 2025, selected based on strict inclusion and exclusion criteria. The analysis results indicate that training programmes significantly reduce users' vulnerability to phishing in the short term. However, this effectiveness diminishes over time due to the knowledge decay effect, where knowledge can revert to its initial level within a few months. The main challenges identified include training fatigue and the lack of valid metrics, while the critical success factors are continuous reinforcement, the use of interactive methods such as gamification, and strong leadership support. In conclusion, a one-off training approach is insufficient; to achieve sustainable behavioural change, organisations must adopt an integrated, interactive, and continuous training strategy.

Published

2025-08-20