Security Awareness Training (SAT)
The legacy compliance-driven training category — annual e-learning modules and click-rate phishing tests — that Human Risk Management is now replacing.
Security Awareness Training (SAT) is the cybersecurity category Gartner used through the 2010s to describe the annual or quarterly delivery of e-learning modules, posters, and simulated-phishing campaigns intended to reduce employee-driven risk. In 2024 Gartner formally folded SAT into the broader Security Behavior and Culture Programs (SBCP) market guide and signaled that the next replacement category is Human Risk Management — because awareness, on its own, does not change behavior.
SAT is not useless. It produces three real outputs:
- Compliance evidence. Annual completion records satisfy the literal letter of the awareness-training clauses in ISO/IEC 27001:2022 Annex A 6.3, SOC 2 CC1.4, PCI DSS Requirement 12.6 and HIPAA §164.308(a)(5).
- Baseline literacy. Employees who have never seen a phishing example benefit from seeing one — once.
- Click-rate telemetry. Simulated phishing campaigns give the security team a coarse number to track.
What SAT does not produce is durable behavior change. The knowledge-behavior gap literature is consistent: employees who pass the quiz still click the link, still grant the OAuth scope, still reuse the password. Verizon’s Data Breach Investigations Report has attributed the majority of breaches to the human element in every recent edition (82% in the 2022 report, 74% in 2023, 68% in 2024), despite SAT being a near-universal control across enterprises.
The structural reasons SAT under-delivers are well documented:
- Timing mismatch. Training fires on a calendar, not at the moment a risky decision happens.
- Goodhart’s Law in action. When click-rate becomes the target, security teams optimize the simulation difficulty rather than the underlying risk. See Goodhart’s Law.
- Forgetting curve. Single-session retention collapses in days, not months — Ebbinghaus, 1885. See forgetting curve.
- No behavioral baseline. SAT measures who watched the video. It does not measure what the workforce does before or after.
Engarde (engarde.cc) treats SAT as one ingredient — microlearning content lives in the library — but the operating model is HRM: observe behavior, intervene in-channel, produce behavioral evidence.
Related terms
- Human Risk Management (HRM): The Gartner-coined category that replaces Security Awareness Training with behavior-centered, evidence-producing controls applied at the moment of risk.
- Knowledge-behavior gap: The empirically documented gap between what employees know about cybersecurity and what they actually do at the moment of decision.
- Behavioral KPI: A risk-team metric anchored on what employees actually do over time, not on training completions or click-rate on simulated phishing emails.
- Microlearning: Short, focused learning units, typically 30 seconds to 3 minutes, that fit inside the working day and survive the forgetting curve.
- Nudge: A small, contextual intervention that steers a person toward a safer choice without restricting freedom; the unit of work behind behavior-centered cybersecurity.