
Quantifying Cybersecurity Training in Organizations Through the Analysis of U.S. SEC 10-K Filings

Summary

The Security Awareness and Training (SAT) market exceeds several billion dollars annually, yet reliable data on organizational adoption remains scarce. Conflicting, survey-based figures from cybersecurity vendors leave researchers and decision-makers dependent on insights of questionable reliability. A new U.S. Securities and Exchange Commission (SEC) regulation, effective since late 2023, requires companies to disclose their cybersecurity strategies in annual Form 10-K filings, offering a more consistent data source. In this study, we crawl and analyze filings from 5,286 U.S. companies across diverse sectors and sizes, using keyword searches and thematic analysis; because keyword matching only captures topics that are stated explicitly, this approach yields a lower-bound estimate of how prevalent each topic is. We find that 78% of companies report implementing SAT and 27% report conducting phishing simulations, with adoption varying significantly by sector and company size. Larger companies report more extensive SAT efforts, often aligned with standards such as the NIST CSF. While multi-factor authentication (11%) is the most commonly reported employee-facing security control, many filings frame employees as a risk factor. Our findings help organizations critically assess their SAT strategies and vendor claims, offer actionable insights for policymakers, and equip scholars with a coded dataset and crawling tools for ongoing longitudinal analysis.

Conference Paper

ACM Conference on Computer and Communications Security (CCS)

Date published

2025-10

Date last modified

2025-08-14