Cyber security awareness campaigns in the age of Artificial Intelligence (AI): Do they still fail to change behaviour?

Cyber security awareness and training programmes are the primary mechanism used to manage risks associated with people within organisations and across countries. Ten years ago, we examined such campaigns and identified several factors that explained why they often fail to bring about the intended behaviour change. Since then, the security landscape has evolved substantially, with developments such as generative artificial intelligence (AI), remote working, and increasing security fatigue introducing new and significant risks. In this paper, we conduct an updated analysis to examine whether more recent security awareness campaigns have improved and are consequently more likely to result in behaviour change. Specifically, we present a ten year retrospective of national cyber security awareness campaigns (2015–2025) across five global regions. Through thematic analysis of campaign materials, we identify continued reliance on fear based, information-heavy messaging, inconsistent calls to action, and persistent structural barriers. We conclude that without realignment to behavioural drivers and real-world constraints, particularly in an AI-augmented threat landscape, awareness campaigns are likely to repeat familiar failures.