2024.04.26
2026.06.29
Introducing common challenges and solutions for internal information security training!

In recent years, various damages have been reported, such as targeted attacks and ransomware attacks aimed at organizations and companies, as well as information security incidents caused by rule violations.
Specifically, typical examples include accessing unauthorized websites, opening spoofed emails, and careless removal or loss of confidential data. To prevent these, it is necessary for all employees to acquire knowledge about information security. Therefore, many companies are focusing on information security education, but there are quite a few cases where it has not been sufficiently effective or where challenges arise in the operation of the training.
Therefore, this time, we will explain the types of problems, actual cases that have occurred, and methods to resolve them in information security education for employees. Furthermore, we will also introduce points to enhance the effectiveness of the education.
Table of Contents
1. Background on the Importance of Information Security Education
2. Issues Threatening Information Security
3. Real Cases of Information Security Issues
4. Common Challenges in Internal Information Security Education
5. Solutions to Challenges in Internal Information Security Education
6. Points to Enhance the Learning Effectiveness of Information Security Education
7. Summary
1. The Importance of Information Security Education

First, let's organize the background in which information security training in companies is becoming increasingly important.
1. Increase in Cyber Attacks and Rising Threats
The number of cyber attacks in Japan continues to increase, and their methods are becoming more diverse and sophisticated. According to the Ministry of Internal Affairs and Communications' "Information and Communications White Paper (2024 edition)," the large-scale cyber attack monitoring network operated by NICT (National Institute of Information and Communications Technology) observed approximately 686.2 billion packets of cyber attack-related communications in 2024, which is 10.86 times the approximately 63.2 billion packets observed in 2015.
(Illustration) Trends in the number of communications related to cyber attacks in NICTER
2. Risk of Significant Economic Loss
The same white paper also summarizes the results of various organizations' surveys and analyses regarding the economic losses caused by cybersecurity-related troubles. For example, let's introduce a survey conducted by Trend Micro. In Japan, the 2024 fiscal year survey shows that the average cumulative damage amount for corporate organizations affected by cyberattacks over the past three years is 171 million yen, which is an increase of approximately 46 million yen compared to one year ago.
(Illustration) Table II-1-10-5 Economic Losses Caused by Cybersecurity Issues

Illustration extracted from Economic losses caused by cybersecurity issues
3. Strengthening of Legal Regulations
Taking the amended Personal Information Protection Law, which was fully enforced in April 2022, as a representative example, legal requirements related to information security have become stricter in Japan as well. Furthermore, it is stipulated that these laws be reviewed every three years, and companies and organizations are required to update their knowledge regarding information security in order to comply with these laws.
4. Enhancing Corporate Value and Reliability
Companies with a well-established information security management system are more likely to be trusted by customers and business partners. In other words, companies can enhance their reliability and corporate value through information security training.
5. The Need to Adapt to the Evolution of Threats
As information security threats are evolving daily, employee training must be conducted regularly based on the latest insights. Through training, we can cultivate personnel who can respond appropriately.
In this way, there are multiple factors behind the importance of information security education, all of which are crucial elements related to the survival of a company.
2. Issues Threatening Information Security
Threats targeting corporate information assets are becoming increasingly sophisticated and diverse year by year. In addition to external cyberattacks, risks also include internal misconduct and negligence, as well as system failures. This chapter organizes the main types of these issues.
● Cyberattacks by Third Parties
There are various tactics used by third parties, including malware, trojans, ransomware, targeted attacks, business email compromise, unauthorized access, and supply chain attacks. Such attacks target a company's confidential information and pose serious risks, including business disruption and financial damage.
● Internal Negligence and Fraud
There are cases where minor employee mistakes, such as accidentally sending confidential data externally or losing a USB memory device where data is stored, lead to major information leaks. Furthermore, intentional unauthorized access and data tampering are also significant issues.
● Intentional Information Leakage by Related Parties
There are cases where former employees or business partners intentionally take information out. Especially when external parties are involved, management tends to be insufficient, so extra caution is necessary.
● System Failures
System failures such as server downtime, network outages, and software malfunctions also pose serious risks to information security. These troubles not only halt business operations but also incur recovery costs and impact business partners, which cannot be ignored.
As such, the factors that threaten information security are diverse, both external and internal. Additionally, one of the causes of damage expansion is employees' "lack of knowledge" and "insufficient awareness." Therefore, it is important to thoroughly implement in-house training so that all employees understand security risks and can take appropriate actions.
3. Actual Cases of Information Security Issues
Threats to information security occur daily in reality. When incidents happen within companies, there are many cases where the damage expanded due to insufficient employee education and awareness. Here, we will look at actual cases and consider the importance of education.
〈Case.1〉Information Leakage by an Employee of a Financial Institution
An employee of a domestic credit union took work documents containing customer information home, resulting in the potential leakage of personal information of 2,375 individuals. As a result of the investigation, the credit union cited "insufficient compliance awareness and education for employees" and "inadequate management and supervision by supervisors during work" as factors contributing to the incident.
〈Case.2〉Accidental Email Transmission of Personal Information File by an Education-related Company
A person in charge at a company providing educational services mistakenly attached and sent a CSV file containing personal information of approximately 23,000 individuals without password protection when sending an email to about 50 specific members. The leaked information included names and contact details, and some contained important information such as bank branch names and account holders, causing significant anxiety and confusion among customers and related parties.
〈Case.3〉Access Permission Error of Client Information at a Human Resources Service Company
A flaw in the system of a company providing human resources services was discovered, allowing approximately 540,000 corporate client records to be viewed by agencies without proper access permissions. Information about recruitment staff, which did not need to be shared with agencies, was reportedly accessible by agencies and 1,164 subcontractors for six years.
〈Case.4〉Loss of USB Memory in an Automobile Dealer Company
An employee of an automobile dealer company saved customer information on a USB memory for work purposes and lost it when taking it outside the company. Although the USB memory was later recovered, it is unclear whether it was password protected, and there is concern that information may have leaked during the period before recovery. Approximately 3,000 customer records were stored on this USB memory.
These cases are not only due to "system vulnerabilities" but also because of employees' lack of knowledge and insufficient awareness, which have contributed to the expansion of the damage. In other words, technical measures alone are insufficient, and information security education for employees can be said to be the "key to countermeasures."
4. Common Challenges in Internal Information Security Training
Information security training is highly important, but when trying to implement it within the company, various challenges may arise. Let's take a look at some common issues that many companies face.
Issue 1: Participants' concentration does not last
Monotonous content, long lectures, and one-sided lecture formats can cause participants to lose concentration. Additionally, when internal staff serve as instructors, there may be a lack of tension or seriousness.
Issue 2: Training content lacks realism
Especially in classroom-based training, it can be difficult to visualize real-life scenarios, and participants may proceed with learning without fully understanding the content. As a result, there is a possibility that they may not take the correct actions when trouble actually occurs.
Issue 3: Latest trends and information are not reflected
In the field of information security, new attack methods and countermeasures are continuously being announced. Constantly reflecting this latest information in training materials can be a significant burden for companies that conduct in-house training, and it may take time to prepare and implement.
Issue 4: No perceived educational effect
If there are no follow-up or review opportunities after training, knowledge about information security may not be retained, and a sense of crisis may diminish. As a result, there tends to be a problem where the effectiveness of the education is not felt.
Issue.5 The training itself has become a mere formality
If issues like those in 1 to 4 are left unaddressed, there is a risk that participants will lose interest and engagement, turning the training into a mere routine. Additionally, participants may fail to find the purpose and significance of the training, which could lead to a decline in their motivation to learn.
To provide high-quality learning, it is necessary to be aware of such challenges and continuously review the training programs and educational materials.
5. Solutions to Challenges in Internal Information Security Training
In the previous chapter, we discussed common challenges in information security training, and here we will introduce specific methods to address those challenges.
Solution to the Issue.1 Implement training that involves practical experience, such as email training
Practical training to counter targeted attacks and phishing emails is very effective. For example, in email training, participants can receive training to identify suspicious emails through a simulated experience of phishing emails. Additionally, training that simulates the response and reporting procedures within the organization, assuming a targeted attack has occurred, is also effective.
Both types of training lead to the acquisition of skills that are applicable in real-world scenarios.
Solution to the Issue.2: Utilize e-learning to provide a flexible learning environment
E-learning, a learning method that utilizes the internet, provides a flexible learning environment regardless of time or place. Therefore, participants can study at a convenient time, allowing them to absorb knowledge efficiently.
Additionally, e-learning offers various formats such as videos and quizzes, making it easier to maintain concentration without getting bored. Furthermore, a wide range of e-learning materials that keep up with current trends are available, enabling easy access to the latest information.
Solution to the Issue.3> Measure educational effectiveness and implement follow-up
After the training, it is recommended to conduct an "effectiveness measurement" to understand how well the participants have comprehended the learning content. Through effectiveness measurement, the results and impact of the training can be objectively evaluated, which also helps improve teaching methods and materials. Additionally, it can lead to future follow-up with the participants.
Methods of effectiveness measurement include administering tests or quizzes related to the training content to assess understanding, as well as collecting responses via surveys on the training content, instructor evaluation, and satisfaction with the materials, among various other approaches.
By incorporating these solutions, various benefits such as acquiring practical skills, increasing motivation, and solidifying knowledge can be expected.

6. Points to Enhance the Learning Effectiveness of Information Security Education

Solutions to the challenges of information security education also lead to improved learning outcomes. Here, in addition to the solutions introduced in the previous chapter, we will share points to further enhance learning effectiveness.
Points to Enhance Learning Effectiveness.1: Decide on the format of the training based on the participants
There are various formats for conducting training. It is effective to flexibly combine formats according to the participants' work situations, learning styles, and the objectives of the training.
〈Examples of Implementation Formats〉
■In-house Lectures
Experienced employees serve as instructors and conduct training within the company. Because they can provide unique, real information specific to the company, participants acquire practical knowledge and skills. However, since the instructor is someone from within the company, it is important to maintain a sense of seriousness.
■Invite External Instructors
This format involves inviting external experts and authorities to conduct seminars or lectures. As professionals, they are well-versed in the latest knowledge and trends, allowing participants to receive highly up-to-date information.
■Participate in External Training
By participating in external training sessions or seminars, participants can focus on learning in an environment away from their daily routine. Additionally, they gain opportunities to learn about other companies' initiatives and knowledge.
■e-Learning
e-Learning, equipped with flexibility and convenience, allows participants to study according to their schedules and environments. Another advantage is that it is easy to manage learning progress and conduct effectiveness assessments.
Points to Enhance Learning Effectiveness.2 Choose Customizable Teaching Materials
In the field of information security, security policies and the know-how required for operations vary by company and industry. Therefore, by choosing teaching materials that can be customized for your own company, you can provide learning that is more practical and relevant.
Point 3 to Enhance Learning Effect: Create a System for Manualization and Information Sharing
Information security training is not only about conducting training sessions but also about creating a system for sharing information such as manuals and incident cases. By sharing the latest information and measures related to information security and accumulating know-how, employees can deepen their common understanding.
By implementing these points, it is expected that the quality of education will improve and deep learning will be promoted.
7. Summary

The frequent news of information leaks and loss incidents. These troubles not only lead to economic losses such as damages but also carry the risk of instantly collapsing the trust and image that a company has built over time. This is why strengthening security is essential for companies, and information security education holds significant importance.
This time, we have explained various risks of information security, common challenges and solutions in information security education, and points to enhance learning effectiveness. As the first step, how about providing an environment where employees receiving the training can learn with motivation?
Therefore, we recommend learning using e-learning. In addition to the convenience of being able to study anywhere as long as there is an internet connection, it is also attractive that a wide variety of information security-related materials are widely available. Furthermore, ease of operation and cost performance can also be considered advantages.
At Human Science, we offer e-learning services tailored to customer needs, such as the "e-Training Portal (Online Training)," which allows you to take e-learning courses starting from one course for one month, and the customizable "e-Training Educational Material Manuscript Sales."
If you are interested, please refer to the e-learning site of Human Science Co., Ltd.
Related Information
Latest Blogs
- 2026.06.17
- How to Use PowerPoint × Vyond Effectively











