Your organization probably spent tens of thousands of dollars on security awareness training last year. Your completion rate was likely 95% or higher. Your employees watched videos, passed quizzes, and checked the box. Yet human error still drives the majority of breaches.
The disconnect is not accidental. It’s a design problem.
Annual security awareness training—the industry standard—is almost useless at preventing real-world breaches. Research consistently shows it fails not because the concept is flawed, but because of how it’s implemented. This is what separates security theater from actual security.
The good news: when trained correctly, awareness programs deliver measurable, substantial risk reduction and strong financial ROI. The bad news: most organizations are not doing it correctly.
The Problem: The Crisis of Evidence
The Elephant in the Room: UC San Diego’s Inconvenient Truth
In September 2025, researchers at UC San Diego Health published findings from one of the largest field studies of security awareness training effectiveness to date. The results were damning.
Over eight months, they tracked 19,500 employees across 10 phishing campaigns. They measured the impact of embedded anti-phishing training, the kind delivered inside the workflow at the moment a user clicks a simulated lure, not just the minimal annual checkbox course.
The finding: training reduced phishing susceptibility by only about 2%.
Even more troubling: exposure accumulated with every campaign. In the first campaign, only about 10% clicked the simulated link. By month eight, more than half of all employees had clicked at least once.
This was not a case of a lax program. UC San Diego Health had implemented a best-practice model: training embedded in the workflow and targeted at recent clickers. It should have worked. It didn't.
Why? Because training that arrives only occasionally, even when it is embedded in the workflow, creates a false sense of security that evaporates exactly when employees need it most: under deadline pressure, distracted, in the normal chaos of work.
The Knowledge Decay Wall: Six Months Is the Threshold
A 2025 analysis of phishing training effectiveness across industry data revealed a hard truth about human memory: training effects begin to fade after four months and largely disappear after six months without reinforcement.
Let that sink in. If your organization conducts annual training in December, by June your employees are roughly as vulnerable as they were before the training. The knowledge has not just dimmed—it has left the building.
This is not a criticism of training itself. It's cognitive science: the forgetting curve that Hermann Ebbinghaus documented in the 1880s.
The problem: organizations build their entire compliance narrative around annual training, which directly contradicts what cognitive science tells us about learning retention.
The Blind Spot: Why Executives Overestimate Impact
If annual training doesn’t work, why do so many security leaders and CISOs believe in it?
The answer lies in what gets measured.
The Metrics That Lie
Most organizations measure training success through:
- Completion rates (“95% of employees finished the course”)
- Quiz scores (“Average score was 84%”)
- Attendance (“All 500 employees took the training”)
None of these correlate with real-world incident reduction.
A 2024 qualitative study of cybersecurity awareness programs in the UK reported that high scores on training assessments did not translate into better performance against realistic phishing attempts months later, once the training effect had faded.
More striking: a mandatory training study at a hospital system tracked employees designated as “high-risk” (repeat phishing clickers). After the organization offered mandatory training to this group, they remained more likely to click on phishing emails than their lower-risk peers. The training did not move the needle.
A 2026 industry analysis revealed that 62% of awareness leaders lack visibility into whether their training actually reduces human-driven risk. They see the training was completed; they have no idea if it prevented a breach.
Why the C-Level Confidence Gap Exists
From a leadership perspective, annual training looks great:
- It’s cheap per employee ($23–$30 depending on vendor).
- It’s easy to report (“95% completion achieved”).
- It’s clearly an audit box (“Security Awareness Training: ✓ Completed”).
- It feels proactive without requiring operational change.
The gap between executive assumptions and reality is enormous. Executives think: “We trained them, so they should be more secure.” In practice, employees trained once a year are less secure than employees in a continuous, reinforced program. This is not a knowledge problem. It’s an accountability and measurement problem.
The Solution: What Actually Works
Before you abandon training entirely, understand what the evidence actually supports: Continuous, behavior-focused security awareness programs deliver substantial risk reduction.
The Best Data: Real-World Scale
KnowBe4’s 2025 benchmarking analysis examined 67.7 million phishing simulations across 14.5 million users from 62,400 organizations globally. The findings are clear:
- Baseline: Among untrained employees, 33.1% (one in three) interact with phishing simulations.
- After 3 months of continuous training: The phish-prone percentage drops to 19.9%, a 40% relative reduction.
- After 12 months of continuous training: It drops to 4.1%, roughly an 87% relative reduction from baseline.
This is vendor data, but it is aggregated, real-world behavior across millions of users and tens of thousands of organizations, not a marketing claim about a single deployment. Two caveats a practitioner should keep in mind: these are simulation click rates, not real incidents, and organizations that stay in a program for 12 months are a self-selected group.
The Osterman Research ROI model calculated that continuous security awareness training delivers:
- Small orgs (50–999 employees): 69% ROI
- Large orgs (1,000+ employees): 562% ROI
For a 500-person company, this means $75,000 in annual savings from prevented incidents against training costs of ~$12,000. For a 5,000-person company, it’s $1.9 million in savings against training costs of ~$87,500.
If your organization experiences even one prevented breach per year, and that breach would cost $2–4 million, then awareness training becomes one of the highest-return security investments available.
The Science: Point-of-Error Training Changes Behavior
A 2025 meta-analysis revealed that training delivered at the moment an employee makes a mistake is 40% more effective than generic training delivered elsewhere.
Here’s why: When an employee clicks a phishing link and immediately receives targeted training explaining their error, they are far less likely to repeat it. About 70% of employees who failed once and received immediate feedback did not click on another phishing email.
Contrast this with annual training: By the time the employee faces a real phishing email months later, the training moment is completely disconnected from reality. The brain does not encode learning under these conditions.
This is called just-in-time training, and it’s one of the most evidence-backed approaches in the security awareness literature.
Spaced Repetition: The Forgetting Curve as Design Principle
More than a century of cognitive research shows that spaced repetition with increasing intervals dramatically improves retention.
Instead of one 45-minute session in December, employees retain far more when they meet the material several times across weeks or months, for example:
- Review after 1 day
- Review after 3 days
- Review after 1 week
- Review after 1 month
This pattern mirrors how the brain consolidates information into long-term memory. It feels less efficient than a single session, but it produces retention measured in months rather than weeks, and each additional review extends it further.
A Brandon Hall Group study found that personalized learning approaches—combining spaced repetition, microlearning, and role-specific content—improved employee engagement by 55% and retention by 78% compared to standardized annual training.
The Reality: Why the Current Model Breaks in Operations

As I noted in my September post, the gap between training and real operations is a design flaw. The data now quantifies exactly where it breaks.
The Sterile Lab vs. Production Reality
Training is typically delivered in a sterile environment:
- Clean test systems with no system noise
- No time pressure or competing priorities
- No alert fatigue from security tools
- No business deadlines screaming for action
Real-world operations are the opposite:
- Employees juggle dozens of tasks simultaneously
- Security alerts blend with legitimate operational noise
- Email volumes are high and decision time is low
- Pressure and fatigue are constant
A 2025 analysis noted that simulations conducted in “realistic environments with network noise, time pressure, and competing priorities” showed dramatically better transfer to real-world behavior than simulations in clean, controlled settings.
Yet most training is delivered in exactly the opposite way: stripped of context, divorced from job reality, and utterly generic.
One-Size-Fits-All Content Is Systematically Ineffective
Finance teams face invoice fraud. Marketing faces campaign phishing. IT faces credential compromise. Executives face spear-phishing.
Yet most organizations deliver the same 45-minute video to all of them.
The 2024 UK study found that the most commonly reported complaint was generic training content that felt irrelevant to participants’ actual work. Generic content drives disengagement, and disengagement drives zero behavior change.
Research on role-specific training shows that when content is tailored to actual job threats, employees engage more deeply, retain more, and apply more—resulting in significantly lower phishing susceptibility and higher reporting rates.
The Repeat Offender Problem: Why Mandatory Training Fails for High-Risk Users
Here’s something that disturbs most security leaders: mandatory training for high-risk employees (those who repeatedly click phishing simulations) often doesn’t improve their behavior.
Why? Because passive video-based training assumes the problem is knowledge. But the problem is often attentional, behavioral, or contextual. A person who clicks phishing emails under deadline pressure usually knows better—they’re distracted, tired, or overwhelmed.
Training that only increases knowledge without changing the working environment, reducing cognitive load, or addressing the attentional factors that drove the mistake, will fail.
Modern programs address this by combining training with:
- Workflow optimization (making secure behavior easier)
- Technical controls (preventing risky behavior at the system level)
- Behavioral nudges (gentle prompts in the flow of work)
- Targeted remediation (training specific to the behavior that failed)
The Evidence: The Science Behind What Works
Continuous > Annual: The Industry Standard
CIS Control 14 (the industry benchmark for security awareness), NIST SP 800-50 (federal guidance), and SANS Institute all converge on the same recommendation: training should be ongoing, frequent, and reinforced, not annual.
Specific guidance:
- Baseline: Annual comprehensive training (required for compliance and knowledge foundation)
- Reinforcement: Quarterly or monthly micro-trainings, phishing simulations, or role-specific updates
- Event-based: Immediate training after security incidents or policy changes
- High-risk users: Monthly training or weekly/biweekly simulations
A 2025 industry analysis noted that the “most significant change in behavior” comes from using simulations as ongoing training tools, combined with targeted remediation for specific failures. The recommendation: baseline quarterly training for all employees; monthly for lower-confidence cohorts.
Nudge Theory: Behavioral Economics Meets Security
Over the past five years, behavioral science has entered security awareness through nudge theory, popularized by Richard Thaler (later a Nobel laureate in economics) and Cass Sunstein.
The core insight: people make better decisions when prompted at the right moment, in the right context, without removing their autonomy.
Practical examples:
- Social proof: “92% of your peers have enabled multi-factor authentication”
- Timely prompts: Just-in-time nudges when an employee is about to take a risky action
- Default options: Making the secure choice the default (e.g., automatically flagging external email senders)
A UK-based organization using real-time email nudges reported a 300% increase in phishing email detection within six months. These nudges work because they interrupt automatic behavior and trigger conscious decision-making at the moment it matters.
Importantly, nudges are most effective when paired with actual training and reinforcement. Nudges alone cannot build knowledge—but combined with ongoing learning, they dramatically increase the probability that employees apply what they’ve learned.
Adaptive AI-Driven Training: Personalization at Scale
The frontier of security awareness is adaptive, AI-driven training that:
- Analyzes individual behavior: Tracks phishing click rates, reporting habits, incident response speed
- Scores risk: Groups employees by risk level based on actual behavior
- Personalizes content: Delivers training tailored to role, past performance, and identified gaps
- Triggers interventions: Automatically assigns microlearning after failures, delivers nudges in Slack/Teams/email, adjusts difficulty based on progress
Vendors and case studies of AI-driven adaptive training report the following (treat them as vendor-reported results, not independent replications):
- 72% reduction in phishing susceptibility vs. static programs
- Up to 90% reduction in high-risk behaviors
- 87% reduction in successful phishing attacks (in a financial services case study)
The key difference: adaptive training focuses on behavior change, not completion. It measures whether employees actually perform more securely, not whether they finished the module.
The Business Case: ROI and the Financial Justification
If annual training is nearly useless and continuous training is expensive, is it worth it?
Yes—emphatically—but only if done correctly.
The Math: What Gets Prevented
The Osterman Research ROI model breaks down the costs of disinfection and remediation:
For a 500-employee organization:
- Average annual cost of remediating malware/ransomware (before training): $143,070
- After continuous training: $68,085
- Net savings: $75,000 annually
- Annual training cost: $11,500
- ROI: 69%
For a 5,000-employee organization:
- Average annual cost (before): $2,444,000
- After training: $551,050
- Net savings: $1,892,950 annually
- Training cost: $87,500
- ROI: 562%
Larger organizations see higher ROI because they experience more incidents, so the fixed cost of the program is spread across more prevented losses. One caveat before you reuse these figures: neither ROI percentage equals (savings minus training cost) divided by training cost on the numbers above; that arithmetic gives several hundred percent for the 500-person case and roughly 2,000% for the 5,000-person case. Osterman's ROI evidently rests on a fuller cost base than the per-seat fee listed here, so cite the report's own model, not this summary, in your business case.
Avoiding Catastrophic Events
The above model accounts for routine incidents. Consider a single major data breach, with the simplifying assumption that training reduces its likelihood by 80% (an assumed figure, not a measured one):
- A 500-user organization facing a potential $1 million breach: an 80% reduction is worth $800,000 against training costs of ~$12,000 annually, an ROI of about 6,567%.
- A 5,000-user organization facing a potential $4 million breach: an 80% reduction is worth $3.2 million against training costs of ~$87,500, an ROI of about 3,557%.
These numbers treat the breach as a certain annual event. For a real estimate, multiply the breach cost by its annual probability before applying the reduction; a 10% annual likelihood cuts the expected savings above by a factor of ten, which still leaves the ROI comfortably positive.
This is not theoretical. Commonly cited figures attribute 70–95% of breaches to the human element (phishing, credential theft, misconfiguration). Reducing human risk directly reduces breach probability.
The Playbook: What Separates Effective Programs from Checkbox Exercises
Based on the research, here’s what the best-performing organizations are actually doing:
1. Annual Training as Baseline, Not the Entire Program
Annual comprehensive training (required by NIST, CIS, SANS):
- Covers foundational topics: phishing, passwords, data handling, incident reporting
- Ensures 100% reach and legal/compliance coverage
- Sets expectations and educates new hires
But: Stop treating it as the security awareness program. It’s the foundation. The program happens between trainings.
2. Continuous, Frequent Reinforcement
- Quarterly or monthly microlearning: Short (5–10 minute) refreshers on specific threats
- Monthly or biweekly phishing simulations: Test real behavior, provide immediate feedback
- High-risk user tracking: Identify repeat clickers and deliver targeted, more frequent training
- Event-based training: After incidents, breach, or policy change, send immediate targeted training
Cadence benchmark:
- Minimum: Annual training + quarterly simulations
- Strong: Quarterly training + monthly simulations
- Mature: Monthly training + weekly/biweekly simulations for high-risk users; nudges in Slack/Teams/email daily
3. Measure Behavior, Not Boxes
Stop reporting on:
- Completion rates
- Quiz scores
- Training minutes watched
Start measuring:
- Phishing click rates (simulation susceptibility)
- Reporting rates (near-miss identification)
- Repeat-click rates (behavior persistence)
- Time-to-report suspicious activity
- Actual incident reduction (user-driven incidents over time)
Connect training data to real breach data. Show leadership: “Since implementing continuous training, user-driven incidents dropped 40%.”
4. Personalize by Role and Risk
- Tier content: Finance gets invoice fraud training. IT gets privilege misuse training. Executives get spear-phishing training.
- Tier frequency: High-risk users get monthly training. Medium-risk get quarterly. Low-risk get annual + ad-hoc.
- Use behavior signals: AI can score risk based on phishing click history, reporting habits, and access patterns.
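The two sections above (measure behavior, then tier by risk) are easy to state and surprisingly easy to get wrong in practice, because platform dashboards report campaign-level click rates and hide the per-user signals that drive cadence. The following is an added example, not code from the original post or from any simulation vendor; the event schema (one record per campaign and user with optional click and report timestamps), the tier thresholds, and the cadence table are assumptions chosen to mirror the post's own recommendations. Real platforms export something close to this schema as CSV.

```python
"""Turn raw phishing-simulation events into the behaviour metrics the post
recommends: per-user click rate, report rate, repeat-click flag, time-to-report,
near-miss count, plus a risk tier that selects the reinforcement cadence.
Added example; schema, thresholds and cadence mapping are assumptions."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: three monthly campaigns, five users. Columns are
# (campaign, user, sent_at, clicked_at or None, reported_at or None), ISO-8601.
EVENTS = [
    ("c1", "ana",  "2025-01-06T09:00:00", None,                  "2025-01-06T09:04:00"),
    ("c1", "ben",  "2025-01-06T09:00:00", "2025-01-06T09:10:00", None),
    ("c1", "cara", "2025-01-06T09:00:00", "2025-01-06T09:02:00", "2025-01-06T09:03:00"),
    ("c1", "dev",  "2025-01-06T09:00:00", None,                  None),
    ("c1", "eli",  "2025-01-06T09:00:00", None,                  "2025-01-06T11:30:00"),
    ("c2", "ana",  "2025-02-03T14:00:00", None,                  "2025-02-03T14:01:00"),
    ("c2", "ben",  "2025-02-03T14:00:00", "2025-02-03T14:20:00", None),
    ("c2", "cara", "2025-02-03T14:00:00", None,                  "2025-02-03T14:15:00"),
    ("c2", "dev",  "2025-02-03T14:00:00", "2025-02-03T15:00:00", None),
    ("c2", "eli",  "2025-02-03T14:00:00", None,                  None),
    ("c3", "ana",  "2025-03-03T10:00:00", None,                  "2025-03-03T10:05:00"),
    ("c3", "ben",  "2025-03-03T10:00:00", "2025-03-03T10:30:00", None),
    ("c3", "cara", "2025-03-03T10:00:00", None,                  "2025-03-03T10:40:00"),
    ("c3", "dev",  "2025-03-03T10:00:00", None,                  None),
    ("c3", "eli",  "2025-03-03T10:00:00", None,                  "2025-03-03T10:02:00"),
]

# Assumed cadence per tier, mirroring the post's "tier frequency" guidance.
CADENCE = {
    "high":   "monthly training + biweekly simulations",
    "medium": "quarterly training + monthly simulations",
    "low":    "annual training + quarterly simulations",
}


def _ts(value):
    return datetime.fromisoformat(value) if value else None


def user_metrics(events):
    """Per-user behaviour metrics. A 'near miss' is a click followed by a report:
    the user fell for the lure but recovered, which is worth tracking separately."""
    acc = defaultdict(lambda: {"sent": 0, "clicks": 0, "reports": 0,
                               "near_misses": 0, "delays": []})
    for _campaign, user, sent, clicked, reported in events:
        m = acc[user]
        m["sent"] += 1
        if clicked:
            m["clicks"] += 1
        if reported:
            m["reports"] += 1
            m["delays"].append((_ts(reported) - _ts(sent)).total_seconds() / 60)
        if clicked and reported:
            m["near_misses"] += 1
    return {
        user: {
            "click_rate": m["clicks"] / m["sent"],
            "report_rate": m["reports"] / m["sent"],
            "repeat_clicker": m["clicks"] >= 2,
            "near_misses": m["near_misses"],
            "median_minutes_to_report": median(m["delays"]) if m["delays"] else None,
        }
        for user, m in acc.items()
    }


def risk_tier(metrics):
    """Assumed thresholds: two or more clicks is high risk; any click, or never
    reporting anything, is medium; clean and reporting is low."""
    if metrics["repeat_clicker"]:
        return "high"
    if metrics["click_rate"] > 0 or metrics["report_rate"] == 0:
        return "medium"
    return "low"


def cohorts(per_user):
    """Group users by tier; the tier name indexes CADENCE for scheduling."""
    groups = {"high": [], "medium": [], "low": []}
    for user, m in sorted(per_user.items()):
        groups[risk_tier(m)].append(user)
    return groups


def org_metrics(events):
    """Campaign-level click and report rates: the trend lines for leadership."""
    acc = defaultdict(lambda: {"sent": 0, "clicks": 0, "reports": 0})
    for campaign, _user, _sent, clicked, reported in events:
        c = acc[campaign]
        c["sent"] += 1
        c["clicks"] += 1 if clicked else 0
        c["reports"] += 1 if reported else 0
    return {k: {"click_rate": v["clicks"] / v["sent"], "report_rate": v["reports"] / v["sent"]}
            for k, v in sorted(acc.items())}


if __name__ == "__main__":
    per_user = user_metrics(EVENTS)
    for tier, users in cohorts(per_user).items():
        print(f"{tier:6s} {users} -> {CADENCE[tier]}")
    for campaign, m in org_metrics(EVENTS).items():
        print(f"{campaign}: click {m['click_rate']:.0%}, report {m['report_rate']:.0%}")
```

Run against the constructed events, the repeat clicker lands in the high tier and gets the monthly cadence, the user who clicked once but reported it immediately lands in medium with a recorded near miss, and the campaign series shows click rate falling from 40% to 20% while report rate holds at 60%: exactly the two lines worth putting in front of leadership instead of a completion percentage.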
5. Use Just-in-Time Training and Immediate Feedback
When an employee clicks a phishing simulation:
- Immediate notification that they were tested
- 30-second to 2-minute targeted training explaining the attack and how to avoid it
- Auto-enrollment in follow-up if they continue to fail
This feedback loop—failure + immediate education + context retention—is 40% more effective than generic training.
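The spaced-repetition ladder from earlier in the post (review after 1 day, 3 days, 1 week, 1 month) and the feedback loop just described (immediate lesson on a failed simulation, auto-enrollment after repeated failures) are really one scheduling rule: a completed review advances the learner one rung up the ladder, a failed simulation drops them back to the first rung, and a second failure flags them for targeted follow-up. The block below is an added example, not code from the original post or any training platform; the ladder is the post's own, while the two-failure escalation threshold and the start date are assumptions.

```python
"""Spaced-repetition scheduler with failure reset for awareness reinforcement.
Added example; the escalation threshold and sample dates are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# The post's ladder. Once a learner reaches the last rung it simply repeats.
INTERVALS = (timedelta(days=1), timedelta(days=3), timedelta(days=7), timedelta(days=30))
FOLLOWUP_AFTER_FAILURES = 2  # assumed policy: second failed simulation escalates


@dataclass
class Learner:
    rung: int = 0                    # index into INTERVALS
    failures: int = 0                # failed simulations since enrollment
    escalated: bool = False          # flagged for targeted, more frequent training
    next_due: Optional[date] = None  # when the next review or simulation is due


def enrol(start: date) -> Learner:
    """Initial training on `start`; first review is due one rung later."""
    return Learner(next_due=start + INTERVALS[0])


def schedule_after_event(learner: Learner, event: str, today: date) -> Learner:
    """Advance on a completed review, reset on a failed simulation, and escalate
    once the failure count reaches the policy threshold."""
    if event == "completed":
        learner.rung = min(learner.rung + 1, len(INTERVALS) - 1)
    elif event == "failed":
        learner.failures += 1
        learner.rung = 0  # back to the bottom of the ladder: review tomorrow
        if learner.failures >= FOLLOWUP_AFTER_FAILURES:
            learner.escalated = True
    else:
        raise ValueError(f"unknown event: {event}")
    learner.next_due = today + INTERVALS[learner.rung]
    return learner


def run_history(start_iso: str, history) -> Learner:
    """Replay (day_offset, event) pairs from an ISO start date; return the learner."""
    start = date.fromisoformat(start_iso)
    learner = enrol(start)
    for offset_days, event in history:
        schedule_after_event(learner, event, start + timedelta(days=offset_days))
    return learner


def due_on(learners, day_iso: str):
    """Names of learners whose next review is due on or before the given day."""
    day = date.fromisoformat(day_iso)
    return sorted(name for name, l in learners.items()
                  if l.next_due is not None and l.next_due <= day)


if __name__ == "__main__":
    # Constructed histories: one learner climbs the ladder, one keeps failing.
    steady = run_history("2025-01-06", [(1, "completed"), (4, "completed"),
                                        (11, "completed"), (41, "completed")])
    shaky = run_history("2025-01-06", [(1, "completed"), (4, "completed"),
                                       (11, "failed"), (12, "completed"), (15, "failed")])
    print("steady:", steady)
    print("shaky: ", shaky)
    print("due by 2025-01-22:", due_on({"steady": steady, "shaky": shaky}, "2025-01-22"))
```

The steady learner ends on the 30-day rung with nothing due until mid-March; the shaky learner is back on the one-day rung, due again the next day, and carries the escalated flag that should route them into the high-risk cohort's cadence. Keeping the reset explicit matters: a scheduler that only ever lengthens intervals is the annual-training model rediscovered one learner at a time.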
6. Combine Training with Technical Controls
Training cannot replace technology. It must complement it:
- Email filtering: Advanced email security catches most phishing before employees see it
- Multi-factor authentication (MFA): Blocks the large majority of automated credential-stuffing and password-spray attacks (Microsoft's widely cited figure is 99.9%), but only phishing-resistant factors (FIDO2/WebAuthn security keys, passkeys) hold up against adversary-in-the-middle phishing kits that relay one-time codes and push approvals in real time. Prefer those for executives, finance, and administrators.
- User behavior analytics: Detects unusual account activity
- DNS filtering: Blocks known phishing domains
- Endpoint detection and response (EDR): Stops malware payloads delivered through phishing
If training fails (which it will, sometimes), technology catches it.
7. Build Security Culture, Not Compliance Theater
Organizations with the strongest outcomes don’t just train—they embed security into culture:
- Leadership models secure behavior: Executives enable MFA, report suspicious emails, attend training
- Safe reporting: Employees who report phishing are rewarded, not punished. Mistakes are learning opportunities.
- Transparency: Share near-miss data: “Last month, 47 employees reported phishing. 3 got through. Here’s what we learned.”
- Recognition: Celebrate security heroes. Share stories of prevented incidents.
Organizations that see training as “something IT makes people do” get checkbox compliance. Organizations that see training as “we all own security” get cultural change.
The Requirements: The Compliance Reality
For those asking: Yes, annual training is often a requirement.
NIST SP 800-53 (federal requirement):
- AT-2 (Literacy Training and Awareness in Rev. 5; Security Awareness Training in Rev. 4): All personnel must receive awareness training at hire and at an organization-defined frequency, which agencies and FedRAMP typically set to annually, plus refreshers when the system or threat environment changes.
- AT-3 (Role-Based Training): Personnel with significant security duties must receive role-based training before access and at an organization-defined frequency thereafter, again typically annual.
CIS Control 14 (industry framework):
- Establish and maintain a security awareness program with training at hire and at least annually, plus more frequent topical updates
ISO/IEC 27035 (incident management guidance):
- Calls for all employees to be trained to recognize and report incidents; the certifiable awareness requirement sits in ISO/IEC 27001 Annex A (control A.6.3 in the 2022 edition)
So compliance requires annual training. It does not prohibit, and actually recommends, more frequent reinforcement. The compliance requirement is the floor, not the ceiling.
The Next Level: What Companies Should Do Beyond Training
Awareness training is necessary but insufficient. These systemic changes amplify training impact:
Reduce Cognitive Load and Time Pressure
Employees are more likely to click phishing when distracted, under deadline, overwhelmed with alerts, or performing cognitive-heavy tasks.
What to do:
- Improve email workflows
- Reduce unnecessary alerts
- Build in “security moments”—regular breaks to check settings
- Automate routine tasks so security decisions get adequate attention
Make Secure Behavior the Easy Default
Friction in security increases errors. Ease increases compliance:
- Default MFA enabled
- Auto-flag external senders in email clients
- One-click phishing reporting buttons in email
- Pre-filled password managers
- VPN auto-connect for remote workers
Each removes friction from secure behavior.
Improve Incident Reporting
Even perfect training fails if employees don’t report:
- Make it effortless: One-click buttons, not multi-step processes
- Provide feedback: Tell employees what happened to their report
- Shield from punishment: No one is penalized for reporting, including reporting that they clicked. Consequences, if any, attach to concealing an incident, never to making a mistake.
- Gamify reporting: Leaderboards, recognition, rewards
Integrate Training into Incident Response
When a breach occurs, immediately:
- Identify the attack vector
- Conduct focused training on that attack within 24–48 hours
- Share lessons across the organization
- Update simulations to reflect the actual attack
The Connection: The Bridge from September
My September post made the case that the gap between training and operations is a design flaw, not inevitable. The data supports this emphatically.
The UC San Diego study, knowledge decay research, point-of-error training evidence—all point to the same conclusion: the problem is not training. The problem is deployment.
A training program that is annual, generic, measures completion instead of behavior, divorces training from operations, and treats mistakes as failures rather than learning moments will fail. Not because training is useless, but because it’s misaligned with how humans actually learn and how security actually works.
The fix is not “do more training.” The fix is “do training differently”—continuously, contextually, behaviorally, with immediate feedback, embedded in daily operations, combined with technical controls and cultural support.
Conclusion: Is It Worth It?
The question is not whether awareness training works. The evidence is overwhelming: it does—when done right.
The question is: Is your organization doing it right?
If your program is:
- Annual compliance checkbox ✗
- One-size-fits-all content ✗
- Measured by completion rates ✗
- Divorced from operations ✗
- Unsupported by technology or culture ✗
Then no, it’s not worth it. You’re spending money on security theater while your actual risk remains high.
If your program is:
- Continuous and frequent ✓
- Personalized by role and risk ✓
- Measured by behavior change ✓
- Embedded in daily workflows ✓
- Supported by technical controls and leadership ✓
Then yes, it’s absolutely worth it. You’re looking at 69–562% ROI, measurable incident reduction, and genuine security improvement.
The gap between security training and real-world security is not inevitable. It’s a choice. Organizations choosing to close that gap are seeing transformative results.
The research is clear. The path is clear. The only question is: Will your organization take it?
Research Sources
UC San Diego Health Study (2025): Embedded training reduced phishing click susceptibility by only about 2%; more than half of employees had clicked at least once by month 8.
Brside AI Analysis (2025): Training effects fade after 4 months, largely disappear after 6 months without reinforcement; point-of-error training 40% more effective.
KnowBe4 Benchmarking (2025): 67.7M simulations, 14.5M users; baseline 33.1% phish-prone drops to 4.1% after 12 months continuous training.
Osterman Research (2019): Small orgs 69% ROI; large orgs 562% ROI from continuous training.
UK Qualitative Study (2024): Training improves recognition; effectiveness diminishes without reinforcement; one-size-fits-all cited as major limitation.
Phishing Training Scoping Review (2023): Near-term impact documented; long-term sustained change limited; annual programs insufficient.
Healthcare Mandatory Training Study (2019): Mandatory training for high-risk employees did not meaningfully reduce click rates.
Continuous Training Study (2025): 12 months continuous training + immediate feedback = 50% reduction in clicking; 70% don’t repeat after immediate feedback.
Nudge Theory (2025): Real-time email nudges = 300% increase in phishing detection; effective when paired with training and reinforcement.
Spaced Repetition (2025): Brandon Hall Group: personalized learning +55% engagement, +78% retention vs. standard training.
Just-in-Time Training (2025): 40% more effective than generic; <1 minute lessons; workflow integration critical.
Adaptive AI Training (2025): 72-90% reduction in phishing susceptibility; 87% attack reduction in financial services case.
CIS Control 14 & Industry Standards (2024-2025): Annual + quarterly/monthly reinforcement; high-risk monthly; measure behavior not completion.
NIST SP 800-50 & AT Controls (2024): Annual training required; role-based for significant duties; continuous reinforcement recommended.
MFA Effectiveness (2026): MFA blocks 99.9% of automated attacks.
Layered Defense (2025): Email filtering + auth + MFA + EDR + training creates defense-in-depth; training alone insufficient.
