Unpopular Opinion: Most Security Awareness Training Is Broken
Once a year, your employees click through a 45-minute online module about cybersecurity. They answer some multiple choice questions, get a certificate, and immediately forget everything.
Then they click on a phishing link anyway.
Sound familiar?
I’m going to say something that might upset the security awareness industry: most of what passes for “training” is compliance theatre that doesn’t actually change behaviour.
Why Traditional Training Fails
It’s too infrequent. Annual training dumps information once a year and expects retention. That’s not how human memory works. By month three, people have forgotten 80% of what they learned.
It’s not relevant. Generic modules about password security and social engineering don’t connect to people’s actual jobs. A warehouse worker and an accountant face different threats, but they get the same training.
It’s punishment, not education. Training is often positioned as something people have to sit through to stay compliant. That framing guarantees minimal engagement.
It tests knowledge, not behaviour. Passing a quiz proves you can recognise the right answer when it’s multiple choice. It doesn’t prove you’ll spot a phishing email in your inbox on a busy Tuesday.
It ignores psychology. People click on phishing links not because they’re stupid, but because of urgency, authority, and cognitive load. Training that doesn’t address these factors won’t change behaviour.
The Evidence
Studies consistently show that traditional security awareness training has minimal impact on actual security incidents. Click rates on phishing simulations might drop temporarily after training, but they tend to return to baseline within months.
I’ve seen companies with expensive, comprehensive training programs still get compromised through basic phishing. The training was technically excellent. People just didn’t apply it when it mattered.
What Actually Works
Frequent, short interventions. Five minutes every week beats 45 minutes once a year. Quick reminders, relevant tips, and short reinforcement exercises maintain awareness without overwhelming people.
Contextual training. The best training happens at the moment of risk. When someone clicks a simulated phishing link, that’s when they’re most receptive to learning what they missed. Training tied to actual behaviour is far more effective than abstract lessons.
Realistic simulations. Phishing simulations should look like real attacks targeting your organisation, not obviously fake “Nigerian prince” scenarios. Use your company’s branding, reference real internal projects, impersonate actual vendors.
Positive reinforcement. Celebrate people who report suspicious emails rather than punishing those who click. You want to build a culture where reporting is normal and encouraged.
Role-specific content. Finance teams need specific training about BEC and invoice fraud. HR needs to understand how they’re targeted for employee data. IT staff need different content than sales. One-size-fits-all doesn’t fit anyone well.
Executive buy-in. If leadership treats security training as a box-ticking exercise, employees will too. When executives visibly take security seriously and participate in training, culture shifts.
Integration into onboarding. New employees are prime targets - they don’t know what’s normal yet and are eager to please. Security awareness should be part of onboarding, not an afterthought months later.
The Uncomfortable Truth
Here’s the thing nobody wants to admit: you can’t train your way to security.
Even with perfect training, people will make mistakes. They’ll be tired, distracted, or deceived by a particularly clever attack. Building security entirely on human vigilance is building on a foundation of sand.
Training should be part of a layered defence, not the primary control. You also need:
- Technical controls that prevent attacks from reaching users
- Systems that limit damage when someone does make a mistake
- Detection capabilities that catch compromises quickly
- Response plans that work even when prevention fails
Training is one layer. It’s not the only layer.
What I’d Actually Recommend
If I were building a security awareness program from scratch:
Monthly touchpoints. A 5-minute video or interactive exercise each month, focused on current threats and relevant to the business.
Weekly phishing simulations. Yes, weekly. Low-volume but consistent. Immediate feedback when someone clicks. Positive recognition for reporting.
Quarterly deep-dives. 30-minute sessions on specific topics, different each quarter. Make them engaging - bring in examples from real incidents, discuss near-misses from your own organisation.
Clear escalation paths. Everyone should know exactly how to report something suspicious and what happens when they do. Make reporting so easy that people do it reflexively.
Metrics that matter. Track reporting rates, not just click rates. Track time to report. Track detection of simulated insider threats. Measure behaviour change, not quiz scores.
No shame. Ever. Public shaming of people who click on simulations creates fear and reduces reporting. It’s counterproductive.
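The metrics point above is easy to state and easy to get wrong in practice, so here is an added example (not from the original post, not from any vendor platform) that computes the behaviour-oriented numbers the post asks for from simulation campaign data: report rate, time to report, the share of recipients who reported before clicking, and the change between campaigns. The campaign names, user names and timings are constructed sample data; the `SimEvent` record shape is an assumption about what a simulation tool exports.

```python
from dataclasses import dataclass
from statistics import median
from typing import Optional


@dataclass
class SimEvent:
    """One recipient's outcome in one phishing simulation (assumed export shape)."""
    campaign: str
    user: str
    sent_at: int                 # minutes since campaign start
    clicked_at: Optional[int]    # None if the user never clicked
    reported_at: Optional[int]   # None if the user never reported


# Constructed sample data: two weekly campaigns, five recipients each.
CONSTRUCTED_EVENTS = [
    SimEvent("week-01", "alice", 0, 12, None),
    SimEvent("week-01", "bob",   0, None, 8),
    SimEvent("week-01", "carol", 0, 30, 35),   # clicked, then reported
    SimEvent("week-01", "dave",  0, None, None),
    SimEvent("week-01", "erin",  0, 5, None),
    SimEvent("week-02", "alice", 0, None, 20),
    SimEvent("week-02", "bob",   0, None, 3),
    SimEvent("week-02", "carol", 0, 40, None),
    SimEvent("week-02", "dave",  0, None, 15),
    SimEvent("week-02", "erin",  0, 7, 9),     # clicked, then reported
]


def campaign_metrics(events, campaign):
    """Behaviour metrics for one campaign, not just the click rate."""
    rows = [e for e in events if e.campaign == campaign]
    n = len(rows)
    if n == 0:
        raise ValueError(f"no events for campaign {campaign!r}")
    clicked = sum(1 for e in rows if e.clicked_at is not None)
    reported = sum(1 for e in rows if e.reported_at is not None)
    # "Reported before clicking" is the behaviour we actually want to grow.
    reported_first = sum(
        1 for e in rows
        if e.reported_at is not None
        and (e.clicked_at is None or e.reported_at < e.clicked_at)
    )
    report_times = [e.reported_at - e.sent_at for e in rows if e.reported_at is not None]
    return {
        "recipients": n,
        "click_rate": clicked / n,
        "report_rate": reported / n,
        "report_before_click_rate": reported_first / n,
        # Median time to report shows how quickly the population reacts.
        "median_minutes_to_report": median(report_times) if report_times else None,
        # First report is when the SOC first learns a real campaign is running.
        "first_report_minutes": min(report_times) if report_times else None,
    }


def behaviour_trend(events, campaigns):
    """Per-campaign metrics plus the change in report rate versus the previous one."""
    trend = []
    previous = None
    for name in campaigns:
        m = campaign_metrics(events, name)
        m["campaign"] = name
        m["report_rate_delta"] = None if previous is None else m["report_rate"] - previous
        previous = m["report_rate"]
        trend.append(m)
    return trend


def repeat_clickers(events, min_campaigns=2):
    """Users who clicked in at least min_campaigns campaigns.

    Use this to target contextual follow-up training, never to publish names.
    """
    clicks = {}
    for e in events:
        if e.clicked_at is not None:
            clicks.setdefault(e.user, set()).add(e.campaign)
    return sorted(u for u, c in clicks.items() if len(c) >= min_campaigns)


if __name__ == "__main__":
    for row in behaviour_trend(CONSTRUCTED_EVENTS, ["week-01", "week-02"]):
        print(row)
    print("repeat clickers:", repeat_clickers(CONSTRUCTED_EVENTS))
```

In the constructed data the click rate falls from 0.6 to 0.4 between campaigns, but the more telling numbers are the report rate rising from 0.4 to 0.8 and the first report arriving after 3 minutes instead of 8; those are the figures that tell you whether the organisation would notice a real campaign early.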
The Culture Piece
Ultimately, security awareness is about culture, not training.
In a good security culture:
- People feel responsible for security, not just IT
- Reporting suspicious activity is celebrated
- Asking questions about security is normal
- Mistakes are learning opportunities, not career-ending events
- Leadership demonstrates security practices
Training can support culture. It can’t create it by itself.
The Vendor Question
The security awareness training market is flooded with vendors offering increasingly sophisticated platforms. Some are excellent. Many are mediocre dressed up with good marketing.
Before buying anything, ask:
- Does this integrate with our email to enable real-time simulations?
- Can we customise content to our business and industry?
- What does the data actually show about effectiveness?
- Is it engaging, or will employees hate it?
- Can we test before committing?
The most expensive platform won’t help if people click “next” without reading.
My Honest Take
I’m not anti-training. People need to understand the threats they face and their role in defending against them. That’s education, and it matters.
What I’m against is the illusion that an annual compliance checkbox protects your organisation. It doesn’t. It generates certificates and satisfies auditors while doing little to actually reduce risk.
If your training program isn’t changing behaviour - actual behaviour, measured over time - it’s not working. Don’t kid yourself that it is.
Real security awareness requires sustained effort, leadership commitment, cultural change, and integration with technical controls. It’s harder than buying a training platform. But it’s the only approach that actually works.