Security Awareness Training Doesn't Work. Here's What Does.
Picture your organization's security awareness training. If you have one, it probably involves a Learning Management System, a video featuring a cartoon character explaining why you shouldn't click suspicious links, a quiz at the end with questions like "Is it a good idea to give your password to strangers?" and a completion certificate that gets filed somewhere to satisfy a compliance requirement.
Employees click through it in seventeen minutes while on a call about something else. They score 90 percent on the quiz because the wrong answers are obviously wrong. The compliance checkbox gets checked. And approximately nothing about their security behavior changes.
I know this because I test it. Phishing simulations run six to eight weeks after a training rollout routinely show click rates that are statistically indistinguishable from before the training. The knowledge transferred. The behavior did not.
Why Awareness and Behavior Are Different Things
Security awareness training is designed to transfer knowledge. It is not designed to change behavior under stress, time pressure, or distraction, which is exactly the condition under which every real attack unfolds.
You can know that phishing emails exist, know the warning signs, and still click a well-crafted one when you're tired, context-switched between three tasks, and the email arrives in a format that matches something legitimate you received last week. Knowledge is not the same as judgment, and judgment is what you actually need when the stakes are real.
There is a decades-old body of behavioral research on this. Knowing that something is risky and reliably choosing the safe option in a pressured real-world situation require different cognitive processes. Training programs that focus exclusively on knowledge transfer are optimized for the wrong outcome.
What Phishing Simulations Get Wrong
Used well, simulated phishing is one of the most effective tools in the security culture toolkit. Used badly, it becomes a game where employees try to spot the fake emails and security teams celebrate declining click rates on tests that stopped looking anything like real attacks three months in.
The common mistakes: sending obvious simulations that employees quickly learn to recognize as tests, publishing click rate metrics without any educational follow-up, and using click events as a weapon rather than a teaching moment. Organizations that shame or punish employees who click on simulations train people to not report anything suspicious, ever, because they are afraid of consequences. The opposite of what you want.
Good simulation programs use realistic, timely lures. They follow every click with immediate and specific feedback: here is what you missed, here is why it worked, here is what to do next time. They measure reporting rates alongside click rates, because an employee who clicks and then immediately reports it has done something valuable. And they run continuously rather than quarterly, because habits form through repetition, not annual events.
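The two measurements this post leans on, the before/after click-rate comparison in the opening and the click rate, report rate and click-then-report rate described above, worked through in an added example (not code from the original post). The event log is constructed, and the hypothetical campaign names "before" and "after" stand for a simulation sent shortly before and six to eight weeks after a training rollout.

```python
from math import erf, sqrt

# Constructed sample simulation log: (campaign, user, event). One user can
# generate several events; "clicked" followed by "reported" is the case the
# text calls valuable, so it is counted on its own.
EVENTS = [(c, u, "sent") for c in ("before", "after") for u in range(1, 11)] + [
    ("before", 1, "clicked"), ("before", 2, "clicked"), ("before", 3, "clicked"),
    ("before", 4, "clicked"), ("before", 2, "reported"), ("before", 5, "reported"),
    ("after", 1, "clicked"), ("after", 2, "clicked"), ("after", 3, "clicked"),
    ("after", 1, "reported"), ("after", 2, "reported"), ("after", 5, "reported"),
    ("after", 6, "reported"),
]


def campaign_metrics(events, campaign):
    """Click, report and click-then-report rates for one campaign.

    The denominator is the number of users the lure was sent to; a user is
    counted at most once per category however many events they generated.
    """
    users = {"sent": set(), "clicked": set(), "reported": set()}
    for camp, user, event in events:
        if camp == campaign and event in users:
            users[event].add(user)
    n = len(users["sent"])
    if n == 0:
        raise ValueError(f"no recipients recorded for campaign {campaign!r}")
    clicked = users["clicked"] & users["sent"]
    reported = users["reported"] & users["sent"]
    return {
        "sent": n,
        "clicks": len(clicked),
        "click_rate": len(clicked) / n,
        "report_rate": len(reported) / n,
        # Clicked and still reported: the outcome the program should reward.
        "click_then_report_rate": len(clicked & reported) / n,
    }


def click_rate_change_p_value(events, before, after):
    """Two-sided two-proportion z-test on the click rates of two campaigns.

    A large p-value means the change in click rate is statistically
    indistinguishable from noise at this sample size.
    """
    b, a = campaign_metrics(events, before), campaign_metrics(events, after)
    pooled = (b["clicks"] + a["clicks"]) / (b["sent"] + a["sent"])
    se = sqrt(pooled * (1 - pooled) * (1 / b["sent"] + 1 / a["sent"]))
    if se == 0:  # nobody or everybody clicked in both campaigns: no difference
        return 1.0
    z = (b["click_rate"] - a["click_rate"]) / se
    return 2 * (1 - 0.5 * (1 + erf(abs(z) / sqrt(2))))
```

With the constructed data the click rate falls from 40% to 30% while the report rate doubles, and the p-value near 0.64 shows why a drop of that size on ten recipients proves nothing on its own.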
The Uncomfortable Ask
What actually changes behavior is culture, and culture is not a training module. It is the set of norms that governs what people do when nobody is watching and there is no obvious right answer.
A security culture where employees feel comfortable saying "I think I just clicked something bad" produces better outcomes than one where the same event is a career concern. A culture where security is visibly prioritized by leadership, where security teams are accessible rather than adversarial, and where doing the secure thing is the path of least resistance produces better outcomes than one where security is the department that shows up to slow things down.
Building that culture requires security teams to stop treating users as the problem to be managed and start treating them as the last line of defense that needs to be equipped, not blamed. It requires making the secure path easier than the insecure one wherever possible. It requires leadership to visibly model the behaviors they want to see, because middle management does what executives normalize.
None of that fits in a seventeen-minute compliance module. All of it is more effective than one.
The annual training checkbox satisfies your auditor. Building an actual security culture is what gives an attacker less to work with. Do both, but know which one is doing the real work.