Thought Leadership · 6 min read

Why Security Awareness Training Is Failing

Security awareness training isn't working. Here's why the current approach fails and what actually changes behavior.

Tags: security training, awareness, human factors, culture


Billions are spent annually on security awareness training. Yet phishing still succeeds at a high rate, and breach reports still put a human action (a click, a reused password, a misdirected email) somewhere in the chain of nearly every incident. Something isn't working.

The Uncomfortable Truth

By the Numbers

Commonly cited industry figures (definitions of "human error" and the sampled populations vary by report, so treat these as order-of-magnitude rather than exact):

  • 90%+ of breaches involve human error
  • 30% average phishing click rate (many organizations)
  • 70% of employees can't identify phishing emails
  • $5B+ spent on awareness training annually

Despite massive investment, the numbers aren't improving significantly.

What Employees Actually Experience

The Annual Ritual:

  1. Email arrives: "Complete your security training by Friday"
  2. Open training platform
  3. Click through slides
  4. Pass multiple-choice quiz
  5. Return to normal work
  6. Forget everything within days

The Result:

  • Checkbox completed
  • Behavior unchanged
  • Risk unchanged
  • Money wasted

Why Current Training Fails

Problem 1: Wrong Mental Model

The Assumption: "People make bad security decisions because they lack knowledge. Give them information, and they'll behave securely."

The Reality: People make bad decisions because of:

  • Time pressure
  • Cognitive overload
  • Poor system design
  • Competing priorities
  • Lack of perceived relevance

Information alone doesn't change behavior.

Problem 2: Wrong Format

Typical Training:

  • Annual or semi-annual
  • Video-based
  • Generic content
  • Passive consumption
  • Test at the end

Problems:

  • Forgetting curve destroys retention
  • No transfer to real situations
  • Boring = disengaged
  • One-size-fits-all misses everyone
  • Testing knowledge ≠ changing behavior

Problem 3: Wrong Metrics

What Organizations Measure:

  • Training completion rate
  • Quiz scores
  • Compliance status

What Actually Matters:

  • Behavior change
  • Incident reduction
  • Reporting rates
  • Response time

Completion ≠ Comprehension ≠ Behavior Change

Problem 4: Wrong Blame Model

The Implicit Message: "Security breaches happen because employees are careless. Training will fix them."

The Reality: Most "careless" behavior is rational given:

  • Poor tools that make security hard
  • Processes that conflict with security
  • Leadership that prioritizes speed over security
  • Systems designed for convenience, not security

Blaming users is easier than fixing systems.

Problem 5: Wrong Timing

Training Model: Learn now, apply later (maybe).

Better Model: Learn when relevant, apply immediately.

Just-in-time education beats just-in-case training.

What Actually Changes Behavior

Principle 1: Make Security Easy

System Design:

  • Password managers that work seamlessly
  • MFA that doesn't frustrate
  • Secure defaults that require effort to change
  • Tools that integrate with workflow

Example: Instead of training users to verify sender addresses:

  • Deploy email authentication (SPF, DKIM and DMARC) and move DMARC to an enforcing policy (p=quarantine or p=reject); a p=none record only generates reports and still lets spoofed mail through
  • Add [EXTERNAL] labels automatically at the gateway or via a transport rule, so the user never has to inspect the From header to know a message came from outside
  • Enable the mail client's sender-verification indicators (first-contact warnings, display-name/address mismatch warnings)

Reduce reliance on human detection: every check the mail system makes is one the user no longer has to make under time pressure.
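The DMARC point above is easy to get half right: many domains publish a record and stop at p=none, which changes nothing about what receivers do with spoofed mail. The following is an added example (not tooling from the article or its author) that parses a DMARC TXT record offline and reports whether it actually enforces. The three records it checks are constructed samples for example.com, not real lookups; to test a real domain, query the TXT record at `_dmarc.<domain>` and pass the string to `assess_dmarc`.

```python
"""Classify a DMARC record as monitoring-only or enforcing.

Added example, not the article's own code. Records below are
constructed samples (example.com), not real DNS lookups.
"""
from dataclasses import dataclass, field


@dataclass
class DmarcVerdict:
    policy: str                      # "none", "quarantine", "reject" or "missing"
    enforcing: bool                  # True only if failing mail is actually acted on
    findings: list = field(default_factory=list)


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a lowercase-tag dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> DmarcVerdict:
    """Return the policy, whether it enforces, and the weaknesses found."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return DmarcVerdict("missing", False, ["not a DMARC1 record"])

    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))          # DMARC default: apply to 100%
    findings = []

    if policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so you cannot see who spoofs you")
    sp = tags.get("sp", "").lower()
    if sp == "none" and policy != "none":
        findings.append("sp=none: subdomains unprotected even though the org domain is enforced")

    enforcing = policy in ("quarantine", "reject") and pct == 100
    return DmarcVerdict(policy, enforcing, findings)


# Constructed sample records (example.com is a reserved domain).
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
PARTIAL_RECORD = "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com"
STRONG_RECORD = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
                 "rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.com")

if __name__ == "__main__":
    for label, rec in (("weak", WEAK_RECORD), ("partial", PARTIAL_RECORD), ("strong", STRONG_RECORD)):
        verdict = assess_dmarc(rec)
        print(f"{label:8} p={verdict.policy:10} enforcing={verdict.enforcing}")
        for finding in verdict.findings:
            print(f"         - {finding}")
```

The check only looks at the domain's own published policy. For enforcement to bite, outbound mail must also pass SPF or DKIM with alignment, which is why the usual rollout is p=none with reports, fix the legitimate senders that fail, then raise to quarantine and finally reject.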

Principle 2: Practice, Don't Present

Instead of Videos:

  • Interactive simulations
  • Role-playing exercises
  • Realistic phishing tests with immediate feedback
  • Hands-on scenarios

The Research:

  • Active learning (doing, practising, being corrected) retains far more than passive viewing
  • The widely quoted figures of 75% retention for practice versus 10% for passive consumption come from the "learning pyramid", whose numbers have no solid empirical source; the direction of the effect is well supported, the exact percentages are not

Make them do it, not watch it.

Principle 3: Immediate, Relevant Feedback

Traditional Approach: Fail phishing test → Eventually added to quarterly training metrics

Better Approach: Click phishing link → Immediate education about what you missed

Feedback Loop: Behavior → Immediate consequence → Learning → Adjusted behavior

Principle 4: Positive Reinforcement

Traditional Culture:

  • "Don't click bad links"
  • Punishment for mistakes
  • Shaming for failures
  • Security as obstacle

Better Culture:

  • "Report suspicious emails"
  • Recognition for good behavior
  • Learning from mistakes
  • Security as enabler

People avoid negative experiences, including security training.

Principle 5: Continuous, Not Annual

The Forgetting Curve (rough figures in the Ebbinghaus tradition; the actual decay depends on the material and on whether it is ever reviewed):

  • 1 hour later: 50% forgotten
  • 1 day later: 70% forgotten
  • 1 week later: 90% forgotten
The Solution:

  • Micro-learning (5-minute modules)
  • Regular reinforcement
  • Spaced repetition
  • Ongoing phishing simulations

Little and often beats big and rare.

Redesigning Awareness Programs

Phase 1: Measure Differently

Stop Measuring:

  • Completion percentages
  • Quiz scores
  • Training hours

Start Measuring:

  • Phishing click rates over time
  • Reporting rates (should increase)
  • Time to report suspicious activity
  • Incident frequency and severity

Phase 2: Train Differently

Monthly Micro-Learning:

  • 5-10 minute modules
  • Focused on one topic
  • Interactive elements
  • Immediately applicable

Continuous Phishing Simulation:

  • Regular, realistic tests
  • Immediate feedback when clicked
  • Progressive difficulty
  • No punishment, only learning

Role-Specific Training:

  • Executives: BEC and wire fraud
  • Finance: Payment security
  • HR: Personal data protection
  • Everyone: Email security basics

Phase 3: Design Systems Differently

Reduce Human Dependence:

  • Email authentication
  • Link protection
  • Attachment sandboxing
  • Automated alerting

Make Secure Behavior Easy:

  • One-click reporting
  • Password manager deployment
  • Seamless MFA
  • Clear escalation paths

Phase 4: Lead Differently

Leadership Behaviors:

  • Visibly follow security practices
  • Celebrate security wins
  • Treat incidents as learning
  • Resource security appropriately

Culture Signals:

  • Security discussed in team meetings
  • Security part of performance expectations
  • Investment in security tools
  • Time allocated for security tasks

A Better Training Model

The 70-20-10 Rule

10% Formal Training:

  • Compliance requirements
  • New threat awareness
  • Policy updates

20% Social Learning:

  • Peer discussions
  • Security champions
  • Team exercises
  • Sharing experiences

70% On-the-Job:

  • Real phishing simulations
  • Immediate feedback
  • Practical application
  • Just-in-time guidance

Monthly Program Example

Week 1:

  • 5-minute micro-learning module
  • Topic: Current threat focus

Week 2:

  • Phishing simulation (subset of users)
  • Immediate feedback to clickers

Week 3:

  • Team discussion: What we've seen
  • Security champion check-in

Week 4:

  • Metric review
  • Recognition for good behavior
  • Prepare next month's focus

Quick Wins to Implement Now

This Week

  1. Enable one-click phishing reporting (the Report Message add-in in Outlook/Microsoft 365, Gmail's built-in Report phishing option, or your mail gateway's reporting button) and make sure reports land in a queue someone actually triages
  2. Recognize someone for reporting suspicious email
  3. Send brief tip (not a training—just a tip)

This Month

  1. Run one phishing simulation with immediate feedback
  2. Measure reporting rate, not just click rate
  3. Simplify one security process that frustrates users

This Quarter

  1. Implement micro-learning (replace annual training)
  2. Train security champions in each department
  3. Establish security discussion in team meetings

Measuring Success

Leading Indicators

  • Phishing report volume (should increase)
  • Time to report (should decrease)
  • Questions asked (engagement indicator)
  • Champion activity level

Lagging Indicators

  • Phishing click rate (should decrease over time)
  • Security incident volume
  • Incident severity
  • Recovery time
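Phase 1 above says to replace completion percentages with behaviour metrics, and the leading/lagging indicators here spell out which ones. As an added example (not code from the article or its author), the script below computes those indicators from a constructed phishing-simulation export: for each campaign it reports click rate, report rate, who reported without clicking, who clicked and then reported (the immediate-feedback case), minutes until the first report reached the security team, and the median time to report. The CSV header and event names (sent, clicked, reported) are assumptions; real platforms export different column names.

```python
"""Behaviour metrics from phishing-simulation events.

Added example, not the article's own tooling. SAMPLE_EVENTS is a
constructed export (campaign, user, event, ISO-8601 timestamp);
event names and columns are assumptions, not a vendor's format.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

SAMPLE_EVENTS = """\
campaign,user,event,timestamp
2024-03-invoice,alice,sent,2024-03-05T09:00:00
2024-03-invoice,bob,sent,2024-03-05T09:00:00
2024-03-invoice,carol,sent,2024-03-05T09:00:00
2024-03-invoice,dave,sent,2024-03-05T09:00:00
2024-03-invoice,alice,reported,2024-03-05T09:04:00
2024-03-invoice,bob,clicked,2024-03-05T09:10:00
2024-03-invoice,bob,reported,2024-03-05T09:12:00
2024-03-invoice,carol,clicked,2024-03-05T11:30:00
2024-04-mfa-reset,alice,sent,2024-04-09T09:00:00
2024-04-mfa-reset,bob,sent,2024-04-09T09:00:00
2024-04-mfa-reset,carol,sent,2024-04-09T09:00:00
2024-04-mfa-reset,dave,sent,2024-04-09T09:00:00
2024-04-mfa-reset,alice,reported,2024-04-09T09:02:00
2024-04-mfa-reset,carol,reported,2024-04-09T09:05:00
2024-04-mfa-reset,dave,clicked,2024-04-09T09:20:00
2024-04-mfa-reset,bob,reported,2024-04-09T09:30:00
"""


def parse_events(text):
    """Turn the CSV export into (campaign, user, event, datetime) tuples."""
    rows = text.strip().splitlines()[1:]          # skip the header line
    events = []
    for line in rows:
        campaign, user, event, ts = line.split(",")
        events.append((campaign, user, event, datetime.fromisoformat(ts)))
    return events


def campaign_metrics(events):
    """Per-campaign leading and lagging indicators."""
    by_campaign = defaultdict(list)
    for campaign, user, event, ts in events:
        by_campaign[campaign].append((user, event, ts))

    results = {}
    for campaign, rows in by_campaign.items():
        sent_at = {u: ts for u, e, ts in rows if e == "sent"}
        clicked = {u for u, e, ts in rows if e == "clicked"}
        report_at = {}                              # earliest report per user
        for u, e, ts in rows:
            if e == "reported" and (u not in report_at or ts < report_at[u]):
                report_at[u] = ts
        n = len(sent_at)
        if n == 0:
            continue
        first_sent = min(sent_at.values())
        first_report = min(report_at.values()) if report_at else None
        results[campaign] = {
            "sent": n,
            "click_rate": len(clicked) / n,           # lagging: should fall over time
            "report_rate": len(report_at) / n,        # leading: should rise over time
            "reported_without_clicking": sorted(set(report_at) - clicked),
            "clicked_then_reported": sorted(clicked & set(report_at)),
            # how long the security team was blind before the first human alarm
            "minutes_to_first_report": (
                (first_report - first_sent).total_seconds() / 60 if first_report else None),
            "median_minutes_to_report": (
                median((report_at[u] - sent_at[u]).total_seconds() / 60 for u in report_at)
                if report_at else None),
        }
    return results


def trend(results):
    """Campaigns in chronological order with the two headline rates."""
    return [(c, round(m["click_rate"], 2), round(m["report_rate"], 2))
            for c, m in sorted(results.items())]


if __name__ == "__main__":
    metrics = campaign_metrics(parse_events(SAMPLE_EVENTS))
    for campaign, click, report in trend(metrics):
        m = metrics[campaign]
        print(f"{campaign}: click {click:.0%}, report {report:.0%}, "
              f"first report after {m['minutes_to_first_report']:.0f} min, "
              f"median report {m['median_minutes_to_report']:.0f} min")
```

The two campaigns in the sample are constructed to show the trend the article is after: the click rate halves and the report rate rises between March and April, and the first report arrives sooner. Minutes-to-first-report is the number to watch operationally, because one early report is what lets the team pull the real message from every other inbox.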

The Goal

Not: 100% quiz scores

Instead: A culture where:

  • People report suspicious activity
  • Security is everyone's concern
  • Mistakes are learning opportunities
  • Good behavior is recognized

Conclusion

Security awareness training isn't useless—but the way most organizations do it is.

Stop: Buying videos, measuring completion, blaming users

Start: Designing secure systems, practicing behaviors, building culture

The problem isn't that employees don't know about phishing. It's that knowing doesn't translate to doing.

Fix the doing, not the knowing.


Ready to rebuild your security awareness program? Contact us: m1k3@msquarellc.net
