I’m going to say something that might sound counterintuitive coming from someone who’s spent decades in cybersecurity: most employee security training is a waste of time.
Not because training doesn’t matter. It absolutely does. The human element is involved in roughly 60% of all data breaches, according to Verizon’s 2025 Data Breach Investigations Report. Phishing is still the entry point for a huge portion of attacks. Business email compromise alone generated $6.3 billion in losses. People are, without question, the most targeted layer of any organization’s defenses.
The problem isn’t whether you should train your employees. The problem is that the way most companies do it doesn’t actually change behavior.
I’ve walked into companies after a breach and asked about their training program. The answer is almost always the same: “We do an annual compliance module. Everyone clicks through the slides and passes the quiz.” Then I ask the employee who clicked the phishing link that started the whole mess. They remember taking the training. They just don’t remember anything it taught them.
So let’s talk about what the research actually shows works, what doesn’t, and how to build a training program that makes a real difference.
Why Most Training Programs Fail
The traditional approach to cybersecurity awareness goes something like this: once a year, employees sit through a slideshow or watch a video. They learn about password hygiene, phishing red flags, and how to report suspicious emails. They take a quiz. They pass. They go back to work and forget 70% of what they learned within 24 hours.
That last number isn’t an exaggeration. It’s based on the Ebbinghaus Forgetting Curve, a well-established principle in learning science that shows people lose most new information within a day unless it’s reinforced. Annual training modules are fundamentally designed to fail by the very nature of how human memory works.
The data backs this up. Research shows that while 84% of security awareness programs aim to change employee behavior, fewer than half, only 43%, regularly monitor whether those behavioral changes actually happen. Organizations are measuring completion rates, not outcomes. They’re checking the box without checking whether the box made anyone safer.
Employee feedback tells the same story. Surveys indicate that roughly 21% of employees rate their company’s training as barely effective or completely ineffective, and another 30% find it only slightly engaging. When nearly half your workforce is telling you the training isn’t working, that’s not a people problem. It’s a program design problem.
The most common complaints are predictable: the content is boring, it’s generic, it doesn’t relate to what employees actually do in their jobs, and it treats everyone the same regardless of their role, their access level, or their actual risk profile.
What the Data Says About What Works
The good news is that training can be highly effective when it’s designed around how people actually learn and how attacks actually happen. Here’s what the evidence supports:
Frequency beats intensity.
Organizations that deliver training continuously, in short, regular intervals, see dramatically better outcomes than those relying on annual sessions. Research from KnowBe4 found that 90 days of consistent training can reduce phishing susceptibility by over 40%. Ongoing programs that deliver security awareness training more than three times per year have been linked to a 72% reduction in employee-driven cyber incidents. The principle is simple: regular exposure reinforces habits. One-time events create temporary awareness that fades quickly.
Phishing simulations change behavior.
Simulated phishing exercises, where employees receive realistic but harmless phishing emails and get immediate feedback when they click, are one of the most effective tools available. Employees who’ve been through phishing awareness training are 30% less likely to click on actual phishing links. More importantly, Verizon’s data shows that user reporting of phishing attempts increased fourfold after simulation-based training programs were implemented. That’s the real measure of success: not just whether people stop clicking, but whether they start reporting.
The key is immediate, constructive feedback. When someone clicks a simulated phishing email, they should see a brief explanation right then and there: here’s what you missed, here’s what to look for next time. That just-in-time learning moment is far more memorable than anything taught in a classroom six months earlier.
Focus on the high-risk employees.
One of the most actionable findings from the 2025 Verizon DBIR is that just 8% of employees account for 80% of security incidents. That’s an enormous concentration of risk in a very small group. Instead of treating every employee exactly the same, effective programs identify the individuals and roles that present the highest risk, whether because of their access privileges, their exposure to social engineering, or their track record in simulations, and deliver targeted, intensified training to that group.
New hires deserve special attention here. Research shows that employees in their first 90 days are 71% more likely to click on phishing links, and 45% more likely to fall for CEO impersonation emails, compared to experienced staff. Onboarding is a critical window for building security habits before bad ones take root.
Make it relevant to the role.
A finance team member facing invoice fraud attempts needs very different training than a developer handling API keys or an executive being targeted by spear-phishing campaigns. Generic content that covers everything at a surface level ends up being relevant to no one at a practical level. The most effective programs tailor scenarios and examples to what employees actually encounter in their daily work. When people can see the direct connection between the training and the threats they face in their specific role, engagement goes up and behavior change sticks.
Interactive formats outperform passive ones.
Studies consistently show that interactive training formats, including simulations, gamified exercises, and scenario-based learning, retain information 2.3 times better than traditional slide presentations. Gamification alone increases engagement by 60%. This isn’t about making training “fun” for the sake of it. It’s about how the brain encodes information. Active participation creates stronger neural pathways than passive consumption. When people make decisions in a simulated scenario and experience the consequences, they’re far more likely to make the right decision when a real threat shows up in their inbox.
The AI Complication
Everything I just described is becoming more urgent because of how quickly AI is changing the threat landscape.
AI-generated phishing attacks are now grammatically flawless, culturally attuned, and hyper-personalized. Research from Hoxhunt found that as of early 2025, AI-crafted phishing attacks are 24% more effective than human-crafted ones. The old advice of “look for spelling mistakes and awkward grammar” is completely obsolete. AI has eliminated those tell-tale signs.
Meanwhile, Fortinet’s 2025 Security Awareness Report found that nearly 9 in 10 organizations say AI-driven threats have increased employee awareness of why training matters, but only about 40% of leaders believe their employees are actually prepared to identify and report AI-based threats. There’s a massive gap between awareness and readiness.
This means training programs need to evolve beyond teaching people to spot mistakes. The new imperative is building a habit of verification: pause before acting, confirm through a trusted channel, and report anything that feels off, even if you can’t pinpoint exactly why. That’s a fundamentally different skill than scanning an email for typos.
Building a Security Culture, Not Just a Training Program
Here’s the part that separates companies that check a compliance box from companies that actually reduce their risk: culture.
The most effective cybersecurity training isn’t really about training at all. It’s about building an environment where security-conscious behavior is the norm, where employees feel empowered to report suspicious activity without fear of punishment, and where leadership visibly treats cybersecurity as a shared responsibility.
That last point matters more than most companies realize. When leadership treats security training as a burden to be minimized rather than an investment to be made, employees take the cue. When the CEO skips the phishing simulation, everyone notices. When the response to an employee clicking a phishing link is shame rather than education, people stop reporting. And unreported threats are the ones that cause breaches.
The organizations I’ve seen build the strongest security cultures share a few common traits:
They make reporting easy and consequence-free. Employees should be able to flag a suspicious email with a single click. And when they report something, even if it’s a false alarm, the response should be “thank you” rather than “why are you wasting our time.” Verizon’s data shows that organizations with effective reporting cultures see phishing report rates quadruple. That’s a force multiplier that no amount of technology can replace.
Their leadership participates visibly. When executives go through the same training, take the same phishing simulations, and talk openly about security, it signals that this matters. It’s not just an IT thing. It’s a business thing.
They treat mistakes as teaching moments. The goal of a phishing simulation is not to catch people doing something wrong. It’s to give them a safe space to make a mistake and learn from it before a real attacker exploits that same vulnerability. Punitive approaches drive reporting underground, which is the opposite of what you want.
They tie security to business outcomes. When employees understand that a single compromised credential can shut down operations, cost the company hundreds of thousands of dollars, and jeopardize client relationships, the training stops feeling like abstract IT policy and starts feeling like protecting something they care about.
What a Practical Program Looks Like
If you’re a small or mid-sized business and you want to build a training program that actually reduces risk, you don’t need a massive budget or a dedicated security awareness team. You need consistency, relevance, and measurement. Here’s a framework that works:
Start with a baseline.
Before you train anyone, measure where you stand. Run an initial phishing simulation across the organization. Break the results down by department and role. This gives you a click rate you can track over time and identifies where your highest risk concentrations are.
Deliver short, frequent training.
Replace the annual hour-long module with brief, focused sessions delivered monthly or quarterly. Five to ten minutes is enough to cover one topic well. Rotate through the threats that matter most: phishing, business email compromise, social engineering, password security, physical security, and safe browsing habits. Keep it practical, keep it current, and keep it relevant to people’s actual jobs.
Run regular phishing simulations.
Run monthly or bi-monthly simulations using realistic scenarios based on current threat trends. Vary the difficulty. Vary the attack type. Track click rates, report rates, and response times over multiple campaigns. The trends matter more than any single result.
Provide immediate, constructive feedback.
When someone clicks a simulated phish, show them exactly what happened and what to look for next time. When someone reports a simulated phish correctly, acknowledge it. Positive reinforcement is more effective than punishment at building lasting habits.
Intensify training for high-risk groups.
New hires should get cybersecurity training during their first week. Employees with access to financial systems, customer data, or admin credentials should receive more frequent and more advanced training. Serial clickers in simulations should get additional, targeted coaching.
Measure outcomes, not completion.
The metrics that matter are phishing click rates over time, report rates, time to report, and whether security incidents linked to human error are trending down. A 100% completion rate on a training module means nothing if click rates aren’t improving.
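As an added illustration of the baseline and measurement steps above (example code written for this article, not a tool from the original post or from any vendor), the following Python computes the metrics the framework names from constructed simulation results: per-department click rate, report rate and median minutes-to-report for one campaign, plus how concentrated clicks are among employees, which doubles as the targeted-coaching list. The campaign names, employee handles, departments and numbers are all made up.

```python
from collections import defaultdict, namedtuple
from statistics import median

# Constructed sample results, one row per recipient per simulated campaign (hypothetical data).
Result = namedtuple("Result", "campaign employee dept clicked reported minutes_to_report")
RESULTS = [Result(*r) for r in [
    ("2025-01", "a.lee",   "finance", True,  False, None),
    ("2025-01", "b.ng",    "finance", False, True,  12),
    ("2025-01", "c.ortiz", "eng",     False, True,  40),
    ("2025-01", "d.park",  "eng",     True,  False, None),
    ("2025-01", "e.roy",   "sales",   False, False, None),
    ("2025-02", "a.lee",   "finance", True,  False, None),
    ("2025-02", "b.ng",    "finance", False, True,  8),
    ("2025-02", "c.ortiz", "eng",     False, True,  25),
    ("2025-02", "d.park",  "eng",     False, True,  60),
    ("2025-02", "e.roy",   "sales",   False, False, None),
]]

def campaign_metrics(results, campaign):
    """Per-department click rate, report rate and median minutes-to-report for one campaign."""
    by_dept = defaultdict(list)
    for r in results:
        if r.campaign == campaign:
            by_dept[r.dept].append(r)
    metrics = {}
    for dept, rows in by_dept.items():
        times = [r.minutes_to_report for r in rows if r.reported and r.minutes_to_report is not None]
        metrics[dept] = {
            "click_rate": sum(r.clicked for r in rows) / len(rows),
            "report_rate": sum(r.reported for r in rows) / len(rows),
            "median_minutes_to_report": median(times) if times else None,  # None when nobody reported
        }
    return metrics

def click_concentration(results, share=0.8):
    """Fraction of employees who account for `share` of all clicks across campaigns, and who they are."""
    clicks = defaultdict(int)
    for r in results:
        clicks[r.employee] += int(r.clicked)
    total = sum(clicks.values())
    if total == 0:  # no clicks at all: nothing to concentrate, nobody to coach
        return 0.0, []
    group, cum = [], 0
    for emp, n in sorted(clicks.items(), key=lambda kv: kv[1], reverse=True):
        group.append(emp)
        cum += n
        if cum >= share * total:
            break
    return len(group) / len(clicks), group
```

Comparing campaign_metrics across consecutive campaigns gives the trend the section asks for; the concentration group is the set that gets intensified training.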
The Insurance Angle
There’s another dimension to this that business owners should be aware of: your cybersecurity training program directly affects your insurance.
As I’ve discussed in previous articles, cyber liability insurance carriers have dramatically tightened their requirements. Security awareness training is now on the non-negotiable list for most insurers. They expect documented training programs with annual completion records and regular phishing simulations. If you can’t demonstrate that your employees are being trained, you may face higher premiums, reduced coverage, or outright denial.
And it goes further than eligibility. If you experience a breach and your insurer discovers that the training you claimed to have in place wasn’t actually happening, or wasn’t effective, they can deny the claim. In 2026, cyber insurance applications are being treated like audits. The documentation matters.
The Bottom Line
Cybersecurity training works. The evidence is clear on that. Organizations that implement ongoing, simulation-based, role-relevant training programs see measurable reductions in phishing susceptibility, faster threat reporting, and fewer human-driven incidents.
What doesn’t work is checking a box once a year and hoping for the best. What doesn’t work is treating employees like the weakest link instead of recognizing them as your first line of defense. What doesn’t work is designing training programs for auditors instead of for people.
With over 90% of cyberattacks beginning with a phishing email and AI making those attacks more convincing every month, investing in your people’s ability to recognize, resist, and report threats is one of the highest-return investments you can make in your security posture.
At Alchanis Technical Services, we’ve spent over 40 combined years helping organizations across public, private, and government sectors build cybersecurity programs that actually hold up under pressure. That includes helping our clients design and implement training programs that go beyond compliance and create real, measurable behavior change. We treat every client like family, because when your people are better prepared, your entire business is stronger.
If your current training program isn’t moving the needle, or if you’re not sure where to start, let’s talk about what a program built around your actual risks looks like.
Ready to build a training program that actually works?
Visit alchanistech.com or reach out to schedule a consultation.