Your training isn't working. The numbers say so.
Not a hunch. Not an opinion. A randomised controlled study of 19,500 employees found annual cyber security training had no measurable impact on phishing susceptibility. The data is in. Here's what it says.
The Behaviour Cycle White Paper ⋅ Research Series
1.7%
The difference in phishing susceptibility, in percentage points, between employees who had completed annual cyber security training and those who hadn't. Not a typo. After all the modules, all the completions, all the certificates... 1.7. That is not a training programme. That is an audit trail with a compliance budget attached.
Ho et al. (2025). UC San Diego / University of Chicago. Randomised controlled study, n=19,500 employees.
60%
of confirmed data breaches involve the human element - errors, social engineering, credential misuse. Not sophisticated attacks. Not zero-days. People, doing what their environment trained them to do. And the risk is concentrated: 8% of employees account for 80% of incidents. Annual training reaches that 8% with the same module, at the same cadence, as it reaches everyone else.
Verizon Data Breach Investigations Report (2025). 22,052 incidents analysed.
86%
Reduction in phishing susceptibility over 12 months with continuous immersive training. The baseline click rate starts at 33.1%. After twelve months of sustained engagement, it drops to 4.1%. The same research found a 40% reduction within just the first 90 days. Annual training does not produce numbers like these. The data is explicit on these points.
KnowBe4 Phishing Benchmarking Report (2025). 14.5M users, 62,400 organisations.
The most rigorous study ever done on annual training found it doesn't work.
Ho and colleagues at UC San Diego and the University of Chicago ran ten phishing campaigns across 19,500 employees and measured what happened. Some had completed mandatory annual cybersecurity training. Some hadn't. The researchers looked for a difference.
They found 1.7%. The trained group was 1.7 percentage points less likely to click a phishing link than the untrained group. Within the margin of statistical noise. Functionally zero.
The study was presented at IEEE Security and Privacy and at Black Hat. It is not a fringe finding from a hostile source. It is as rigorous as this kind of research gets. And it says, clearly, that the format most organisations rely on for their primary security awareness programme produces no measurable change in the behaviour it is supposed to change.
In March 2026 the US Army reached the same conclusion independently. It reduced mandatory cybersecurity training from annual to once every five years, citing its own analysis, which found no improvement in outcomes from annual training over less frequent alternatives.
Four findings the industry would rather not talk about
Completion rates measure attendance, not learning
61% of employees fail a basic security knowledge test after completing their mandatory training. Not before... after. The module ran. The certificate was issued. The dashboard turned green. And more than half the people who went through it can't answer seven basic questions about what it covered. Completion and learning are not the same metric.
8% of your people are causing 80% of the incidents
Verizon's 2025 DBIR identified a concentration of risk that annual training is structurally unable to address. When the same module goes to everyone at the same time, it reaches high-risk individuals with exactly the same force as low-risk ones. Targeted, continuous, experiential training can identify and work harder on the people who need it most. Annual compliance modules cannot.
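Finding the concentrated-risk group is an analysis step, not a module. The following is an added example, not code from the white paper or from any of the vendors it cites: it takes a constructed simulated-phishing log (one record per user per campaign, with whether the lure was clicked and whether it was reported), aggregates per user, measures how concentrated the clicks are, and assigns each person a follow-up tier. The log rows, the tier names and the thresholds (two clicks marks a repeat clicker; 80% is the share of clicks used for the concentration check) are assumptions for illustration.

```python
# Added example: routing follow-up training from simulated-phishing results
# instead of broadcasting one module to everyone. All log rows are constructed.
from collections import defaultdict

# Constructed simulation log: (campaign_id, user, clicked, reported).
# clicked=1 means the user clicked the lure; reported=1 means they reported it.
SIMULATION_LOG = [
    ("c1", "alice", 1, 0), ("c1", "bob", 0, 1), ("c1", "carol", 1, 0),
    ("c1", "dave", 0, 0),  ("c1", "erin", 0, 1), ("c1", "frank", 1, 0),
    ("c1", "grace", 0, 0), ("c1", "heidi", 0, 0), ("c1", "ivan", 0, 1),
    ("c1", "judy", 0, 0),
    ("c2", "alice", 1, 0), ("c2", "bob", 0, 1), ("c2", "carol", 1, 0),
    ("c2", "dave", 0, 1),  ("c2", "erin", 0, 1), ("c2", "frank", 0, 1),
    ("c2", "grace", 0, 0), ("c2", "heidi", 0, 0), ("c2", "ivan", 0, 1),
    ("c2", "judy", 0, 0),
    ("c3", "alice", 1, 0), ("c3", "bob", 0, 1), ("c3", "carol", 1, 0),
    ("c3", "dave", 0, 1),  ("c3", "erin", 0, 1), ("c3", "frank", 0, 1),
    ("c3", "grace", 0, 0), ("c3", "heidi", 0, 0), ("c3", "ivan", 0, 1),
    ("c3", "judy", 0, 0),
]


def per_user_stats(log):
    """Aggregate sent/clicked/reported counts per user across all campaigns."""
    stats = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for _campaign, user, clicked, reported in log:
        s = stats[user]
        s["sent"] += 1
        s["clicked"] += clicked
        s["reported"] += reported
    return dict(stats)


def campaign_click_rates(log):
    """Click rate per campaign, to track the trend across the programme."""
    sent, clicked = defaultdict(int), defaultdict(int)
    for campaign, _user, c, _r in log:
        sent[campaign] += 1
        clicked[campaign] += c
    return {k: clicked[k] / sent[k] for k in sent}


def risk_concentration(stats, share=0.8):
    """Smallest fraction of users who together caused `share` of all clicks.

    Returns (fraction_of_users, fraction_of_clicks_they_caused).
    With no clicks at all there is nothing to concentrate: (0.0, 0.0).
    """
    total = sum(s["clicked"] for s in stats.values())
    if total == 0:
        return 0.0, 0.0
    ranked = sorted(stats.values(), key=lambda s: s["clicked"], reverse=True)
    covered, n = 0, 0
    for s in ranked:
        if covered >= share * total:
            break
        covered += s["clicked"]
        n += 1
    return n / len(stats), covered / total


def repeat_clickers(stats, min_clicks=2):
    """Users who clicked in at least `min_clicks` campaigns (assumed threshold)."""
    return sorted(u for u, s in stats.items() if s["clicked"] >= min_clicks)


def training_tier(s):
    """Assumed follow-up tiers; the names are illustrative, not a standard."""
    if s["clicked"] >= 2:
        return "targeted"      # repeat clicker: where the risk concentrates
    if s["clicked"] == 1:
        return "refresher"     # one failure: short point-of-failure follow-up
    if s["reported"] == s["sent"]:
        return "recognise"     # reported every lure: reinforce, don't retrain
    return "standard"          # no clicks, no consistent reporting


def training_plan(stats):
    """Map every user to a follow-up tier."""
    return {user: training_tier(s) for user, s in sorted(stats.items())}


if __name__ == "__main__":
    stats = per_user_stats(SIMULATION_LOG)
    users, clicks = risk_concentration(stats)
    print(f"{users:.0%} of users caused {clicks:.0%} of clicks")
    print("repeat clickers:", repeat_clickers(stats))
    for campaign, rate in sorted(campaign_click_rates(SIMULATION_LOG).items()):
        print(f"{campaign}: click rate {rate:.0%}")
    for user, tier in training_plan(stats).items():
        print(f"{user:6s} -> {tier}")
```

On the constructed log, two of ten users (alice and carol) cause six of the seven clicks, so the "targeted" tier goes to a fifth of the population rather than to everyone, and the three users who reported every lure get recognition instead of another module. The same shape of analysis runs on a real simulation export; the only per-organisation decisions are the thresholds.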
Phishing works because it's designed to bypass training
Social engineering exploits emotion, urgency, and trust - the same mechanisms that make humans effective communicators and collaborators. It does not wait for people to be alert and prepared. It engineers the opposite: pressure, distraction, and just enough plausibility to tip the balance. A module can teach someone what a phishing email looks like. Only rehearsal builds the instinct to pause when one arrives.
Continuous training produces completely different outcomes
KnowBe4's dataset of 14.5 million users is unambiguous: 40% reduction in phishing susceptibility within 90 days of continuous simulation-based training. 86% over twelve months. A 2025 study of 1,300 employees across 20 organisations found that 70% of people who failed a simulated phishing test did not fail again when they received immediate, contextual feedback at the point of failure. The method matters more than the message.
The gap isn't between organisations that train and those that don't. It's between formats.
The security awareness training market is not failing because organisations aren't investing. Most are. It is failing because the dominant format - a passive, annual, completion-tracked module - does not produce durable behaviour change under pressure. The research now says this directly.
What produces different outcomes is training that makes people practice. That creates emotional signal. That embeds learning in something that feels real enough to be remembered. That reaches the highest-risk individuals with more intensity than the lowest-risk ones. That happens more than once a year.
40%
Reduction in phishing susceptibility within the first 90 days of continuous simulation-based training. Before the year is out, it reaches 86%.
This is why a well-designed escape room, a live incident simulation, or a vishing call that catches someone off guard can shift behaviour in a way that twelve annual modules cannot. The brain encodes what it felt. One high-quality experience - one moment where the stakes felt real, where the team had to think fast and got it wrong - does more for instinct than a year's worth of clicks.
The goal isn't to train people constantly. It's to train them in a way that actually lands. To build the kind of memory that surfaces when someone gets an email that feels slightly off at 4pm on a Friday. That's not about volume. It's about design.
That is what the research describes. And it is exactly what we build.
- Ho, G. et al. (2025). Understanding the efficacy of phishing training in practice. Presented at IEEE Security & Privacy and Black Hat. UC San Diego / University of Chicago. n=19,500 employees.
- Verizon (2025). Data Breach Investigations Report. 22,052 incidents analysed.
- KnowBe4 (2025). Phishing by Industry Benchmarking Report. 14.5 million users, 62,400 organisations, 67.7 million simulated phishing tests.
- Epignosis (2023). Cybersecurity training survey. n=1,200 US employees.
- Proofpoint (2024). State of the Phish Report. 7,500 adults across 15 countries.
- Dubniczky, A. et al. (2025). Point-of-failure phishing training study. 1,300 employees across 20 organisations. Reported in Help Net Security, November 2025.
- Carnegie Mellon CyLab. Research on point-of-error security training and policy recall.
- DefenseScoop (2026). US Army reduces mandatory cybersecurity training to once every five years. March 2026.
- Hornetsecurity (2024). Annual Cyber Security Report.
Your people deserve better than a module.
If any of this research has landed, let's talk about what a different approach looks like for your organisation.