You already know that humans are variable.
Insurance is one of the few industries where quantifying the probability of human error is a core business skill. Actuarial models. Underwriting criteria. Claims data. The entire sector is built on understanding how and why people make bad decisions under pressure.
That same logic applies to your own workforce's security behaviour. The research is unambiguous: awareness isn't the bottleneck. 96% of employees who took a risky action knew it was risky when they did it. Giving them more information doesn't fix that. Giving them the experience of pressure does.
Insurers we work with recognise this immediately, because it maps directly to how they think about risk everywhere else. The training format is the gap, and closing it is more straightforward than you might think.
96%
of employees who took the risky action knew it was risky when they did it. The training landed. The behaviour didn't follow.
Proofpoint (2024).
8%
of employees account for 80% of security incidents. Annual training reaches everyone identically. It isn't built to find or fix the highest-risk 8%.
Verizon DBIR (2025). 22,052 incidents analysed.
1.7%
measurable difference between trained and untrained groups using mandatory annual training in a rigorous 2025 RCT of 19,500 people.
Ho et al. (2025). UC San Diego / University of Chicago.
£4m
Average cost of a data breach in UK financial services in 2024. Insurance sits in one of the highest-value, highest scrutiny regulatory environments. A single preventable incident carries consequences well beyond the remediation bill.
IBM Cost of a Data Breach Report (2024)
60%
of confirmed data breaches involve a human element: errors, social engineering, misuse, or credential theft. The technology stack is increasingly robust. The human layer isn't keeping pace because of the training it's being given.
Verizon DBIR (2025)
86%
Reduction in phishing susceptibility over 12 months with sustained, simulation-based training. The gap between annual compliance theatre and formats that actually work is not marginal. It's generational.
KnowBe4 Global Phishing Benchmark. 14.5M users.
You can't change behaviour by telling people what to do.
The brain doesn't learn through information. It learns through experience. Not because that's a nice philosophical position, but because of how memory actually works. Events that carry emotional weight, uncertainty, and consequence get filed for long-term storage. Flat, consequence-free training modules get discarded. The brain is ruthlessly efficient about what it keeps.
Immersive scenarios are specifically designed to trigger the neurological conditions for durable learning. Pressure. Uncertainty. Real decisions. Visible stakes. The kind of situation where an employee recognises a pattern six months later because they've been in something that felt like it before.
56%
Better knowledge retention with active learning va passive instruction. Same content. Same people. The only variable was the format.
This isn't about making training more fun. It's about designing for how human memory actually works. The fun is just a bonus. The insurers we work with don't just want engaged employees. They want employees who pause, recognise a pattern, and choose differently when it counts.
What happens when insurance
teams actually experience it.
Everyone enjoyed doing the escape rooms and we had so much positive feedback. It also brought to life how good security hygiene, password management, not oversharing on social media, is so important, and made everyone think about good security practices and how they can put this into action daily.
Huge thanks to The Cyber Escape Room Co for an outstanding experience. Over 100 Admiral colleagues participated, and the feedback was fantastic. It was a fun, engaging, and educational event. We appreciate the effort and creativity behind it. Here's to more team building and skill development.
Your employees know the policy. They ignore it anyway.
The finding from Proofpoint's 2025 State of the Phish is that awareness isn't the bottleneck. The employees who clicked the link, handed over the credentials, plugged in the USB: most of them knew better. They were tired. Or rushed. Or just a little too trusting in a moment that felt routine.
The behavioural gap only closes by giving people experience of those exact moments before they count, by creating the pressure, the ambiguity, and the consequence in a controlled environment where the mistake becomes part of the learning.
The US Army reached this conclusion in March 2026 and cut mandatory annual training from yearly to once every five years, citing no measurable improvement in outcomes. If that doesn't make you question what you're currently spending your awareness budget on, not much will.
Not a training programme.
A rehearsal for the real thing.
Put your team inside the incident.
Scenario-based physical experiences deployed at your site or ours. Groups of 5 work through carefully constructed scenarios under genuine time pressure, creating the conditions of real cyber incidents: social engineering, credential theft, password security, insider threat. The environment is designed to replicate the pressure and ambiguity of the real thing. The debrief is where the behaviour change consolidates.
Scale it across every site, every team.
The same scenario logic and behavioural challenge as ESC, delivered digitally for dispersed workforces. Particularly relevant for insurance operations with regional offices, remote underwriters, and large claims handling teams. No logistics. No dilution of impact.
The attack vector your sector is most exposed to.
Claims handlers. Underwriters. Broker relationship managers. Insurance roles involve taking calls from unknown external parties as a matter of routine, which makes them a primary target for voice-based social engineering. CTRL+Vish puts your people on the phone with an AI-powered visher. They make the call. They navigate the conversation. They practice recognising and resisting manipulation in real time, before it counts.
Ready to see what your team does under pressure?
Get in touch and we'll map the right experience to your workforce, risk profile, and your current awareness programme, and show you exactly where the gaps are.