Security Awareness 2025: Why Training Alone Won’t Solve Cyber Risks
Security Awareness Training is a billion-dollar market – and yet, phishing click rates remain consistently high. According to Proofpoint, 10-15% of employees click on links in well-crafted phishing simulations. Annual mandatory training that is forgotten after three months has not changed this. What actually helps is more complex and interesting.
TL;DR
- Annual training has little effect: the forgetting curve makes one-time training ineffective after 6 weeks.
- Phishing simulations + micro-learning: immediate, context-specific feedback right after a click is 10 times more effective.
- Security culture beats compliance: Companies where incident reports are rewarded have better security KPIs.
- Behavior-based design: Nudging, adding friction to risky actions, and positive reinforcement work.
- Measurement is mandatory: Click rates, reporting rates, and time-to-report are the relevant KPIs – not “completed training”.
Why Traditional Training Doesn’t Work
Behavioral psychology is clear: knowledge alone does not change behavior. Ebbinghaus’ forgetting curve shows that 70% of what is learned is forgotten after 24 hours, and 90% after a week. A 2-hour training session in January has little impact on behavior during a phishing attack in October.
Additionally, traditional training lacks context. “Don’t click on links in emails” sounds simple, but in the workday almost all links are legitimate. Employees cannot assess risk in the moment of stress, for example when they are in a meeting and need to respond to an email quickly.
What Works: Behavior-Based Approaches
Just-in-time training: When an employee clicks on a link in a phishing simulation, a short (2-3 minute) learning unit immediately appears, explaining what gave away that it was phishing. The context is fresh, and the emotion (slight embarrassment) reinforces learning. Providers: KnowBe4, Proofpoint Security Awareness, Hoxhunt.
Nudging and friction: Technical measures that support correct behavior: banners on emails from external senders, a warning dialog for attachments from unknown senders, and a block on auto-forwarding to external addresses. These structurally reduce the likelihood of errors.
Positive reinforcement: Companies that actively reward employees for reporting suspicious emails (gamification, public recognition, small bonuses) see significantly higher reporting rates. Higher reporting rates mean faster incident detection.
KPIs for an Effective Awareness Program
Most awareness programs measure “completed training” – this is not a security KPI, it’s a compliance KPI. Effective programs measure:
Phishing click rate: Trend over time is more important than the absolute value. Goal: continuous reduction, not 0% (unrealistic).
Reporting rate: What percentage of employees report suspicious emails? An increasing reporting rate is a better security indicator than a decreasing click rate alone.
Time-to-report: How quickly are incidents reported? Shorter time means faster incident response.
Repeat offenders: Who clicks repeatedly? Targeted additional measures for this group are more efficient than further mass training.
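The four KPIs above computed from a simulation export, as an added example that is not part of the original article or any vendor's tooling. It assumes a constructed, hypothetical row format (campaign, employee, sent, clicked, reported); the sample rows are invented.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample export (hypothetical format, not any vendor's schema):
# one row per recipient per campaign; timestamps are ISO-8601 or None if absent.
EVENTS = [
    ("c1", "alice", "2025-03-03T09:00", "2025-03-03T09:12", None),
    ("c1", "bob",   "2025-03-03T09:00", None,               "2025-03-03T09:05"),
    ("c1", "carol", "2025-03-03T09:00", None,               None),
    ("c1", "dave",  "2025-03-03T09:00", "2025-03-03T10:30", "2025-03-03T10:31"),
    ("c2", "alice", "2025-04-07T14:00", "2025-04-07T14:02", None),
    ("c2", "bob",   "2025-04-07T14:00", None,               "2025-04-07T14:20"),
    ("c2", "carol", "2025-04-07T14:00", None,               "2025-04-07T15:00"),
    ("c2", "dave",  "2025-04-07T14:00", None,               None),
]

def _minutes(start, end):
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 60

def campaign_kpis(events):
    """Per campaign: click rate, reporting rate and median time-to-report (minutes)."""
    by_campaign = defaultdict(list)
    for row in events:
        by_campaign[row[0]].append(row)
    kpis = {}
    for cid, rows in by_campaign.items():
        n = len(rows)
        clicks = sum(1 for r in rows if r[3] is not None)
        reports = sum(1 for r in rows if r[4] is not None)
        ttr = [_minutes(r[2], r[4]) for r in rows if r[4] is not None]
        kpis[cid] = {"click_rate": clicks / n, "report_rate": reports / n,
                     "median_ttr_min": median(ttr) if ttr else None}
    return kpis

def click_rate_trend(events):
    """Click rates ordered by campaign send date, so the trend (not the absolute value) is visible."""
    first_sent = {}
    for cid, _emp, sent, _clicked, _reported in events:
        first_sent[cid] = min(first_sent.get(cid, sent), sent)
    kpis = campaign_kpis(events)
    return [(cid, kpis[cid]["click_rate"]) for cid in sorted(first_sent, key=first_sent.get)]

def repeat_offenders(events, min_campaigns=2):
    """Employees who clicked in at least min_campaigns distinct campaigns."""
    clicked_in = defaultdict(set)
    for cid, emp, _sent, clicked, _reported in events:
        if clicked is not None:
            clicked_in[emp].add(cid)
    return sorted(e for e, cs in clicked_in.items() if len(cs) >= min_campaigns)
```

With the sample rows, the click rate falls from 50% to 25% between campaigns while the reporting rate holds at 50%, and one employee qualifies for targeted follow-up.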
Key Facts at a Glance
- Phishing click rate without training: ~25-30% in simulations (Proofpoint 2025)
- Phishing click rate after just-in-time training: reduction to 5-10% possible
- Forgotten after 1 week: ~90% of what is learned in training (Ebbinghaus curve)
- Security Awareness market size: over 5 billion USD worldwide (2025)
- Most frequent targets: HR, Finance, and new employees (< 6 months) are disproportionately affected
Fact: According to the IBM Cost of a Data Breach Report 2025, 95% of security breaches are caused or enabled by human error.
Fact: Companies with regular Security Awareness programs reduce phishing email click rates by an average of 75% within 12 months, per the SANS Institute.
Frequently Asked Questions
How often should phishing simulations be conducted?
Monthly is the recommended cadence for active simulations. More important than frequency is variety: different campaign types, sender scenarios, and audience segments. Predictable simulations get recognized and lose their learning impact.
Is it legal to subject employees to simulated phishing tests without prior notice?
In Germany: Yes, with caveats. The works council must be informed and involved (co-determination obligation under §87 BetrVG). A works agreement on Security Awareness is strongly advised. Individual results must not be used for HR decisions.
What are the best tools for Security Awareness?
KnowBe4 leads the market (largest content library, strong gamification). Proofpoint Security Awareness Training excels in email integration. Hoxhunt focuses on gamified, behavior-based learning. Mimecast offers robust integration with email gateways.
How do you build a security culture?
Leadership must model the behavior: CISOs and C-level executives actively participate in training and communicate security as a core value. Reporting incidents is rewarded – not punished. Mistakes are treated as learning opportunities. Security is embedded into onboarding, performance reviews, and internal communications.
How do you measure the ROI of Security Awareness?
Direct measurement is challenging – but possible: fewer successful phishing attacks (tracked via incident counts), shorter time-to-report, fewer helpdesk tickets related to accidentally opened attachments, and insurance cost comparisons before and after program rollout.