Why Security Awareness Training Fails – and What Works Instead
Companies spend billions on security awareness training, yet phishing click rates do not fall in any sustained way. The problem is not a lack of training but the delivery model: an annual mandatory video does not change behavior. What does work is a combination of continuous, context-based micro-interventions and technical safeguards that catch human error before it causes damage.
TL;DR
- Phishing click rates after training: 4.6 percent – without training: 5.3 percent (Proofpoint)
- Annual mandatory training has no measurable long-term effect (USENIX 2023)
- Context-based warnings in the email client reduce clicks by 40-50 percent
- Technical controls (DMARC on enforce, MFA, URL sandboxing) prevent more incidents than training does
The Compliance Charade: Why Annual Training Doesn’t Work
Most security awareness programs exist to satisfy compliance requirements, not to change behavior: watch a 30-minute video once a year, pass a quiz, check a box. Studies show that the effect wears off after 4-6 weeks. Knowledge retention is minimal, and behavioral change is smaller still.
The Proofpoint figures above put the gap between trained and untrained users at well under one percentage point, and the USENIX 2023 study found no measurable long-term effect of annual mandatory training at all. The investment does not match the result.
What Works Instead: Nudging Over Training
Behavioral science shows that people change their behavior not through knowledge but through context-based interventions at the moment of decision. A warning such as "You have not received mail from this sender before", shown directly in the email client on the message in question, is more effective than any training video.
Microsoft implemented this approach in Microsoft 365 with Safety Tips and External Sender Tags; Google displays warning banners on suspicious links in Gmail. These in-context nudges reduce the click rate on phishing links by 40-50 percent, many times the effect of training.
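To make the mechanism concrete, here is an added example (not code from the article or from any of the vendors mentioned) of the decision logic behind external-sender tags and first-contact safety tips, written as a small gateway-side function in Python. It assumes a hypothetical tenant domain `example.com`, a set of previously seen sender addresses, and two constructed sample messages; it uses the `dmarc=` verdict that the receiving MX already recorded in `Authentication-Results` to add an "unverified sender" banner as well.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Assumed tenant domain (hypothetical); real deployments read this from config.
ORG_DOMAIN = "example.com"

# Constructed sample messages for the demo; not real captured mail.
INTERNAL_MSG = """From: Alice <alice@example.com>
To: bob@example.com
Subject: Lunch
Authentication-Results: mx.example.com; dmarc=pass header.from=example.com

See you at noon.
"""

NEW_EXTERNAL_MSG = """From: Accounts Payable <ap@vendor-invoices.example.net>
To: bob@example.com
Subject: Overdue invoice 4471
Authentication-Results: mx.example.com; dmarc=fail header.from=vendor-invoices.example.net

Please review the attached invoice today.
"""


def sender_address(msg):
    """Lower-cased address part of the From header ('' if absent)."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.lower()


def dmarc_result(msg):
    """The dmarc= verdict the receiving MX wrote into Authentication-Results.

    A missing header or missing dmarc= clause is treated as 'none', i.e. unverified.
    """
    header = str(msg.get("Authentication-Results", ""))
    match = re.search(r"\bdmarc=([a-z]+)", header, re.IGNORECASE)
    return match.group(1).lower() if match else "none"


def nudges_for(raw_message, org_domain=ORG_DOMAIN, known_senders=frozenset()):
    """Decide which in-context warnings the mail client should show for one message.

    Returns (tagged_subject, banners). Only external mail gets banners; internal
    mail is left untouched so the warnings stay rare enough to be noticed.
    """
    msg = message_from_string(raw_message, policy=default)
    addr = sender_address(msg)
    domain = addr.rsplit("@", 1)[-1]
    banners = []

    if domain != org_domain.lower():
        banners.append("EXTERNAL: this message came from outside the organization.")
        if addr not in known_senders:
            banners.append("FIRST CONTACT: you have not received mail from this sender before.")
        if dmarc_result(msg) != "pass":
            banners.append("UNVERIFIED: the sending domain did not pass DMARC; the From address may be forged.")

    subject = str(msg.get("Subject", ""))
    if banners and not subject.startswith("[EXTERNAL] "):
        subject = "[EXTERNAL] " + subject
    return subject, banners


if __name__ == "__main__":
    for raw in (INTERNAL_MSG, NEW_EXTERNAL_MSG):
        subject, banners = nudges_for(raw, known_senders={"alice@example.com"})
        print(subject)
        for banner in banners:
            print("  ", banner)
```

The design point is that every warning is tied to a property of the specific message the user is about to act on (outside the organization, never seen before, failed authentication), which is what makes it a nudge at the moment of decision rather than generic advice. Keeping internal mail banner-free matters: if every message carries a warning, users learn to ignore all of them.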
Phishing Simulations: Helpful or Harmful?
Phishing simulations are the most popular tool and the most controversial. Pro: they measure the actual click rate and identify high-risk users and high-risk lures. Con: they create mistrust, fear, and resentment, especially when "failures" are exposed or punished, and frightened users stop reporting the real thing.
The compromise: use simulations as a measurement tool, not a punishment tool; reward correct reporting and track the report rate alongside the click rate; and feed the results into better technical controls rather than into shaming employees.
Defense in Depth: Technical Controls as a Safety Net
The most effective "awareness measure" is technical: DMARC on enforce (p=quarantine or p=reject stops exact-domain spoofing of your own domain; it does not stop lookalike domains, which is where the external-sender tag comes in), MFA (makes stolen passwords useless; prefer phishing-resistant methods such as FIDO2/passkeys, because one-time codes and push approvals can be relayed by an adversary-in-the-middle phishing page), URL sandboxing with time-of-click scanning (neutralizes malicious links, including those weaponized after delivery), and Conditional Access (blocks logins from unusual devices, locations, or risk levels).
These measures catch human errors before they cause damage. The human remains the last line of defense, not the only one. Those who rely solely on human vigilance have already lost.
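"DMARC on enforce" is the control this section and the FAQ below put first, and the adoption figure in the Key Facts depends on what counts as enforce. As an added example (not from the article), here is a small Python auditor that parses a DMARC TXT record and classifies it as `none`, `partial` or `enforce`, flagging the two loopholes that make a record look enforced while it is not: `pct=` below 100 and a weaker `sp=` for subdomains. The four sample records are constructed for the demo; no DNS lookups are performed, so it runs offline.

```python
# Constructed sample records; in practice you would fetch the TXT record at
# _dmarc.<domain> and pass each string in.
SAMPLES = {
    "monitor":       "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "pct_trap":      "v=DMARC1; p=reject; pct=0; rua=mailto:dmarc@example.com",
    "subdomain_gap": "v=DMARC1; p=reject; sp=none",
    "enforce":       "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; adkim=s; aspf=s",
}

STRONG = {"quarantine", "reject"}


def parse_dmarc(record):
    """Parse a DMARC record (RFC 7489 'tag=value;' syntax) into a dict.

    Rejects anything that is not a DMARC1 record or lacks the mandatory p= tag.
    Tag ordering is not checked here; RFC 7489 requires v= to come first.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    if "p" not in tags:
        raise ValueError("missing required p= tag")
    return tags


def audit_dmarc(record):
    """Return (level, findings) for one record.

    'enforce' means the domain policy is quarantine/reject, the subdomain policy
    (sp=, defaulting to p=) is at least as strong, and pct= is 100, so every
    failing message is acted on. Anything weaker only looks enforced.
    """
    tags = parse_dmarc(record)
    p = tags["p"].lower()
    sp = tags.get("sp", p).lower()
    pct = int(tags.get("pct", "100"))
    findings = []

    if p == "none":
        level = "none"
        findings.append("p=none only monitors; spoofed mail is still delivered")
    else:
        level = "enforce"
        if pct < 100:
            level = "partial"
            findings.append(f"pct={pct}: only {pct}% of failing mail is subject to p={p}")
        if sp not in STRONG:
            level = "partial"
            findings.append(f"sp={sp}: subdomains of this domain can still be spoofed")

    if "rua" not in tags:
        findings.append("no rua=: no aggregate reports, so you cannot see who is spoofing you")
    return level, findings


if __name__ == "__main__":
    for name, record in SAMPLES.items():
        level, findings = audit_dmarc(record)
        print(f"{name:14} {level:8} {record}")
        for finding in findings:
            print(f"{'':14} - {finding}")
```

A `pct=0` record with `p=reject` is a real pattern: organizations set it while rolling out and forget to raise it, so the domain reports as "reject" in naive checks but no message is ever rejected. The auditor deliberately treats that, and a lenient `sp=`, as partial rather than enforced.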
Key Facts
Training Effect: Less than 1 percentage point difference in phishing click rates (Proofpoint 2024)
Nudging Effect: 40-50 percent reduction through context-based email warnings
DMARC Adoption: Only 33 percent of German companies on Enforce (eco 2024)
Frequently Asked Questions
Should I completely abolish security awareness training?
No, but rethink it: Move away from annual mandatory videos to short, context-based micro-training sessions (5 minutes, monthly), use phishing simulations as a measurement tool, and rely on technical controls as the primary defense.
Which technical measures have the greatest impact?
In this order: DMARC on enforce (protects your own domain against spoofing), MFA for all services (protects credentials, ideally phishing-resistant), URL sandboxing in the email gateway (protects against malicious links), external sender tagging in the email client (gives the recipient context at the moment of decision).
Are we still NIS2-compliant without traditional training?
NIS2 requires awareness and training measures, but it does not prescribe a traditional classroom or video programme. Documented micro-interventions, phishing simulations with recorded results, and documented technical safeguards meet the requirement. The key is that the measures are verifiable.
Related Articles
- Cybersecurity Trends 2026: The 7 Developments Security Decision-Makers Need to Know
- Recognizing AI-Generated Phishing Emails: 7 Warning Signs for 2026
- The CISO is a Scapegoat – Why the Role Needs Fundamental Reform
Header Image Source: Pexels / RDNE Stock project