The $10 Billion Illusion of Awareness
Every year, enterprises pour billions into cybersecurity awareness and phishing simulations — posters in the hallway, inbox drills, gamified quizzes, and annual compliance refreshers.
Yet, despite this massive investment, phishing remains the world’s most common initial attack vector.
Two major peer-reviewed studies — one from the IEEE Symposium on Security and Privacy (Ho et al., 2025) and another from ACM CCS (Lain et al., 2024) — now suggest a troubling truth:
Most phishing training doesn’t work the way we think it does.
These studies challenge long-standing assumptions about how users learn, why they click, and what awareness programs are actually achieving. The message is clear: our training is failing — not because users don’t care, but because the systems teaching them are broken.
The Evidence: Two Landmark Studies That Changed the Conversation
🧪 Study 1: Ho et al. (2025) — Real-World Results, Real Disappointment
In one of the largest field experiments ever conducted on cybersecurity awareness, Ho et al. (2025) tracked 19,500 employees at a large healthcare organization over eight months.
Ten simulated phishing campaigns tested whether:
- Annual awareness training improved resilience.
- Embedded phishing drills (with real-time “teachable moments”) reduced click rates.
The outcome? Almost no measurable difference.
Employees who recently completed formal training were just as likely to click phishing emails as those who hadn’t. Even participants who received repeated embedded training sessions performed only marginally better — often by 1–2 percentage points.
Perhaps most striking: users who engaged more often with phishing simulations sometimes performed worse later on. The researchers suggest this could be due to “click fatigue” — an erosion of attention and motivation caused by repetitive, low-value simulations.
Their conclusion was blunt:
“Anti-phishing training programs, in their current and commonly deployed forms, are unlikely to offer significant practical value in reducing phishing risks.”
(Ho et al., 2025, p. 52)
💡 Study 2: Lain et al. (2024) — The Psychology Behind the Click
A separate study by Lain et al. (2024) explored how employees perceive and react to embedded phishing exercises at a major Swiss corporation.
Their team found that content quality (i.e., the realism or educational tone of phishing messages) had little effect on outcomes. Instead, the “nudge” effect — the gentle reminder that training is happening — produced most of the observed benefits.
Surprisingly, offering rewards or incentives didn’t help. In some cases, it even made employees less likely to complete training sincerely. Moreover, delayed interventions — sending educational feedback a day later — performed just as well as immediate responses, suggesting attention span, not timing, drives outcomes.
The takeaway?
Phishing susceptibility is less a knowledge gap and more an attention deficit problem.
When employees are overexposed to simulated threats, they tune out the message entirely. In psychological terms, this is classic habituation — the same mechanism that makes us ignore fire drills after the fifth one.
Why “Teachable Moments” Fail in the Real World
Cyber training programs are often designed like classroom lessons: a phishing simulation triggers a “lesson,” the employee reads a blurb, clicks “acknowledge,” and returns to work.
In theory, this mimics behavioral reinforcement. In reality, it’s noise in a worker’s cognitive environment.
Ho et al. (2025) found that most users spent less than 10 seconds reading phishing feedback. Lain et al. (2024) observed widespread annoyance, skepticism, and even resentment toward repetitive phishing drills.
The problem isn’t just engagement — it’s trust. When training feels punitive or performative, it reinforces a culture of compliance, not curiosity.
Cybersecurity awareness shouldn’t be a test to pass. It should be a conversation about risk.
Nudges, Not Lectures: Rethinking Human-Centered Security
Lain et al. (2024) introduce an important insight: phishing success is not about content but context.
Effective training doesn’t need more realism or punishment; it needs behavioral design:
- Periodic, subtle reminders keep awareness active without overwhelming.
- Contextual cues — such as smart banners, AI-generated warnings, or predictive alerts — can nudge users at the right time.
- Positive reinforcement (praise, not penalties) sustains engagement.
This aligns with a growing movement toward behavioral cybersecurity — merging psychology, UX, and data analytics to design frictionless, supportive defenses that complement human cognition instead of fighting it.
Beyond Awareness: Automating the Human Layer
If phishing awareness isn’t enough, what comes next?
The answer lies in risk-adaptive systems. Instead of relying on memory and vigilance, next-generation tools leverage AI and behavioral telemetry to dynamically adjust protection.
Examples include:
- Context-aware email defenses that change warning thresholds based on user behavior.
- AI-driven micro-learning modules triggered by actual risky actions (e.g., clicking an unknown link).
- Risk observability dashboards that correlate behavioral trends with exposure metrics.
This approach turns training from a static event into a continuous feedback loop — one that measures real-world improvement, not just completion rates.
Policy and Compliance: Measuring What Matters
In finance, healthcare, and critical infrastructure, cybersecurity training is not optional — it’s a regulatory requirement.
Yet as these studies show, most compliance-oriented training offers little measurable risk reduction.
Regulators may need to shift from checking whether training exists to verifying whether behavioral risk indicators improve over time.
Frameworks like NIST AI RMF and ISO/IEC 42001 (AI Management Systems) already hint at this evolution — moving from documentation to demonstrable human-AI resilience.
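To make the "continuous feedback loop" and "behavioral risk indicators" concrete, here is an added illustration (not code from the page or from either study) that scores each user's recency-weighted click propensity from simulated-drill telemetry, maps it to a warning-banner tier, and tracks the org-wide click rate across campaigns as the indicator a regulator could watch instead of completion rates. The decay factor, the tier cut-offs and the sample events are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DrillEvent:
    """One user's response to one simulated phishing campaign (constructed data)."""
    user: str
    campaign: int      # 1..N, chronological
    clicked: bool      # followed the simulated lure
    reported: bool     # flagged it to security


# Constructed sample telemetry: three users across three campaigns.
EVENTS = [
    DrillEvent("alice", 1, True, False), DrillEvent("alice", 2, True, False),
    DrillEvent("alice", 3, False, True),
    DrillEvent("bob", 1, False, True), DrillEvent("bob", 2, False, True),
    DrillEvent("bob", 3, False, False),
    DrillEvent("carol", 1, True, False), DrillEvent("carol", 2, True, False),
    DrillEvent("carol", 3, True, False),
]


def user_risk(events, user, decay=0.5):
    """Recency-weighted click propensity in [0, 1]. The latest campaign counts fully,
    each earlier one is discounted by `decay` (assumed value), so stale clicks fade
    rather than branding a user forever. Click = 1, report = 0, ignore = 0.5."""
    mine = sorted((e for e in events if e.user == user), key=lambda e: e.campaign)
    if not mine:
        return 0.0
    weighted = total = 0.0
    for i, e in enumerate(reversed(mine)):          # i == 0 is the most recent drill
        w = decay ** i
        weighted += w * (1.0 if e.clicked else 0.0 if e.reported else 0.5)
        total += w
    return weighted / total


def warning_tier(risk):
    """Context-aware defence: stricter inbound-mail handling for riskier users.
    Tier names and thresholds are hypothetical."""
    if risk >= 0.7:
        return "quarantine-and-confirm"
    if risk >= 0.4:
        return "prominent-banner"
    return "subtle-banner"


def campaign_click_rates(events):
    """Org-wide click rate per campaign: the behavioural indicator to track over time."""
    clicks, seen = defaultdict(int), defaultdict(int)
    for e in events:
        seen[e.campaign] += 1
        clicks[e.campaign] += int(e.clicked)
    return {c: clicks[c] / seen[c] for c in sorted(seen)}


def improved(rates):
    """True when the latest campaign's click rate is below the first campaign's."""
    return rates[max(rates)] < rates[min(rates)]
```

With the sample data, alice's recent report outweighs her two earlier clicks and lands her in the middle tier, while carol's unbroken click history triggers the strictest handling.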
Final Thought: Training is Broken (So Let’s Fix It)
Phishing training isn’t useless, but it’s incomplete.
We’ve optimized for compliance, not cognition. For checklists, not curiosity.
As the data now shows, the next frontier of cyber awareness won’t be another quiz or simulation — it will be adaptive, data-driven, and deeply human.
If cyber risk teams want to reduce clicks, they need to stop counting them and start designing for attention.
Citations
Ho, G., Mirian, A., Luo, E., Tong, K., Lee, E., Liu, L., Longhurst, C. A., Dameff, C., Savage, S., & Voelker, G. M. (2025). Understanding the efficacy of phishing training in practice. In 2025 IEEE Symposium on Security and Privacy (SP) (pp. 37–54). IEEE. https://doi.org/10.1109/SP61157.2025.00076
Lain, D., Jost, T., Matetic, S., Kostiainen, K., & Capkun, S. (2024, December). Content, nudges and incentives: A study on the effectiveness and perception of embedded phishing training. In Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security (pp. 4182–4196). ACM. https://doi.org/10.1145/3658644.3690348