The annual security awareness training video plays in the background while employees fill out timesheets. The monthly phishing simulation generates a click-through rate that hovers between 4 and 8 percent regardless of what training is delivered. The compliance dashboard reports completion rates above 95 percent. And then, with discouraging regularity, an employee clicks a real phishing email, enters their credentials on a fake login page, and the incident response team is paged at 2 a.m. for a breach that all of the awareness investment was supposed to prevent.

The disconnect between security awareness program activity and actual employee behavior is one of the most-recognized but least-addressed problems in the field. Organizations spend significant budget and time on awareness, the metrics they collect look acceptable, and the underlying behaviors barely change. The problem is not that awareness training is impossible — it is that most programs are designed to satisfy compliance requirements rather than to change behavior, and behavior change is genuinely hard work that requires a different approach.

Why Compliance-Driven Awareness Falls Short

The compliance approach to awareness has a clear logic: regulations and frameworks require security awareness training, so deliver training that satisfies the requirement. The trouble is that satisfying the requirement and actually improving security are different goals, and the optimization paths diverge quickly.

Annual training sessions, by their nature, cannot produce sustained behavior change. The behavior science literature on training and skill acquisition is consistent: skills that are practiced once a year decay rapidly. By the time the next annual training comes around, employees have forgotten most of what was covered the previous year, and the security behaviors they need to apply daily have not been reinforced. Training that does not produce retention is training that does not change behavior, regardless of completion percentages.

Generic content compounds the problem. A training module that addresses phishing in the abstract, with stock-photo screenshots that bear no resemblance to the actual emails employees receive, fails to build the pattern recognition that actually matters. Employees develop a vague sense that “phishing is bad” without learning to recognize the specific patterns that show up in their own inbox. When a real phishing email arrives, the abstract knowledge does not activate.

Phishing simulations have similar issues when run as a compliance exercise. The simulations test whether employees click on emails the security team sent, but those simulations often look notably different from the phishing employees actually face. Sophisticated real attacks use targeted lures based on current events, leverage compromised accounts of trusted senders, and arrive in formats that resemble normal business communication. A simulation program that exclusively uses generic “your password expires today” templates does not prepare employees for the attacks that succeed.

The Behavior Science Foundation

Effective awareness programs are grounded in behavior science. The Fogg Behavior Model — that behavior happens at the intersection of motivation, ability, and a prompt — provides a useful framework. Most awareness programs focus heavily on motivation (telling employees that security matters) while neglecting ability (teaching specific recognition skills) and prompts (creating moments where the right behavior is cued). Programs that work address all three.

Building ability requires deliberate practice on patterns that actually matter. Employees need to recognize the specific characteristics of phishing emails they will encounter — the subtle domain spoofs, the urgency-and-authority pressure patterns, the credential capture and payment redirect lures that fit their job context. That recognition is built through repeated exposure to real-looking examples with immediate feedback, not through annual training videos.

Prompts in the workflow are an underused tool. A small visual indicator in the email client showing whether a sender is internal or external, a one-click report-phishing button that delivers immediate positive reinforcement when used appropriately, a brief security checkpoint when an employee is about to enter credentials in a new browser context — these are workflow-embedded prompts that activate the right behavior at the moment it matters. They are also far more effective than detached training in shaping how employees actually handle their inbox each day.

Motivation matters too, but the motivation that drives behavior is rarely “fear of organizational consequences from a breach.” More effective motivators include autonomy (employees who report potential threats see what happened with their report), competence (employees who improve their phishing recognition see their own performance metrics), and connection (peer recognition for security-positive behaviors, not just punishment for failures).

Designing Phishing Simulations That Actually Build Skill

Phishing simulations are one of the few security awareness tools that have a chance of producing measurable skill development, but realizing that potential requires designing them as a learning program rather than a compliance test.

Simulations should be calibrated to current real-world attack patterns. The threat intelligence team should be feeding actual lure patterns observed against your industry and organization into the simulation program. When a campaign of MFA-prompt fatigue lures is hitting financial services, employees in financial services should see simulations of those exact lures within weeks. When invoice fraud lures with compromised supplier accounts become common, simulations should reflect that pattern. The simulations should follow the threat landscape, not stay frozen in patterns from three years ago.

Difficulty should escalate over time as employees develop skill. New employees might start with relatively recognizable simulations and progress to more sophisticated ones as their detection ability improves. Long-tenured employees who have demonstrated consistent recognition of standard patterns should face the harder targeted lures that represent the actual frontier of attack technique. A program that uses the same difficulty for everyone year after year produces the same flat performance year after year.

The response to a clicked simulation matters more than most programs realize. Punitive responses — public shaming, mandatory remedial training delivered as punishment, write-ups in personnel files — produce predictable outcomes: employees become afraid to report suspicious emails because they assume that admitting confusion will be held against them, and reporting rates drop. Better responses pair brief, focused, immediate education at the moment of the failure with positive reinforcement for the behaviors you want to encourage, including reporting.

Measuring What Matters

Click rates on phishing simulations are one signal, but they are an incomplete and frequently misleading one. Better metrics tell a richer story about program effectiveness.

Reporting rate — the percentage of phishing simulations that employees actively report through your reporting mechanism — is often a better indicator of program health than click rate. A workforce that reports 40 percent of simulated phishing is more security-active than one that simply does not click on 92 percent. Reporting indicates that employees are engaging with the security process, applying their detection skills, and producing intelligence that the security team can act on for real threats.

Time to first report on a simulation campaign is another useful metric. Fast reporting means the security team learns about a real campaign quickly when it inevitably happens. Reporting clusters in the first few minutes after a simulation launches indicate a healthy security culture; campaigns that run for hours before any reports come in indicate that employees are not engaging with the security reporting process even when they recognize the threat.
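The metrics described above, computed over a constructed simulation event log. This is an added illustration, not code from the original post; the `Recipient` record, its field names and the ten-minute early-report window are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Recipient:
    """One simulated phishing email sent to one employee (assumed record shape)."""
    user: str
    sent_at: datetime
    clicked_at: Optional[datetime] = None
    reported_at: Optional[datetime] = None

def campaign_metrics(recipients, early_window_min=10):
    """Click rate is kept for comparison; reporting rate, time to first report
    and early-window reports show whether employees engage the reporting path."""
    n = len(recipients)
    launch = min(r.sent_at for r in recipients)
    clicks = [r for r in recipients if r.clicked_at]
    reports = [r for r in recipients if r.reported_at]
    report_times = sorted(r.reported_at for r in reports)
    first = report_times[0] if report_times else None
    window = timedelta(minutes=early_window_min)
    return {
        "click_rate": len(clicks) / n,
        "report_rate": len(reports) / n,
        # clicked, then realised and reported anyway: a recovery behaviour
        # worth reinforcing rather than punishing
        "clicked_then_reported": sum(
            1 for r in reports if r.clicked_at and r.clicked_at < r.reported_at),
        "seconds_to_first_report": (first - launch).total_seconds() if first else None,
        "early_reports": sum(1 for t in report_times if t - launch <= window),
    }

# Constructed sample campaign (not real data): 10 recipients, launched at 09:00.
T0 = datetime(2024, 3, 4, 9, 0)
m = timedelta(minutes=1)
SAMPLE = [
    Recipient("alice", T0, reported_at=T0 + 3 * m),
    Recipient("bob", T0, clicked_at=T0 + 5 * m),
    Recipient("carol", T0, reported_at=T0 + 2 * m),
    Recipient("dave", T0),
    Recipient("erin", T0, clicked_at=T0 + 15 * m, reported_at=T0 + 16 * m),
    Recipient("frank", T0),
    Recipient("grace", T0, reported_at=T0 + 40 * m),
    Recipient("heidi", T0),
    Recipient("ivan", T0),
    Recipient("judy", T0),
]

if __name__ == "__main__":
    for k, v in campaign_metrics(SAMPLE).items():
        print(f"{k}: {v}")
```

On the sample, a 20 percent click rate sits beside a 40 percent reporting rate and a two-minute time to first report, which is the richer story the click rate alone hides.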

Behavior outside of simulations is the highest-value but hardest-to-measure signal. How employees handle ambiguous situations, whether they consult the security team when they see something unusual, how they respond when a colleague forwards them a suspicious email — these behaviors are what awareness programs are ultimately trying to shape. Targeted surveys, focus groups, and behavioral observations during incident investigations can produce useful data about whether the program is changing how employees actually operate.

Our post on measuring security awareness training success goes deeper into the metrics framework and the operational tools needed to collect them. The shift from completion-rate metrics to behavior-and-skill metrics is one of the highest-value changes a maturing awareness program can make.

Specialization and Role-Based Content

Generic awareness content is appropriate for foundational topics, but mature programs layer role-specific training on top of the foundation. The threats and decisions a finance team faces are different from those facing a software development team, an executive assistant team, or an industrial operations team, and treating them all to the same content underserves all of them.

High-risk roles deserve focused programs. Finance teams need deep training on business email compromise, invoice fraud, and wire transfer verification procedures. Executive assistants and other high-access support roles need training on impersonation attacks, authority pressure tactics, and the specific lure patterns targeting executive support functions. Software developers need training on the specific patterns of supply chain attacks, malicious package campaigns, and developer-targeted social engineering. Each of these specialized programs requires more effort to build than generic training, but the protection produced is qualitatively different.

Senior leaders should not be exempted from the program because of their schedules. Senior leaders are among the most-targeted populations, and their successful compromise has outsized consequences. Brief, well-designed, executive-level content respects their time while addressing the threats they specifically face — and visible executive participation reinforces the program’s credibility for the broader workforce.

Building a Mature Program Over Time

Maturing a security awareness program is a multi-year journey. Year one typically focuses on establishing the foundation: a baseline measurement of current behavior, deployment of phishing simulation tooling, foundational training content, and the operational mechanics of running the program. Year two layers on role-specific content, more sophisticated simulation patterns, and the early metrics infrastructure to measure behavior change rather than just compliance. Year three and beyond is where the integration with broader security operations becomes possible — feeding real threat intelligence into the simulation program, connecting awareness performance to detection coverage, and building the closed-loop system where attacks observed against your organization shape the awareness content within weeks.

The investment is significant, and the return is not always immediately visible — behavior change is incremental and shows up in incidents that did not happen rather than in dashboards that light up. But the alternative, an awareness program that satisfies compliance while doing nothing to change the behaviors that produce incidents, is a poor use of the security budget and a recurring source of preventable breaches. Mature awareness programs treat employees as the partners they need to be in defending the organization, and they invest accordingly.
