2.9%
Median phishing click rate after mature simulated phishing program versus 32.4% baseline (KnowBe4 2025)
5 min
Maximum effective length for a single security awareness module: anything longer has diminishing retention
12x
More likely to click a phishing link in the year following a one-time annual training versus continuous quarterly simulations
60-80%
Reduction in simulated phishing click rates achievable within 12 months with a well-structured program

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Security awareness training is the most universally implemented and least universally effective security control in existence. Nearly every organization runs annual compliance training; almost none can demonstrate that it changes employee behavior.

The problem is the format: a 45-minute video watched once a year, often completed on autopilot to get the checkbox, has no measurable impact on whether an employee clicks a phishing link six months later. The evidence from behavioral psychology is clear: behavior change requires repeated exposure, immediate feedback, and personal relevance.

Component 1: Simulated Phishing: Measure Before You Train

Before launching any training, establish a baseline phishing click rate with a simulated phishing campaign. This gives you a starting metric to measure improvement against and identifies your highest-risk employee groups.

Baseline phishing campaign design:

  • Use a phishing simulation platform (KnowBe4, Proofpoint Security Awareness, Microsoft Attack Simulator: the last is free with Microsoft 365 E5/Business Premium)
  • Start with a moderate-difficulty template: not the most obvious spam, not the most sophisticated spear-phish. Something representative of what real attackers send: a fake IT notification, a payroll update, a document sharing request
  • Send to 100% of employees without advance warning
  • Track: open rate, click rate, credential submission rate, and reporting rate (users who report the email as suspicious)

Interpreting baseline results:

  • Click rate above 30%: high risk: prioritize phishing training immediately
  • Click rate 15-30%: moderate risk: standard training cadence
  • Click rate below 15%: good baseline: focus on maintaining and improving reporting rate

Ongoing simulation cadence: Run simulated phishing quarterly at minimum. The frequency matters more than the quality of individual simulations: employees who are phished monthly stay alert in a way that employees phished annually do not. Vary the template type each quarter: invoice fraud, IT alerts, HR notifications, executive impersonation.

Component 2: Immediate Contextual Feedback (the Most Important Element)

The moment of highest receptivity to security learning is immediately after an employee clicks a simulated phishing link. They are surprised, slightly embarrassed, and genuinely curious about what they missed. This is the only time security training delivers genuine behavior change.

What happens when someone clicks a simulated phishing link:

Most phishing simulation platforms offer a landing page that appears immediately when the link is clicked: before the employee realizes it was a test. This landing page should:

  1. Explain that this was a security test (not a real attack)
  2. Show the specific indicators in the email that should have flagged it as phishing (sender domain mismatch, urgency language, hover-over URL mismatch)
  3. Provide a 2-3 minute microlearning module specifically about the type of phishing used in this simulation
  4. Give a clear action: 'Next time you see an email like this, use the Report Phishing button'

What NOT to do:

  • Do not shame or punish employees who click: this creates a culture where people hide security incidents rather than report them
  • Do not send a long email explaining what they did wrong: nobody reads it
  • Do not report individual click results to managers without a clear HR-approved policy: this is the fastest way to destroy trust in the security team

The reporting rate is more important than the click rate: An organization where 5% of employees click phishing links but 40% report suspicious emails has a healthier security culture than one where 2% click and 0% report. The reporting rate means the security team gets threat intelligence about what real phishing is targeting employees: and someone who reports usually does not fall for it.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Component 3: Monthly Microlearning (Not Annual Marathon)

Replace the annual 45-minute training video with 12 monthly 3-5 minute microlearning modules. Monthly modules maintain recency: employees remember content from three weeks ago, not from eleven months ago.

Monthly module calendar template:

MonthTopic
JanuaryPhishing recognition: spotting the indicators
FebruaryPassword hygiene and password manager use
MarchBusiness email compromise: CEO/CFO fraud
AprilSafe remote work practices
MaySocial engineering: phone and vishing attacks
JuneData handling and sensitive information
JulyMobile device security
AugustCloud security: what goes in shared storage
SeptemberRecognizing account compromise
OctoberPhysical security (Security Awareness Month: tie to annual phishing campaign)
NovemberSupply chain and third-party risk
DecemberHoliday scams and seasonal phishing patterns

Module format requirements:

  • Maximum 5 minutes: enforce this; longer modules will be skipped or completed on autopilot
  • Include one specific, actionable takeaway per module (not five general principles)
  • End with a 2-3 question quiz: this forces active recall, which drives retention
  • Use real examples from current threat intelligence, not generic diagrams from 2018

Platforms that support this format: KnowBe4 ModStore, Proofpoint Security Awareness, Elevate Security, Ninjio, and Microsoft Viva Learning (for Microsoft 365 environments). Most platforms allow customization of module content: update templates to reference current events (a recent major breach, a new phishing technique) to increase relevance.

Component 4: Role-Specific Training for High-Risk Groups

Generic training assumes all employees face the same threats. They do not. Three groups face disproportionate targeting and require specialized content:

Finance and accounting staff: Business email compromise (BEC): fake wire transfer requests, vendor payment fraud, invoice manipulation: costs organizations more money per incident than ransomware. Finance staff are specifically targeted with executive impersonation and vendor fraud.

Specific training content:

  • How to verify wire transfer requests that arrive via email (phone callback to known number)
  • Red flags in invoice emails (new banking details, urgent requests, executive pressure)
  • What to do when a 'vendor' or 'executive' pushes back on verification steps
  • The dual-approval process for transfers above a threshold (if not already in place)

HR staff: HR holds the most sensitive employee data in the organization: salary, performance reviews, personal information, banking details for payroll. Attackers target HR with W-2 phishing, benefits redirect fraud, and credential harvesting disguised as HR system notifications.

IT and developers: Technical staff are targeted with supply chain attacks, fake security alerts, and credential theft via GitHub or CI/CD notifications. They often have more access than average employees and are assumed to be security-savvy: but technical knowledge does not prevent social engineering.

Measurement for role-specific training: Run separate phishing simulations for each high-risk group, using templates that match their specific threat (finance: vendor invoice; HR: benefits portal login). Compare click rates within the group before and after specialized training to measure impact.

Metrics That Prove the Program Is Working

Track four metrics monthly and report them quarterly to demonstrate program effectiveness:

1. Phishing click rate trend: The percentage of simulated phishing emails that result in a click. Should trend downward over 12 months. A mature program achieves below 5%.

2. Phishing report rate: The percentage of simulated phishing emails that are reported via the 'Report Phishing' button. Should trend upward. A mature program achieves 20-30% reporting of simulated phishing.

3. Training completion rate: Percentage of employees completing monthly modules within the required timeframe. Target: 95%+ completion within 2 weeks of assignment. Low completion rates indicate content relevance or platform usability problems.

4. Real incident rate: This is the ultimate metric: are real phishing incidents decreasing? Track: number of phishing emails successfully delivered and clicked (based on SOC/helpdesk reports), number of successful BEC attempts, and number of account compromises attributed to phishing. This requires correlation with your incident response data.

Reporting to leadership: Present the click rate trend graph alongside the phishing incident trend: if the program is working, both should trend downward together. A decreasing click rate with no change in real phishing incidents suggests your simulation templates are not representative of real-world threats.

The bottom line

Effective security awareness training requires four components: baseline and quarterly simulated phishing to measure click rates, immediate contextual feedback at the moment of a simulated phishing click (the highest-receptivity moment), monthly 3-5 minute microlearning modules on current threats (not an annual marathon), and role-specific training for finance, HR, and IT staff who face targeted attacks. Measure phishing click rate trend, report rate, and training completion rate monthly. The goal is below 5% click rate and above 20% report rate within 12 months.

Frequently asked questions

What makes security awareness training effective?

Effective security awareness training combines simulated phishing with immediate contextual feedback at the moment of a click (the highest-receptivity moment), monthly 3-5 minute microlearning modules that maintain recency (not annual marathons), and role-specific training for high-risk groups like finance and HR. The critical metric is phishing click rate trend: not training completion rates.

How often should simulated phishing campaigns be run?

At minimum quarterly: monthly is better. Employees who receive simulated phishing monthly maintain alertness that employees phished annually do not. Vary the template type each campaign: executive impersonation, IT alert, HR notification, vendor invoice. A diverse template set prevents employees from pattern-matching on simulation characteristics rather than learning to identify real phishing indicators.

What metrics should I track to measure security awareness training effectiveness?

Track four metrics over time: Phishing Click Rate (% of employees who click simulated phishing links per campaign — target below 5%); Phishing Report Rate (% of employees who report a phishing simulation using your report button — measures active engagement, not just avoidance); Credential Submission Rate (% of clickers who also entered credentials — the highest-risk behavior); and Training Completion Rate (% of employees who complete assigned training within the SLA). Compare click rate before training vs after for new hires: it demonstrates the program's impact. Track by department and manager to identify groups that need additional focus.

How do I make security awareness training mandatory without alienating employees?

Mandatory training works when it is short, relevant, and clearly connected to real threats. Keep modules to 5-10 minutes with scenario-based questions rather than compliance-style checkbox slides. Use real examples from your industry: employees engage when they recognize the threat. Explain the 'why' for each control — employees who understand why phishing is dangerous are more likely to report it than those who complete training to avoid a manager conversation. Automate assignment so training appears immediately after onboarding and annually thereafter without manual tracking. Avoid scheduling training during high-pressure periods (quarter-end, product launches) or pairing it with unrelated policy announcements.

What is the best security awareness training vendor?

The leading enterprise security awareness platforms are KnowBe4 (largest library, integrates with most HRIS and MDMs), Proofpoint Security Awareness Training (strong phishing simulation tied to Proofpoint's email threat intel), SANS Security Awareness (content built by security practitioners, strong on technical accuracy), and Cofense (focused specifically on phishing resilience with real-time threat templates). For small businesses, Microsoft Defender for Office 365's Attack Simulation Training (included in M365 Business Premium and E5) covers phishing simulation and basic training modules without an additional vendor. Evaluate on content quality, phishing template library diversity, reporting depth, and LMS integration fit.

How do you build a phishing reporting culture so employees flag real threats instead of ignoring them?

A high phishing report rate is one of the most operationally valuable outcomes of a mature security awareness program: each employee report is threat intelligence about what real attackers are sending your organization. Building a reporting culture requires three things: a frictionless reporting mechanism, a positive feedback loop, and explicit messaging that reporting is always the right action. On the mechanism: deploy a one-click Report Phishing button integrated into your email client (Outlook, Gmail). The fewer steps between seeing a suspicious email and reporting it, the higher your report rate. Requiring employees to forward the email to a security@company.com alias with a description creates enough friction that most employees do not bother. On the feedback loop: when an employee reports a phishing simulation or a real phishing email, send them an automated acknowledgment within minutes and a follow-up outcome notification. For simulations: 'You correctly identified a security test.' For real threats: 'Thank you for reporting this. Our security team is investigating.' For confirmed threats: 'You helped us stop a real attack. We have blocked this campaign.' Public recognition (in team meetings, company newsletters, or security channels) of employees who catch real phishing attempts builds social proof that reporting is valued. On messaging: train explicitly that reporting a suspicious email is always correct even if the email turns out to be legitimate. The cost of one unnecessary report is seconds of analyst time; the cost of one missed real phishing email can be a full account compromise. Never imply that false-positive reports are a burden.

Sources & references

  1. SANS Security Awareness Report 2025
  2. Proofpoint: State of the Phish 2025
  3. NIST SP 800-50: Building an Information Technology Security Awareness and Training Program

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.