Why Bad Awareness Training Fails — and How to Fix It

Most phishing programs fail because they’re poorly run. Here’s how to make them work.

This summer, headlines shouted that “security awareness training doesn’t work.” 

Most of those stories were based on a single study of one healthcare organization by the University of California San Diego.  

But here’s the irony: that study doesn’t prove training is useless. 
 
It actually confirms that bad awareness training, delivered poorly, doesn’t work.

As the report puts it: 

“Cybersecurity training programs as implemented today by most large companies do little to reduce the risk that employees will fall for phishing scams.” 

The issue isn’t training people or doing phishing simulations — it’s how security awareness training is designed, delivered, and reinforced.  

Let’s look at what the research really found, what a larger dataset shows, and how to make awareness training work the way it should. 

What the Research Really Says 

The UCSD researchers found two key flaws in most corporate programs: 

  1. Annual training doesn’t meaningfully reduce phishing risk. 

  2. Employees don’t engage with content delivered through post-click landing pages. 

These findings aren’t surprising — and they align with what we’ve observed in the real world since we launched Beauceron in 2017, built from research started at the University of New Brunswick. 

What Our Data Shows 

We shared anonymized phishing and training data from more than 500 organizations and 250,000 people with Michael Joyce, an independent researcher and executive director of the Human Centric Cybersecurity Partnership at the Université de Montréal. To our knowledge, it’s the largest dataset on phishing simulations and training ever analyzed independently.  
 
He found that the probability of clicking a phishing email changes from the moment after training to 360 days later: 

  • Immediately after training: 3.5%  

  • 30 days later: 5.7% 

  • 90 days later: 15%+ 

  • 360 days later: 95% 

A year after training, the odds of clicking on a phishing email increase significantly. The impact of training fades over time. That’s why “annual training” simply doesn’t work when it comes to phishing. That doesn’t mean annual security awareness training doesn’t provide other value. However, it has limitations on how much it can reduce the risk posed by phishing.  

You can watch Joyce’s 30-minute talk on cybersecurity and awareness insights from our data at the NorthSec conference on YouTube.

The Post-Click Learning Delivery Problem 

The UCSD study also found that most people don’t meaningfully engage with post-click website-delivered learning pages: 

  • 75% spent 30 seconds or less on the page 

  • Only 24% finished the educational material 

Our own data from the last year is even starker: the average time spent on a post-click page was just 11 seconds. 

Simply put, it’s not a good way to do post-click follow-up training. That doesn’t mean there aren’t other, better ways. 

Take Beauceron’s Reel-Time Remediation training, for example. It’s a short, focused course delivered through our learning management system, not as a post-click landing page. It achieves a 70% completion rate and a median engagement time of five minutes. 

The results are measurable: 

Participants who complete it click 40% less than those who don’t. 

In short: good content, delivered properly, makes a real difference. Or simply put: security awareness done well works well. 

Four Ways to Make Awareness Training Work 

Instead of focusing on why poorly designed programs fail, let’s talk about how to make them succeed. Here are four evidence-based strategies that actually reduce phishing risk. 

1. Right Messages, Right Frequency 

Joyce’s research gives organizations a way to calibrate their training frequency based on real-world data and risk appetite. 
 
We recommend quarterly education paired with monthly, randomized phishing simulations that adapt in difficulty over time. 

But balance is key. You can over-train. 
 
During Cybersecurity Awareness Month, for example, higher activity temporarily reduced click rates — but it also led to security fatigue and fewer phishing reports. 

2. Reward and Redemption, Not Scolding and Punishment 

Traditional phishing programs have two end states: 
You either “lose” by clicking or get nothing for avoiding it. 

Consider this better model, shaped by how Beauceron engages people with a personal cyber risk score: 

  • If you click, you can get points back on your personal score by completing remedial training and reporting the phish. 

  • If you don’t click and you report, you earn positive points on your personal score. 

  • The only way you lose out is if you make a mistake and don’t take the time to learn from it. 

3. Ditch Fear-Based Consequences 

We’ve published research showing that harsh punishment models backfire and come with their own risks for organizations. 
 
When people fear getting in trouble, they’re less likely to report mistakes — which means a single click can turn into a serious incident before your security team even knows it’s happening. People who are afraid of consequences are half as likely to tell someone they clicked on a phish. That’s bad news for everyone.

If someone clicks, but then reports, make sure you give them credit for their honesty.  

Positive reinforcement builds a culture of honesty and quick response; fear builds silence. 

4. Reinforce Security Everywhere — Even on the Walls 

Some folks roll their eyes at the value of awareness posters. But they’ve been proven to work. 

A few years ago, a CISO told us that once everyone started working from home, phishing incidents skyrocketed. They felt that without posters around the office, employees lost the daily subconscious reminders that kept them alert. 

Sometimes the simplest cues — a message on a wall, a quick conversation, a visual reminder — have powerful effects. 

That’s why Beauceron’s latest cybersecurity awareness posters, available to our clients in our platform, draw on behavioral psychology research to subtly reinforce cyber-safe habits — not just around phishing, but across other digital risks as well.  

The Bottom Line 

Awareness training isn’t broken — it’s just been done badly at too many places for too long. 
 
The solution isn’t to give up on people; it’s to understand how they learn and what actually works. 

At Beauceron, we’ve spent years proving that when training is human-centered, reinforced regularly, and positively motivated, it delivers real, measurable results. 

Let’s stop dismissing the value of awareness and instead focus on making it work better. 
