It’s long been acknowledged that outdated security awareness training needs an overhaul, and new research shows that static training produces no measurable improvement in employee cybersecurity: employees were more likely to click on unsafe links after receiving it.
A team of researchers from the University of Chicago, the University of California San Diego and the University of California San Diego Health studied the effects of phishing training on over nineteen thousand employees at UCSD Health, and presented their research at Black Hat USA 2025 in Las Vegas.
The research made clear that security awareness programs haven't kept up with today's threat landscape. After completing training activities and being made aware that their employer had invested in cyber protections, employees reported feeling safer online, and their likelihood of clicking on phishing emails actually increased.
Human error remains the leading cause of data breaches, with our Mimecast research showing that 95% of data breaches involve user mistakes. While those numbers remain consistently high, it’s clear that conventional training methods fail to instil lasting behavioural change.
In the universities’ research, the group of participants who completed interactive rather than static training were measured to be 19% less likely to click on phishing links. Static training, however, had no proven benefit, and only 24% of participants completed the courses required of them. Over 50% of the static training sessions were ended within 10 seconds of beginning.
If we want security awareness to truly protect organisations, we need to rethink everything: from how we structure training, to the metrics we track, to what “success” actually looks like. By focusing on adaptive learning, personal accountability and measurable outcomes, we can evolve security awareness from a compliance checkbox into a core defence mechanism.
Moving on from ‘one size fits all’
Security awareness training too often relies on outdated tactics, such as phishing simulations and annual refresher training. The problem isn't just outdated content; it's the use of a one-size-fits-all structure. Most organisations deliver the same training to every employee, regardless of job role, risk exposure or history of security missteps. Expecting uniform outcomes from workers with vastly different responsibilities is unrealistic and ineffective.
The metrics used to assess these programs are often meaningless. Completion rates and engagement scores track participation, not progress. It’s time to prioritise behaviour and results, not just check-the-box compliance.
Annual training models need to be replaced with adaptive real-time training. Cyberthreats evolve rapidly, and training must evolve with them, meeting employees at the point of risk. Just-in-time learning is essential. If an employee clicks on a risky link, a prompt that explains the mistake and offers safer alternatives helps cement the lesson when it matters most.
Tailoring individualised training
Threat-responsive updates are just as vital. Security programs should shift with threat levels, deploying phishing alerts during surges or ransomware simulations when relevant. Even simple interventions, like monthly nudges, help keep good habits top of mind.
Training must also be tailored, because not all employees face the same risks. Senior leaders are often targeted by spear-phishing and developers may encounter credential-harvesting threats, yet most training programs are intended for employees at every level. A more tailored approach improves both relevance and retention. This involves categorising employees by their risk level, based on their role, access level and past behaviour. Using data from previous incidents will help deliver targeted feedback and additional training to those who have fallen for phishing attempts before.
Employers should also create risk profiles to show employees how likely they are to fall for phishing attempts compared to their peers, promoting self-awareness amongst colleagues. Customisation is essential for better results, and, crucially, shows employees that the training they are receiving is relevant to their role.
One of the biggest shifts that companies need to make is the transition from vanity metrics like completion rates to data points that reflect behavioural change and reduced risk outcomes. These data points should include reduced successful phishing attacks over time, improved password hygiene, tangible economic benefits, and decreased risky activities, such as installing unapproved apps or mishandling sensitive data. Behaviour-based metrics drive continuous improvements by showing what’s working and what needs improvement.
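As an added illustration (not code from the article or from Mimecast) of the risk profiling, peer comparison and behaviour-based metrics described above, the script below scores each employee from role, access level and their observed click rate on simulated phishing emails, buckets them into training tiers, produces the peer-comparison banner, and tracks the click rate per quarter. The sample records, the role and access weights and the tier thresholds are all constructed assumptions; an organisation would replace them with its own data and policy.

```python
from collections import defaultdict

# Constructed sample data (not from the article): one record per simulated
# phishing email, as (employee, role, access level, quarter, clicked).
EVENTS = [
    ("ana", "exec",  "high", "Q1", True),  ("ana", "exec",  "high", "Q2", False),
    ("ben", "dev",   "high", "Q1", True),  ("ben", "dev",   "high", "Q2", True),
    ("cy",  "staff", "low",  "Q1", False), ("cy",  "staff", "low",  "Q2", False),
    ("dee", "staff", "high", "Q1", True),  ("dee", "staff", "high", "Q2", False),
]

# Assumed exposure weights per role and access level (hypothetical; tune per org).
ROLE_WEIGHT = {"exec": 3, "dev": 2, "staff": 1}
ACCESS_WEIGHT = {"high": 2, "low": 1}

def risk_score(role, access, click_rate):
    """Exposure (role x access) scaled up by the employee's observed click rate."""
    return ROLE_WEIGHT[role] * ACCESS_WEIGHT[access] * (1 + click_rate)

def risk_profiles(events):
    """Per-employee score, tier, prior-click flag and peer-comparison banner."""
    sent, clicks, meta = defaultdict(int), defaultdict(int), {}
    for emp, role, access, _, clicked in events:
        sent[emp] += 1
        clicks[emp] += int(clicked)
        meta[emp] = (role, access)
    scores = {e: risk_score(*meta[e], clicks[e] / sent[e]) for e in sent}
    ranked = sorted(scores, key=scores.get)  # safest employee first
    profiles = {}
    for pos, emp in enumerate(ranked, start=1):
        s = scores[emp]
        profiles[emp] = {
            "score": s,
            # Tier thresholds are assumed; they decide who gets extra training.
            "tier": "high" if s >= 6 else "medium" if s >= 3 else "low",
            "clicked_before": clicks[emp] > 0,  # candidate for targeted follow-up
            "banner": f"You're in the top {round(100 * pos / len(ranked))}% for secure behaviour",
        }
    return profiles

def quarterly_click_rate(events):
    """Outcome metric: share of simulated phish clicked, per quarter."""
    sent, clicks = defaultdict(int), defaultdict(int)
    for _, _, _, quarter, clicked in events:
        sent[quarter] += 1
        clicks[quarter] += int(clicked)
    return {q: clicks[q] / sent[q] for q in sorted(sent)}
```

On the constructed data the quarterly click rate falls from 0.75 to 0.25, which is the kind of trend a behaviour-based programme would report instead of a completion rate.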
Changing the culture of security
Companies must also build a culture of accountability by bringing employees into the process as active defenders rather than punishing them into compliance. Give them visibility into their own progress by using, for example, simple dashboards or comparative banners (e.g., “You’re in the top 10% for secure behaviour!”) to drive motivation and clarity.
Recognition matters too. Celebrate employees who report phishing attempts or avoid traps. Positive reinforcement builds morale and reinforces the right habits. When employees feel invested and informed, participation turns into ownership.
Security awareness is just one part of a broader human risk strategy, but it’s a high-impact opportunity hiding in plain sight. The research is clear: outdated training methods not only fail to create change but may even push behaviour in the wrong direction. By shifting toward adaptive, personalised and outcome-based training, organisations can finally address the human vulnerabilities that attackers exploit most. When done right, security awareness doesn't just inform and educate; it protects.