Every month or so I like to step back from the day-to-day news cycle and look at what the research tells us about cybersecurity. This time I had two great guests: Michael Joyce from the Human-Centric Cybersecurity Partnership at the University of Montreal, and my long-time colleague David Shipley from Beauceron Security. Both of them have been digging into the data on phishing training and, as it turns out, some of the results aren’t what you’d expect.
We’ve all been told the standard line: run regular phishing simulations, train often, and people will become your strongest defence. The research shows that’s partly true, but the story is more complicated. Awareness campaigns do help — people who’ve gone through them are less likely to click on phishing attempts. But here’s the twist: the same campaigns also led to a drop in reporting. In other words, fewer clicks, but fewer people speaking up too. That’s a double-edged sword.
Another clear finding is about timing. Training has a decay rate. Right after a session, people are alert and cautious. But as weeks and months go by, those lessons fade. By the 12-month mark the effect is, for all intents and purposes, gone. Annual training might meet a compliance requirement, but it doesn’t change behaviour in a lasting way.
So what does work? The data suggests a layered approach. Monthly phishing simulations keep people sharp — they reinforce awareness without taking too much time. But running full training modules that often has little added value. Instead, the sweet spot seems to be around every 90 days. Quarterly training hits the balance: frequent enough to refresh skills, not so frequent that it becomes background noise.
And we also debated some of the recent reports that claim — wrongly, in our view — that phishing training has little or no value. Those headlines are great for stirring up clicks, but they don’t stand up to scrutiny. We took a deeper dive into one of those papers and gave it a hard look. The data, when read carefully, still shows clear benefits. Training works — the trick is to understand the limits, avoid over-saturation, and find the right cadence.
For me, the lesson is that it’s not just about training more or training less — it’s about cadence. Like most things in security, it’s about finding the right rhythm. Too infrequent, and people forget. Too frequent, and it all becomes noise. Get the timing right, and you can move beyond the old “weakest link” narrative and start turning people into active defenders.
Editor’s note:
We debated providing a link to this research, because we thought it would be irresponsible to encourage others to fall for its clickbait headline, and because there are severe flaws in this “research,” but ultimately we decided to provide it with a warning.
Article: Anti-Phishing Training Doesn’t Work
