Why Phishing Training Still Misses the Mark

  • Oct 1

A new study out of UC San Diego Health has reignited debate about the value of phishing training in enterprise security—and what it says about the limits of today’s risk governance models. The research followed nearly 20,000 employees over eight months, tracking their participation in annual awareness training and their responses to ten simulated phishing campaigns.


The results were sobering:


  • Annual awareness training showed no measurable impact. Employees who had just completed the training were just as likely to click on phishing links as those who hadn’t taken it in more than a year.

  • Embedded phishing exercises offered only a marginal benefit. On average, trained users had just a 1–2% lower failure rate than those who received no training at all.

  • Engagement with training materials was minimal. More than half of users who landed on a training page closed it within 10 seconds, and less than one-quarter formally completed the training.

  • Static training could even backfire. Employees who completed multiple static modules were more likely to fail future phishing simulations.


The findings reveal a gap in security risk governance: the most widely deployed training approaches—often mandated by regulators or insurance providers—are not meaningfully reducing risk. In an era defined by AI risk governance and emerging threats, this highlights the danger of relying on static, compliance-driven solutions that fail to adapt to real-world attacker behavior.


Why traditional training fails

The reasons aren’t hard to spot. Employees are busy and distracted, and when training feels like another compliance checkbox, they rush through it. Annual awareness programs are quickly forgotten. Simulations target only the subset of people who happen to “fail” at that moment, leaving most staff untouched. And the training materials themselves—static pages of text, repetitive warnings—rarely motivate real behavior change.


The study’s findings echo a broader truth: rote training is not the same as learning. In fact, when poorly designed, it can create cynicism or fatigue that undermines the very vigilance it’s meant to build.


A governance issue, not a checkbox

At the Advanced Cyber Security Center (ACSC), we believe ineffective phishing training isn’t just a nuisance—it’s a governance failure. In the same way that AI risk governance requires organizations to move beyond compliance exercises, security awareness must be treated as part of a broader risk governance strategy. Static modules and one-off simulations will not prepare employees to face phishing, credential abuse, or the emerging threats that exploit human behavior.


We see a better path forward. Effective awareness programs are:


  • Continuous, not annual. Security risk doesn’t appear once a year, and neither should awareness. Micro-messages, nudges, and regular touchpoints reinforce vigilance.

  • Embedded in daily workflows. Awareness must live in the tools employees already use, becoming part of the culture rather than a disruption.

  • Non-threatening. Punitive approaches erode trust. Positive reinforcement and recognition encourage people to engage.

  • Engaging—even fun. Just as AI-driven campaigns capture attention, awareness efforts must be creative and memorable to shift behavior.


This is where ACSC takes a stand: compliance alone will not reduce risk. Stronger security outcomes depend on embedding awareness into the fabric of organizational culture, just as effective governance is needed to address both AI risks and persistent human-centered threats like phishing.


A model case study for stronger compliance and better results:

Training as the mandated baseline - awareness as a continuous cultural initiative.

  • Bundle security into broader learning campaigns

  • Include gamified modules, recognition programs, and creative “security awards”


These approaches don’t just teach; they build community and normalize good habits.


The path forward for security awareness

Phishing remains one of the most common and costly attack vectors. As the UC San Diego study shows, the status quo isn’t enough. Organizations need to move beyond static, compliance-driven training toward approaches that resonate with people and fit the way they work.


That doesn’t mean throwing out training altogether. It means recognizing its limits and rethinking how it’s delivered. Instead of one-off exercises, companies should design programs that are continuous, embedded, non-threatening, and engaging.


Employees can’t be expected to become “human firewalls” through annual modules alone. But they can become stronger defenders when awareness is cultivated as a living part of organizational culture.


The Advanced Cyber Security Center (ACSC)

at Northeastern University Innovation Campus

info@acscenter.org  |  (617) 485-1112

©2025 by ACSC