
    December 28, 2025 · 6 min read · By José Vicente Chávez

    Why Your Security Training Program Is Not Working (And Science Proves It)


    $5.6 Billion on Something That Does Not Work

    In 2024, organizations globally spent $5.6 billion on employee security training. This market is projected to grow to $15.3 billion by 2030, with a compound annual growth rate of 18.2%.

    There is a fundamental problem with this investment: scientific evidence demonstrates that standard industry training is not effective at changing behavior.

    We are not talking about opinions or anecdotes. We are talking about randomized controlled studies, published in academic journals, with samples of tens of thousands of employees.


    The UCSD Health Study: 19,789 Employees, 8 Months

    Researchers from the University of California San Diego conducted one of the most rigorous studies on cybersecurity training effectiveness.

    Methodology: 19,789 employees over 8 months, using randomized control methodology.

    Direct conclusion from the study: "Standard industry training is NOT effective at preventing clicks."

    The group that received training showed no statistically significant difference in phishing click rates compared to the control group that received no training.

    This means organizations are spending millions on programs that do not produce the result they are supposed to produce: reducing the likelihood that an employee falls for a social engineering attack.

    The ETH Zurich Study: When Training Makes Results Worse

    If the UCSD Health study suggests training does not help, the ETH Zurich study suggests something worse: training can actively make results worse.

    Researchers from ETH Zurich (Europe's most prestigious technical university) conducted a study with 14,000 employees from a European financial institution.

    Finding: Generic training worsened results by 12%.

    The reason? It generated false confidence. Employees who completed training felt more secure ("I've been trained, I know what I'm doing") and consequently lowered their psychological guard.

    This phenomenon has a name in cognitive psychology: the Dunning-Kruger effect, applied here to cybersecurity. A little knowledge generates disproportionate confidence, and that confidence results in riskier behavior, not safer behavior.

    The Channel Problem: 87% of Training Ignores the Most Effective Vector

    IBM X-Force, IBM's threat research division, documented a critical finding: phone call attacks (vishing) are 3 times more effective than email-only attacks.

    However, 87% of current industry training focuses exclusively on email.

    This means most organizations are training their employees to detect the least effective vector while leaving them completely unprepared for:

    • Vishing (voice phishing)
    • Smishing (SMS phishing)
    • Coordinated multi-channel attacks

    These are the vectors that professional attackers consistently use in 2025.

    Vishing attacks increased 442% in 2024 according to Deloitte, driven by voice cloning tools that require only 3 seconds of audio to generate an indistinguishable clone.

    Why Timing and Context Matter More Than Content

    The fundamental failure of current training is not the content. It is the timing and context.

    Humans do not learn from generic videos watched weeks before facing a real attack. They learn when they make a mistake and receive immediate feedback on what they did wrong and why.

    This is the critical difference:

    Current model (ineffective): "I trained last year" = lost context, unmodified behavior

    Effective model: "I made this error 3 minutes ago and the system showed me exactly the signals I ignored" = proven behavior change

    Neuroscience is clear on this. Memory formation and behavior change require:

  1. Immediate relevance (the error just occurred)
  2. Specificity (this specific email, these specific signals)
  3. Emotional consequence (the impact of "I almost fell for it")
  4. Spaced repetition (re-evaluate weeks later)

    Generic annual training meets none of these requirements.

    Cases That Demonstrate the Failure of the Current Model

    Snowflake (2024):

    • Losses: Over $300 million
    • Affected clients: Over 165 companies
    • All employees had completed security training
    • Attack vector: contractor credentials

    MGM Resorts (2024):

    • Losses: Over $100 million
    • 10 days of paralyzed operations
    • Trained employees
    • Attack vector: a vishing call to the helpdesk

    Banco do Brasil (2024):

    • Losses: R$40M
    • Over 2 million compromised customers
    • Active training programs
    • Attack vector: social engineering targeting employees

    In each case, employees had received training. In each case, training did not prevent the attack.

    What Does Work: The Contextual Learning Model

    If generic training does not work, what does?

    Evidence points to a different model with five components:

    1. Continuous Testing, Not Periodic Training

    Instead of an annual course, run regular simulations that test real vulnerability under realistic conditions.

    2. Immediate Feedback

    When an employee fails a simulation, they receive training at that moment, not weeks later. The context is fresh, the error is specific, and the emotional impact is at its peak.

    3. Multi-Channel

    Test email, SMS, voice. Attackers do not limit themselves to email. Preparation should not either.

    4. Personalization by Risk Profile

    Not all employees have the same vulnerability profile. A CFO who resists generic phishing but falls for authority pretext needs different intervention than a developer vulnerable to false technical requests.

    5. Change Validation

    Re-test weeks later to validate that behavior actually changed. Do not assume "completed the module" equals "changed their behavior."

    The Question Every CISO Must Ask Themselves

    The average CISO reports to their board: "78% of our employees completed annual training."

    The question the board should ask (and the CISO should be able to answer):

    "What percentage of our employees demonstrated secure behavior under a realistic simulated attack in the last 30 days?"

    If the answer is "we don't know," then the organization has a critical visibility gap.

    Completing a course is not evidence of secure behavior. It is evidence of having watched a video.

    The Real Cost of the Current Model

    The current security training model has three hidden costs:

    1. Direct Cost

    Platform licenses, employee time, program administration. In a 300-employee company, this can represent $15,000-30,000 USD annually.

    2. False Security Cost

    As the ETH Zurich study demonstrated, training can generate unjustified confidence that increases actual risk.

    3. Opportunity Cost

    Every dollar spent on ineffective training is a dollar not invested in solutions that do generate measurable behavior change.

    What to Look for in an Effective Solution

    If you are evaluating alternatives to traditional training, these are the capabilities that evidence suggests matter:

    • Multi-channel simulations (email, SMS, voice)
    • Training delivered at the moment of error, not scheduled
    • Per-person metrics, not just per department
    • Automatic re-evaluation to validate change
    • Adaptive escalation based on individual resistance

    The question is not whether you should invest in employee preparedness. The question is whether you will continue investing in a model that science proves does not work.
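    As an added illustration (not code from the original article or from any vendor), this script computes the two numbers the article argues a CISO should be able to report: the share of headcount that demonstrated secure behavior in a realistic simulation within the last 30 days, and, per person and channel, whether a failure was followed by a validated change on re-test. The simulation log, employee names, channels and outcome labels are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed simulation log: (employee, channel, ISO date, outcome). Values are made up.
# "reported" is secure behavior; "clicked"/"disclosed" are failures; "ignored" is no evidence.
EVENTS = [
    ("alice", "email", "2025-12-01", "clicked"),
    ("alice", "email", "2025-12-22", "reported"),   # re-test 3 weeks later: passed
    ("bob",   "voice", "2025-12-05", "disclosed"),
    ("bob",   "voice", "2025-12-26", "disclosed"),  # re-test: still failing
    ("carol", "sms",   "2025-12-10", "reported"),
    ("dave",  "email", "2025-10-15", "reported"),   # outside the 30-day window
    ("erin",  "voice", "2025-12-20", "ignored"),    # no evidence either way
]
SECURE, FAILED = {"reported"}, {"clicked", "disclosed"}

def secure_rate_last_days(events, headcount, as_of, days=30):
    """Board metric: share of headcount whose latest simulation in the window shows
    secure behavior. Staff with no conclusive test in the window are 'untested' and
    count against the rate: an untested employee is not evidence of secure behavior."""
    cutoff = datetime.fromisoformat(as_of) - timedelta(days=days)
    latest = {}
    for emp, _ch, ts, outcome in events:
        t = datetime.fromisoformat(ts)
        if t >= cutoff and outcome in SECURE | FAILED and (emp not in latest or t > latest[emp][0]):
            latest[emp] = (t, outcome)
    secure = sum(1 for _t, o in latest.values() if o in SECURE)
    return {"secure": secure, "failed": len(latest) - secure,
            "untested": headcount - len(latest), "rate": secure / headcount}

def validated_change(events, min_gap_days=14):
    """Change validation: for every (employee, channel) that failed, look for a re-test at
    least min_gap_days after the first failure and report the latest re-test outcome."""
    history = defaultdict(list)
    for emp, ch, ts, outcome in events:
        history[(emp, ch)].append((datetime.fromisoformat(ts), outcome))
    verdict = {}
    for key, hist in history.items():
        hist.sort()
        fails = [t for t, o in hist if o in FAILED]
        if not fails:
            continue                      # never failed: nothing to validate
        retests = [o for t, o in hist
                   if o in SECURE | FAILED and (t - fails[0]).days >= min_gap_days]
        verdict[key] = ("not retested" if not retests
                        else "changed" if retests[-1] in SECURE else "not changed")
    return verdict

if __name__ == "__main__":
    print(secure_rate_last_days(EVENTS, headcount=5, as_of="2025-12-31"), validated_change(EVENTS))
```

    With this sample, two of five employees count as secure in the window, one as failed and two as untested, which is the visibility gap the article describes; "completed the module" never enters the calculation.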
