How effective is security awareness training? That depends on what you’re trying to achieve.
If your goal with security awareness training is just compliance... then effective can simply mean getting around to completing the course, with enough people passing that you can say your organization is compliant.
But that’s not really the same as reducing security risks.
Effective security awareness isn’t just about checking a box for cybersecurity policies.
It’s about building decision-making skills at critical moments - whether it’s identifying a social engineering attack or reporting a potential threat before it escalates.
That’s the benchmark we should be aiming for.
The reality is: most traditional security training programs aren't effective.
A lot of programs are long-winded, overly generic, and built around advice people already know - or have tuned out.
Telling people to use MFA for the hundredth time isn’t what creates change.
If we’re serious about effectiveness, we need to focus on behavior change... and that starts with respecting users’ time, intelligence, and context.
Spotting failure: What does ineffective training look like?
It’s not that organizations aren’t checking the boxes - they are.
But real-world risk isn’t about passing audits.
It’s about whether people know what to do when things actually go wrong.
A report from Aberdeen Group found that 61% of security teams invest in training to address regulatory requirements... and 55% use it to comply with internal policies.
The problem with this approach is that you can be compliant and still completely exposed. That’s the trap many organizations fall into.
If people are just doing the training to tick a box, that’s a red flag.
Verizon’s data shows that 60% of security incidents still involve the human element...
But a Microsoft Digital Defense Report observed that awareness training by itself yielded only about a 3% reduction in phishing click rates on average unless it was reinforced by broader cultural or policy changes.
If we look at high-profile security breaches like the Colonial Pipeline attack...
Even with great policies on paper, when the rubber met the road, just one compromised password without MFA was all it took to create chaos.
They weren’t non-compliant. They had policies and tools.
But the human element was where things broke down.
The attacker got in through a single compromised VPN password with no MFA in place.
And the result was massive disruption across the U.S. fuel supply chain.
That’s how human cyber risks undermine even strong technical defenses.
Boxes were checked. But the kind of behavior change that prevents actual cybersecurity incidents? That’s what was missing.
Too often, organizations “tick a box,” delivering long-winded training that’s generic, compliance-focused, and forgettable.
If people are just doing the training to tick a box, they’ll go through the motions and forget everything minutes later.
According to the 'Ebbinghaus Forgetting Curve', individuals forget approximately 50% of new information within an hour and up to 70% within 24 hours without reinforcement.
Instead, real indicators of success are subtle.
When you see users changing small behaviors - pausing to think, reporting something suspicious, even just asking the right questions - that’s where real value starts to show up.
We don't need employees to just memorize policies...
We need them to start applying cybersecurity knowledge in their daily routines. That’s when you know your cybersecurity awareness training is making an impact.
Moving from ineffective compliance to behavior change
What separates effective training from box-checking?
It’s all about relevance and respect.
People are busy and smart - so treat them like it.
Speak to people in their language, with examples that feel real, and advice they can actually use.
Respect your employees’ intelligence.
Don’t drown them in walls of text.
Give them quick, usable advice that fits their reality.
For example, in training finance teams, simply telling them to be on the lookout for phishing emails is useless.
In real life, no one’s thinking, ‘Is this email suspicious?’...
They’re thinking, ‘I’m busy, I trust this person, let’s move fast.’
So training has to work with that, not against it.
Instead, acknowledging that they do their jobs well goes a long way when paired with an emphasis on their internal verification processes as the source of truth.
Training must move beyond regurgitating truisms like “don’t click suspicious links” or “make strong passwords.”
It must adapt to people’s real roles, challenges, and capacities.
If you hand employees generic, copy-paste training that talks down to them, they’ll ignore it.
People don’t need a wall of text on GDPR.
They need to know, practically, what they need to do in a given moment.
Successful security awareness programs empathize with users’ real-world challenges, like recognizing malicious links during a busy workday or balancing cybersecurity behavior with productivity in daily operations.
Building a security awareness program that actually works
Traditional awareness training fails because it’s usually designed to meet compliance obligations, not for people.
It tells you what the ‘right’ answer is, but doesn’t help you understand why it matters or how to apply it.
Hoxhunt’s approach? We focus on making training part of the flow of work - not a separate task you dread.
It’s bite-sized, ongoing, and tailored to what people actually do in their roles.
Empathy is key. People are smarter than they’re given credit for and so we need to respect that.
That empathy-driven philosophy especially shows up in tough-to-reach groups.
We create empathetic, short, and actionable training that could be completed in a minute or less.
When we can get people to pause and think for a moment (even some of the busiest people on the planet) - that’s where real change begins.
It’s not just theory either - we have the results to prove this approach works even amongst the toughest users to train.
Take Qualcomm, for example. The organization used targeted security awareness training to reach its most at-risk employees.
The outcome? A 63% reduction in repeat clickers - those who were previously most susceptible to phishing...
And a 46% improvement in high-risk users’ performance over six months.
By personalizing the training journey and focusing on real, actionable behaviors, Qualcomm turned its riskiest user group into one of its most improved.

Real progress is when your riskiest users aren’t just surviving - they’re improving faster than anyone else. That’s the power of personalization.
Effective cybersecurity education isn't about overwhelming employees; it's about building a healthy security culture where security practices are embedded naturally into daily work.
Use phishing simulations to turn theory into habits
Phishing simulations are a cornerstone of behavior change.
You can’t learn to spot cyber threats by theory alone.
It’s the same difference between book learning and real-world experience.
Attack simulations build gut instincts that theory can't.
They give people real practice in a safe environment, and that’s where habits start to form.
And the power of these tools goes beyond just identification... they also give us real data - not just guesses - on how people behave.
Good simulations aren’t about catching people out. They’re about building that fast, almost subconscious recognition when something feels off.
Without continuous education through simulated experiences, you can’t build cybersecurity behavior that holds up under pressure in the real digital landscape.

Adapt training to the learner to boost engagement
Adaptive difficulty is key.
Cybersecurity awareness training should use an adaptive learning framework - not everyone is starting at the same level of cybersecurity knowledge or facing the same potential risks in their roles.
People stay engaged when they feel challenged, but not overwhelmed.
Personalization helps keep training relevant, and adaptive difficulty means the training evolves with the user.
Even users who initially resist may reach a certain point where they’re ready to change... and continuous, respectful engagement ensures the training is there to catch them when they do.
These resistant users aren’t failures; they’re just waiting for the right experiential moment.
And when it eventually clicks, behavior often changes dramatically.
Behavior change isn’t instant; it’s about being present for the moment people are ready to listen. That’s what adaptive training unlocks.
Measure what actually matters
Forget just completion rates.
We need to move beyond those surface metrics.
Engagement over time. Reporting rates. How people respond to real and simulated threats… those are the signals that tell us we’re making a difference.
At Hoxhunt, we find that role-based content wins every time.
When people feel that training reflects their actual threats and context, that’s when they sit up, pay attention, and change their behaviour.
In a strong security culture, employees don’t just memorize answers; they apply cyber hygiene habits, minimizing human cyber risks.
While surface-level scores like quiz completions have their place, what truly matters is whether people pause, think, ask questions, and make better choices in real situations.
Tracking reporting rates on simulated and real security threats tells you if you’re building that muscle memory - not just teaching people to pass a quiz.
Completion rates measure compliance...
Reporting rates and behavior shifts measure culture.
Effective security awareness training reduces real attacks
Our Phishing Trends Report looked at the measurable impact of our personalized, behavior-driven training...
The standard, pre-Hoxhunt performance baseline for cybersecurity training is:
- 7% Success rate
- 20% Failure rate
- 80% Miss rate
- (The figures don’t add up to 100% because they come from separate data sets.)
Many enterprise organizations with legacy SAT models often have stagnant Success rates of about 10%, with limited visibility into real threat reporting and dwell time.
We saw that these metrics all drastically improve once employees are onboarded with Hoxhunt, and they continue to improve steadily over time, demonstrating sustainable engagement and resilience.

The chart above includes real cyber threats detected, which is rarely tracked before organizations switch to Hoxhunt.
However, during onboarding a huge shift in threat reporting behavior occurs once training kicks off.
We can see that simulated and real threat reporting are very strongly correlated.
When we train employees to spot simulations, we're also training them to catch real threats.
Half of employees report a real threat 6 months into training and 2/3 of employees report a real threat within one year of beginning training.
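As an added illustration (not Hoxhunt's code or methodology), the script below computes the kinds of metrics this section describes from a small constructed set of phishing-simulation and real-threat reporting events. The definitions of success, failure and miss rate, the repeat-clicker threshold, and all sample data are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample data: (user, months since onboarding, outcome) for each
# phishing simulation sent; outcome is "reported", "clicked" or "ignored".
SIM_EVENTS = [
    ("alice", 1, "reported"), ("alice", 2, "reported"), ("alice", 3, "reported"),
    ("bob", 1, "clicked"),    ("bob", 2, "clicked"),    ("bob", 3, "reported"),
    ("carol", 1, "ignored"),  ("carol", 2, "ignored"),  ("carol", 3, "reported"),
    ("dave", 1, "clicked"),   ("dave", 2, "ignored"),   ("dave", 3, "ignored"),
]
USERS = {"alice", "bob", "carol", "dave"}
# Constructed: (user, months since onboarding) of each user's first real-threat report.
REAL_REPORTS = [("alice", 2), ("bob", 5), ("carol", 9)]


def simulation_rates(events):
    """Assumed definitions: success = reported, failure = clicked, miss = neither.
    With these definitions the three rates sum to 1; the page's baseline figures
    come from separate data sets and therefore do not."""
    counts = {"success": 0, "failure": 0, "miss": 0}
    for _user, _month, outcome in events:
        counts[{"reported": "success", "clicked": "failure"}.get(outcome, "miss")] += 1
    return {k: round(v / len(events), 3) for k, v in counts.items()}


def success_rate_by_month(events):
    """Share of simulations reported in each month: the trend, not a single score."""
    total, reported = defaultdict(int), defaultdict(int)
    for _user, month, outcome in events:
        total[month] += 1
        reported[month] += outcome == "reported"
    return {m: round(reported[m] / total[m], 3) for m in sorted(total)}


def repeat_clickers(events, threshold=2):
    """Users who failed at least `threshold` simulations: the high-risk group to focus on."""
    clicks = defaultdict(int)
    for user, _month, outcome in events:
        if outcome == "clicked":
            clicks[user] += 1
    return sorted(u for u, c in clicks.items() if c >= threshold)


def share_reporting_real_threat_by(reports, users, months):
    """Fraction of users who reported a real threat within `months` of onboarding."""
    reported = {u for u, m in reports if m <= months}
    return round(len(reported) / len(users), 3)
```

Run the functions over the constructed data to see the rising per-month reporting trend and the share of users who report a real threat by six and twelve months, the two signals the text treats as evidence of culture change.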
Culture change should be the endgame
Behavior shifts are organic and sometimes hard to spot.
It’s not like people talk about cybersecurity training around the water cooler.
But a successful security awareness training program will show subtle signs of shifting culture.
We often hear Hoxhunt employees, for example, comparing their training scores or casually saying, “let’s double-check the recipient list before sending this email.”
Those moments signal a secure mindset.
Ongoing training builds this mindset by making security part of everyday work and not just a yearly compliance ritual.
Security isn’t something you learn once - it’s something you practice.
The end goal isn’t training for its own sake; it’s to weave cybersecurity practices into the very fabric of organizational culture.
A strong security posture depends on creating a culture of vigilance, where reporting a potential cyber incident is second nature, not something employees hesitate to do.
The role of AI and what comes next
With AI tools enhancing both cyber threats and defense, traditional training models are struggling to keep up.
Cybersecurity experts are clear: AI doesn’t just amplify cyber risks - it obliterates outdated advice.
AI-generated phishing attacks are perfectly grammatically correct and culturally attuned, bridging gaps that used to trip up attackers.
Through our own experiments with AI, we found that as of March 2025, AI attacks are now 24% more effective than humans.

The solution? Train people not to spot mistakes but to verify everything through trusted channels.
The future isn’t about playing email detective. It’s about embedding habits of healthy skepticism and smart verification.
Final takeaway: Empathy, relatability and relevance are the keys to successful training
Empathy, relatability, and relevance. That’s really the key… respect your employees, respect their time, their intelligence, and their roles.
Effective security awareness programs aren't about compliance software or passing tests - they’re about treating people like capable partners in defending against cybersecurity breaches.