Does Security Awareness Training Even Work? Fixing the Flaws Behind “Training Fails” Headlines

We break down why traditional, compliance-driven security awareness and phishing programs underperform and fuel “training doesn’t work” headlines like the UC San Diego / Wall Street Journal study.

Show Notes

“Security awareness training doesn’t work” makes for a punchy headline. But is the problem training itself - or the way most organizations still run compliance-driven, once-a-year programs?

In this episode, host Eliot Baker sits down with global security awareness leader David Badanes to dissect the latest “training fails” narratives (especially the UC San Diego study amplified by the Wall Street Journal) and contrast them with what actually works in high-performing human risk programs.

They break down the three failure modes of legacy awareness (content, cadence, culture), show how to rebuild around behaviour change and reporting, and give you language to push back when executives show up with the latest “training doesn’t work” article in hand.

What you’ll learn in this episode:

  • The three failure modes of legacy awareness programs: broken content, broken cadence, and broken culture.
  • Why annual modules and quarterly cookie-cutter phishing tests create “security tourism,” not real habit change.
  • How to rebuild around role-based, adaptive, micro-learning paths that challenge people at the right level.
  • Where gamification, rewards, and opt-in “spicy mode” simulations help and where they can blow up trust.
  • Why click/failure rate is a weak north star, and how to use resilience ratio, time-to-report, and real-phish-to-sim-phish pipelines instead.
  • How to embed “stop work authority” into digital life so employees can safely slow down urgent requests across email, Teams, Slack, WhatsApp, and SMS.
  • What the UC San Diego / WSJ study got right about bad training, where the methodology falls short, and how to brief your leadership on it.
  • The qualitative signals that a culture-first awareness program is working (water-cooler conversations, proactive reporting, and cross-functional pull from finance, M&A, and beyond).

Timestamps:

(00:00) Why “training doesn’t work” headlines keep coming back

(02:00) Content, cadence, and culture: three failure modes of awareness

(04:30) From “security tourism” to continuous skill building

(06:30) Rebuilding the model: people, process, then technology

(09:00) Role-based and adaptive paths (and where AI actually helps)

(11:00) Gamification, leaderboards, and avoiding public shaming

(14:00) Opt-in “spicy mode,” emotional reactions, and handling backlash

(19:00) Phishing beyond email: Teams, Slack, WhatsApp, SMS and more

(21:00) Stop work authority: slowing down urgent requests without blame

(22:00) Why failure rate is not your north star metric

(24:00) Resilience ratio, time-to-report, and protecting your colleagues

(26:00) Tying recognition and performance reviews to cyber-safety behaviour

(28:00) Handling repeat clickers without creating fear and avoidance

(33:00) The UC San Diego / WSJ study: what it got right and wrong

(36:00) What “good” looks like when training actually works

Full Conversation Breakdown

In this episode of All Things Human Risk Management, host Eliot Baker is joined by global security awareness leader David Badanes to ask a blunt question: does security awareness training even work, or is most of it just compliance theatre? They unpack why “training doesn’t work” headlines (including the UC San Diego study amplified by the Wall Street Journal) keep coming back and what a behavior-focused, culture-aware program actually looks like in practice.

Most “training fails” because of content, cadence, and culture

The problem isn’t the idea of training; it’s the way most organizations do it. Generic, threat-focused content, annual CBT modules, and quarterly cookie-cutter phishing tests produce nice optics and weak outcomes. Culture finishes the damage when mistakes are punished instead of used as learning fuel.

“Bad training yields bad results - that doesn’t mean all training is useless.”

From security tourism to continuous habit-building

Quarterly exercises turn security into “tourism”: a brief visit to Security Land instead of a habit. Real skill-building looks more like learning guitar or a language - small, frequent reps, not an annual cram. The goal is to normalize constant low-friction exposure, not rare high-stakes tests.

“Once-a-year training builds checkboxes, not reflexes.”

People, process, then technology

Dropping in a new platform doesn’t fix a broken program. David argues for aligning leadership, HR, IT, and business units around a clear vision of digital safety first, then designing processes, and only then choosing tools. The tech should amplify a culture and model that already make sense.

“Don’t expect a tool to solve a people-and-process problem.”

Adaptive, role-based learning paths

You don’t need a bespoke curriculum for every individual; you need smart archetypes and adaptive difficulty. Group people by function, geography, and level, then let performance drive how hard and how often they’re challenged. AI is useful for finding that “right edge” where people are stretched but not constantly failing.

“People learn best when they’re challenged enough but not crushed.”

Gamification that rewards reporting, not shame

Gamification works when it celebrates useful behavior (reporting suspicious messages, engaging with content) and avoids public humiliation. Leaderboards and badges can motivate individuals and teams, as long as low performers get private coaching, not public blame. Rewards must map to real risk reduction, not vanity stats.

“Use points to pull people in - not to push them out.”

Spicy mode, realism, and backlash as opportunity

High-fidelity, emotionally charged simulations (“spicy mode”) can teach what real attacks feel like, but they’re a minefield if misused. Opt-in, strong HR/exec backing, and a fast feedback loop are critical. When people complain, it can be a chance to engage, explain the why, and convert critics into advocates.

“Realism is good; breaking trust is not.”

Beyond email: multi-channel risk and stop-work authority

Attacks no longer live only in the inbox - Teams, Slack, WhatsApp, SMS and other channels are in play. Training must set clear expectations for which channels are legitimate for which types of requests. Borrowing from physical safety, employees should have “stop-work authority” to slow or halt suspicious digital actions without fear of punishment.

“Treat an odd WhatsApp from ‘the CFO’ like a slippery factory floor - stop, then fix.”

Better metrics: resilience ratio and mean time to report

Click/failure rate is easy to understand and easy to game. More meaningful measures include the resilience ratio (reports vs clicks) and mean time to report real phishing. These metrics focus on engagement and protective behavior, not just avoiding embarrassment on a board slide.

“Completion shows who watched; reporting shows who’s actually helping.”
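To make the metrics section concrete, here is an added example (not code from the episode or from Hoxhunt) that computes click rate, resilience ratio and mean time to report per campaign from constructed simulation event rows. The campaign names, user ids and timestamps are all made up; the point it demonstrates is that two campaigns with an identical click rate can have very different resilience ratios, and that the ratio is undefined (not zero) when nobody clicked.

```python
from datetime import datetime
from statistics import mean

# Constructed sample data, not output of any real program: one row per
# recipient of a simulated phish. action is "reported", "clicked" or
# "ignored"; acted_at is None when the recipient did nothing.
# Campaign and user names are placeholders.
EVENTS = [
    # (campaign, user, delivered_at, action, acted_at)
    ("legacy",   "u1", "2024-09-02T09:00:00", "clicked",  "2024-09-02T09:20:00"),
    ("legacy",   "u2", "2024-09-02T09:00:00", "ignored",  None),
    ("legacy",   "u3", "2024-09-02T09:00:00", "ignored",  None),
    ("legacy",   "u4", "2024-09-02T09:00:00", "ignored",  None),
    ("legacy",   "u5", "2024-09-02T09:00:00", "ignored",  None),
    ("rebuilt",  "u1", "2024-10-07T14:00:00", "reported", "2024-10-07T14:03:00"),
    ("rebuilt",  "u2", "2024-10-07T14:00:00", "clicked",  "2024-10-07T14:25:00"),
    ("rebuilt",  "u3", "2024-10-07T14:00:00", "reported", "2024-10-07T14:15:00"),
    ("rebuilt",  "u4", "2024-10-07T14:00:00", "ignored",  None),
    ("rebuilt",  "u5", "2024-10-07T14:00:00", "reported", "2024-10-07T15:12:00"),
    ("followup", "u1", "2024-11-04T10:00:00", "reported", "2024-11-04T10:02:00"),
    ("followup", "u2", "2024-11-04T10:00:00", "reported", "2024-11-04T10:10:00"),
]

def _minutes(start: str, end: str) -> float:
    """Elapsed minutes between two ISO 8601 timestamps."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 60

def campaign_metrics(events, campaign: str) -> dict:
    """Click rate, resilience ratio (reports per click) and mean time to
    report for one campaign. Undefined values are returned as None."""
    rows = [e for e in events if e[0] == campaign]
    reports = sum(1 for e in rows if e[3] == "reported")
    clicks = sum(1 for e in rows if e[3] == "clicked")
    ignored = len(rows) - reports - clicks
    # Zero clicks makes the ratio undefined; do not divide by zero.
    ratio = reports / clicks if clicks else None
    report_times = [_minutes(e[2], e[4]) for e in rows if e[3] == "reported"]
    mttr = mean(report_times) if report_times else None
    return {"recipients": len(rows), "reports": reports, "clicks": clicks,
            "ignored": ignored, "click_rate": clicks / len(rows) if rows else None,
            "resilience_ratio": ratio, "mttr_minutes": mttr}

def all_campaign_metrics(events) -> dict:
    """Metrics for every campaign present in the event rows, keyed by name."""
    return {c: campaign_metrics(events, c) for c in sorted({e[0] for e in events})}
```

In the sample, "legacy" and "rebuilt" both show a 20% click rate on a board slide, yet one produced zero reports and the other three; the resilience ratio and time-to-report surface that difference.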

Culture levers: recognition, feedback loops, and repeat clickers

Positive recognition from leadership and tying cyber behavior into existing safety/performance frameworks makes security part of “how we work,” not a side quest. Feedback on reported messages (“what happened after I clicked report?”) closes the loop and reinforces agency. Repeat clickers need context and coaching, not stigma: understand their devices, workload, and reality before you “fix” them.

“You can’t help someone if you don’t understand how they actually work.”

Rethinking the “training doesn’t work” studies

David agrees with the core criticism: generic, compliance-focused, click-rate-obsessed programs are ineffective. Where he pushes back is extrapolating that to all training. Selection bias, confounding variables, and short time horizons skew the picture toward bad programs. The right conclusion is not “end training” but “end this kind of training.”

“The study is an indictment of bad programs - not proof that all programs are pointless.”

What “good” looks like in the wild

Effective programs show improvement in reporting volume, resilience ratio, and time-to-report, but the strongest signals are qualitative. People talk about phish with colleagues, share suspicious messages, pull security into ERP purchases and M&A deals, and see cyber as part of getting their job done. Those behavior and relationship shifts never fit neatly into a single percentage.

“The real win is when the business starts inviting security in - unprompted.”

Takeaways you can implement now

  • Replace annual CBT + quarterly sims with smaller, more frequent, role-based touches.
  • Define 3-5 role archetypes and launch adaptive difficulty paths instead of one-size-fits-all.
  • Shift gamification to reward reporting and engagement; remove public shaming mechanics.
  • Introduce “spicy mode” as opt-in only, with clear guardrails and a fast review loop.
  • Extend training and rules to Teams/Slack/WhatsApp/SMS, and formalize digital stop-work authority.
  • Rebuild your dashboard around resilience ratio, mean time to report, and real-phish reporting volume.
  • Add a clear feedback message to your report button so people see how their actions help.
  • Create a small cohort program for repeat clickers that starts with interviews about their context, then adjusts training accordingly.
  • Brief leadership on the UCSD/WSJ narrative and reframe it: kill bad training, not all training - then show the alternative model you’re building.