Security awareness training and the checkbox we all pretend works
Every year, around October, a familiar ritual plays out in organizations across Europe and North America. Someone in IT sends a calendar invite. The subject line reads something like “Annual cybersecurity awareness training, mandatory.” The body contains a link. The training takes between fifteen and twenty-five minutes, depending on how aggressively employees click through the slides. There is a quiz at the end. The questions are not difficult. Nobody fails. A flag turns green somewhere in a spreadsheet. The CISO has a slide ready for the board.
This is not security. This is theatre with a compliance certificate.

In brief
- Most mandatory awareness programs optimize for audit evidence, not behavior change.
- Real gains come from fast reporting culture, targeted simulations, and resilient controls.
- Completion rate is a compliance metric, not a security outcome metric.
- Boards should track reporting speed and repeat failure reduction, not training hours.
The industry built on low expectations
The global security awareness training market was valued at approximately $5.6 billion in 2023 and, according to market projections, is expected to exceed $10 billion by 2027. That is an extraordinary amount of money for an intervention whose primary measurable output is a column in a spreadsheet labeled “compliant.”
The honest version of what most of this budget buys is this: a video nobody watches with full attention, followed by a multiple-choice quiz whose wrong answers are so obviously wrong that even a distracted employee clicking through in a browser tab gets them right. The implicit contract between vendor, buyer, and regulator is clear: the point is not behavior change. The point is documented evidence that the training happened. This is not a bug in the system. It is the system.
What makes it stranger is that everyone involved knows it. Security professionals have been saying this publicly for at least a decade. Academic research on the effectiveness of compliance-driven awareness training is, charitably, mixed, and less charitably, damning. A 2019 systematic review published in Computers & Security found that while some forms of training can temporarily increase threat recognition, the effects decay rapidly and rarely translate into sustained behavioral change in real environments. The decay curve is steep. By month three, most of what was “learned” is gone.
The fire safety poster problem
There is a structural parallel worth examining here. In the 1970s, European manufacturing facilities were full of workplace safety posters. “Watch your hands.” “Wear your helmet.” “Do not operate machinery when tired.” These posters were genuinely believed, by managers and regulators alike, to constitute a meaningful safety intervention. They checked a box on the inspection form. They demonstrated that the company cared about safety.
The factories kept burning. Workers kept getting hurt. The posters persisted.
What eventually changed workplace safety was not better posters. It was process redesign, machine guarding, lockout/tagout procedures, near-miss reporting systems, and cultural accountability that ran from the factory floor to the boardroom. The safety improvement came when the intervention became structural rather than informational. Nobody decided to stop putting up fire safety posters because they did research and proved they were useless. They stopped mattering because better things replaced them.
The analogy to security awareness is almost exact. The assumption behind the annual video-and-quiz model is that security failures are primarily caused by ignorance: employees do not know that phishing exists, do not know they should not click suspicious links, do not know that weak passwords are bad. This was arguably a reasonable hypothesis in 2003. In 2026, it is not. The people who click on phishing links know perfectly well that phishing exists. They click because they are distracted, under pressure, context-switching between fifteen tasks, or because the phishing email is genuinely convincing and arrives at exactly the right moment in a workflow. A twenty-minute annual video does not change any of those conditions.
Compliance as a substitute for security
The deeper problem is not that awareness training is ineffective. It is that its ineffectiveness is, institutionally, tolerable. Nobody loses their job because employees still click on phishing links after completing the annual training. But a CISO who cannot produce documentation of completed training when a regulator comes calling has a very specific and immediate problem.
This is the dynamic that NIS2 and DORA encode, however unintentionally. Both frameworks mandate awareness and training programs. Neither specifies outcomes. Neither requires evidence that behavior changed. They require evidence that training was delivered. The accountability structure rewards documented activity, not demonstrable resilience.
The result is a market that is perfectly adapted to its incentive environment. Vendors sell products that generate completion reports. Buyers purchase those products to generate completion reports. Auditors accept completion reports as evidence of compliance. The system is internally consistent. It just does not make organizations more secure.
This is not an argument against regulation. It is an observation about what happens when regulation specifies inputs rather than outputs. In a different context I have written about how vulnerability management faces the same problem: the metric that gets reported is the number of vulnerabilities scanned, not the number of exploitable attack paths actually eliminated. The underlying logic is identical. We measure what is measurable and then pretend we measured what matters.
What the research actually suggests works
There is a body of research on this, though it is less commercially exploited than the compliance-training market because it is harder to package into an LMS module. The findings are reasonably consistent and align with the broader risk-based guidance from institutions such as ENISA and NIST.
Phishing simulations can work, with caveats. The studies that show positive results involve simulations that are frequent, contextually relevant, immediately followed by targeted micro-training at the moment of failure, and repeated over time. The studies that show negative results, including some showing increased susceptibility after punitive simulations, involve the kind of high-drama “gotcha” campaigns that many organizations run as a proxy for genuine behavior change. The difference is not the simulation itself. It is the organizational intent behind it.
Contextual, just-in-time nudges outperform scheduled training significantly in several controlled studies. A browser warning at the moment a user is about to submit credentials to a suspicious domain is worth more than an hour of annual training. A dialog that asks “are you sure you want to forward this email externally?” at the moment the action is being taken engages the user when and where their attention is relevant.
Psychological safety and reporting culture are perhaps the most structurally important factors, and the ones most systematically ignored by compliance-driven programs. Organizations where employees who report suspicious activity are thanked and where admitting a mistake does not trigger a disciplinary process have dramatically better security outcomes, independent of training quality. The enemy of security is not ignorance. It is the incentive to hide errors. As I have written examining the hidden slowdown in incident response, the cost of delayed reporting is almost always higher than the cost of the incident itself.
Technical controls that reduce the burden on human decision-making produce more durable results than training. Email filtering that catches 99% of phishing before it reaches an inbox is more effective than training employees to recognize the 100% that reaches them. MFA that does not require thought, password managers that eliminate the cognitive load of credential hygiene, browser isolation that physically removes the consequences of clicking a bad link: these are interventions that work regardless of employee attention or training completion status.
The budget question nobody asks at the board meeting
Here is the thought experiment worth running. Take the total annual budget your organization spends on security awareness training: vendor license, internal administration time, the hours of employee time consumed completing the training, the management overhead of tracking completion rates, the IT time spent configuring the LMS. For most medium-to-large organizations, this figure is not trivial. It is frequently in the range of tens to hundreds of thousands of euros, once all costs are included.
Now ask: what would happen to your actual security posture if you took that budget and spent it instead on expanding MFA coverage to the remaining systems that do not have it, on deploying a proper privileged access management solution (a topic I covered in some depth here), on instrumenting your email gateway more aggressively, on adding one more person to your incident response capability, or on running a genuine red team exercise against your most critical assets?
The honest answer is that almost any of those alternatives would produce a more measurable improvement in security posture than the awareness training. The equally honest answer is that none of them produce a clean green flag in the compliance spreadsheet.
This is not a comfortable conclusion to bring to a board. The board wants the green flag. The regulator wants the documentation. The CISO wants to keep their job. The awareness training vendor wants to sell next year’s renewal. Everyone’s incentives align perfectly, and the organization remains approximately as vulnerable as it was before.
There is a version of this story where things improve. It requires regulators who specify outcomes rather than activities, probably something like “demonstrate that your mean time to report a suspected phishing attempt has decreased by X% over the past year” rather than “demonstrate that employees completed Y hours of training.” It requires buyers who are willing to tell vendors that completion rates are not a metric they are willing to pay for. And it requires security professionals who are willing to say, in public and in front of leadership, that the checkbox is empty. This reassessment is already visible in industry commentary, including Dark Reading’s 2026 predictions.
If you want this shift to survive board scrutiny, tie it to a small set of operational metrics reviewed every quarter. Three are usually enough to start: median time from phishing receipt to first employee report, the ratio between employee reports and automated detections, and repeat click rate within 90 days after a failure-and-coaching event. None of these metrics is perfect in isolation. Together, they reveal whether your organization is getting faster, more transparent, and less fragile under realistic pressure.
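The three metrics above, computed from constructed simulation telemetry as an added example (not code from the original post or from any vendor product); the event schema, the campaign ids and the sample rows are assumptions, and the 90-day window is the one named in the text.

```python
from datetime import datetime, timedelta
from statistics import median
# Constructed sample telemetry (assumed schema, not from any real product), one row per
# event: (campaign, ISO timestamp, actor, event). sent = simulated phish delivered,
# reported = employee report, auto_detected = gateway/EDR flag, clicked, coached.
EVENTS = [
    ("c1", "2026-01-10T09:00", "-",     "sent"),
    ("c1", "2026-01-10T09:04", "alice", "reported"),
    ("c1", "2026-01-10T09:30", "bob",   "clicked"),
    ("c1", "2026-01-10T09:35", "bob",   "coached"),
    ("c1", "2026-01-10T11:00", "carol", "clicked"),
    ("c1", "2026-01-10T11:05", "carol", "coached"),
    ("c2", "2026-02-03T14:00", "-",     "sent"),
    ("c2", "2026-02-03T14:20", "carol", "reported"),
    ("c2", "2026-02-03T15:10", "bob",   "clicked"),       # 24 days after coaching: repeat
    ("c2", "2026-02-03T15:15", "bob",   "coached"),
    ("c3", "2026-03-20T08:00", "-",     "sent"),
    ("c3", "2026-03-20T08:05", "-",     "auto_detected"), # machine caught it, nobody reported
    ("c4", "2026-06-01T10:00", "-",     "sent"),
    ("c4", "2026-06-01T10:40", "carol", "clicked"),       # 142 days after coaching: no repeat
]

def _t(s):
    return datetime.fromisoformat(s)

def median_time_to_first_report(events=EVENTS):
    """(median minutes from delivery to first employee report, campaigns nobody reported);
    silent campaigns are counted separately so they cannot flatter the median."""
    sent = {c: _t(t) for c, t, _, e in events if e == "sent"}
    first = {}
    for c, t, _, e in events:
        if e == "reported":
            first[c] = min(_t(t), first.get(c, _t(t)))
    delays = [(first[c] - sent[c]).total_seconds() / 60 for c in first]
    return (median(delays) if delays else None), len(sent) - len(first)

def report_ratio(events=EVENTS):
    """Employee reports / automated detections; None (not 0) when nothing was auto-detected."""
    reports = sum(e == "reported" for *_, e in events)
    auto = sum(e == "auto_detected" for *_, e in events)
    return reports / auto if auto else None

def repeat_click_rate(events=EVENTS, window_days=90):
    """Share of coaching events followed by another click by the same person within
    window_days; clicks before the coaching or outside the window do not count."""
    clicks = [(a, _t(t)) for _, t, a, e in events if e == "clicked"]
    coached = [(a, _t(t)) for _, t, a, e in events if e == "coached"]
    if not coached:
        return None
    repeats = sum(any(u == a and ct < k <= ct + timedelta(days=window_days) for u, k in clicks)
                  for a, ct in coached)
    return repeats / len(coached)
```

On the sample rows this yields a 12-minute median with two campaigns nobody reported, a report ratio of 2.0, and a repeat click rate of one in three coaching events; the unreported count and the None-instead-of-zero ratio are deliberate, so that quiet failures stay visible on the quarterly slide.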
A practical transition model can be implemented in four steps. First, keep mandatory training only as a baseline compliance artifact, and stop presenting completion rates as a security KPI. Second, run low-drama, high-frequency simulations linked to immediate micro-coaching. Third, harden technical controls so safe behavior becomes the default path in daily workflows. Fourth, measure reporting speed and recovery quality, then adjust incentives so early reporting is rewarded instead of punished.
The fire safety poster is still on the wall. The fire is still happening. At some point, someone has to decide to redesign the machine.
FAQ
Is security awareness training useless?
Not entirely. It is useful as a baseline, especially for legal and regulatory coverage. The problem is treating completion as proof of reduced risk.
What should replace annual checkbox training?
Do not remove it overnight. Keep a lightweight baseline, then invest in high-frequency simulations, just-in-time nudges, and controls that reduce human error impact.
Which metrics are better than completion rate?
Start with three operational indicators: time to first employee report, repeat click rate after coaching, and ratio between employee reports and automated detections.
How can this be presented to the board?
Frame it as a shift from activity metrics to resilience metrics. Show trend lines quarter by quarter and tie each metric to business impact (faster containment, lower incident spread, lower recovery cost).