
When it comes to cybersecurity, phishing remains one of the most persistent and challenging threats. Despite advancements in technology, attackers continually find ways to exploit human vulnerabilities. To combat this, organizations often invest heavily in phishing awareness training for employees, including mandatory annual sessions and simulated phishing campaigns. But how effective are these measures in practice?
A study presented at the 2025 IEEE Symposium on Security and Privacy addresses this question directly. Conducted over eight months with more than 19,500 employees of a large healthcare organization, it delivers some sobering results: the common approaches to phishing training measured in the study fell well short of their intended goals, which raises hard questions about what these programs are worth and where organizations should put their effort instead.
Phishing: A Persistent Problem
Phishing is the most common way breaches begin. IBM's 2023 Cost of a Data Breach report found phishing to be the most frequent initial attack vector, responsible for 16% of the breaches studied. In healthcare, the stakes are even higher: in 2023 alone, over 725 large data breaches affected more than 133 million health records, many of them linked to ransomware incidents.
Organizations worldwide respond by mandating employee training. The idea is simple: educate users to become “human firewalls,” capable of identifying and avoiding phishing scams. However, this study questions whether these training programs, as currently implemented, are worth the time and resources.
Key Findings of the Study
The study conducted a randomized controlled trial involving ten simulated phishing campaigns. Employees were exposed to various forms of training, including annual awareness courses and embedded exercises triggered by phishing simulations. Here’s what the research uncovered:
1. Annual Training Provides Little Value
The study found no significant correlation between how recently an employee completed their annual training and their ability to avoid phishing scams. Employees who had just completed their training were no better at avoiding phishing emails than those who hadn’t trained for over a year.
This is a stark revelation, as annual training is a cornerstone of most corporate cybersecurity strategies. If this method doesn’t deliver measurable results, organizations may need to rethink their reliance on such programs.
2. Embedded Training Has Minimal Impact
Embedded phishing training—where users who fall for simulated phishing emails are immediately redirected to educational content—offered only a slight reduction in failure rates. The study revealed an average improvement of just 1.7% compared to untrained employees.
Moreover, certain training formats appeared to do more harm than good. Static training sessions, where users were presented with generic educational content, showed no measurable benefits and, in some cases, even increased the likelihood of future failures.
3. Users Spend Minimal Time on Training Materials
One of the most striking findings was how little time employees spent with the training at all. More than half of those shown an embedded training page closed it within 10 seconds, and fewer than 24% completed the training they were shown.
This lack of engagement raises doubts about the effectiveness of training as a standalone solution. If users don’t engage with the material, can we expect meaningful behavior changes?
4. Interactive Training Shows Promise but Faces Challenges
The study found that interactive training sessions, where users engaged with dynamic, contextual content, led to better outcomes. Users who completed these sessions were 19% less likely to fail future phishing simulations.
However, this benefit came with limitations. Only a small percentage of employees completed interactive training, highlighting a broader issue of engagement. Without widespread participation, even the most effective training methods struggle to achieve meaningful impact.
5. The Importance of Phishing Lure Design
The study also showed that the lure itself moves failure rates far more than any training does. Some lures produced failure rates above 30%, a swing that dwarfs the one- to two-point improvements attributable to embedded training.
This variability means that measuring a training program by a single overall click rate is misleading: a change in the lures sent can look like a change in user behavior. It also underscores that the problem lies as much in the sophistication of phishing tactics as in user awareness.
Implications for Organizations
Rethinking Training Programs
Organizations need to evaluate the return on investment (ROI) of traditional phishing training. The data suggests that such programs, as currently deployed, offer limited value. Instead, companies should explore alternative approaches that emphasize engagement and real-world applicability.
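Evaluating a program's return properly means comparing trained and untrained users on the same lures, not quoting one overall click rate, because (as the lure-design finding above shows) the campaign itself dominates the numbers. The following Python is an added example, not code or data from the study or the article: it takes per-campaign, per-arm counts from a simulated phishing program, reports failure rates with Wilson confidence intervals, and tests each training arm against the untrained control both campaign by campaign and pooled. The counts are constructed to resemble the magnitudes the article quotes; the campaign names and arm labels are assumptions.

```python
"""Evaluate a simulated-phishing program the way a randomized trial would:
compare failure (click) rates between training arms, campaign by campaign,
with confidence intervals instead of a single headline number.

Added example. Counts are constructed, not the study's data."""
from collections import namedtuple
from math import erf, sqrt

Z95 = 1.959964  # two-sided 95% normal quantile

# One row per (campaign, arm): users who received the lure, users who failed.
# Arms: "none" = control (no training), "static", "interactive".
Cell = namedtuple("Cell", "campaign arm users failed")

CONSTRUCTED = [  # constructed counts; campaign names are assumptions
    Cell("c01-payroll", "none", 400, 32),
    Cell("c01-payroll", "static", 400, 31),
    Cell("c01-payroll", "interactive", 400, 26),
    Cell("c02-dresscode", "none", 400, 124),
    Cell("c02-dresscode", "static", 400, 122),
    Cell("c02-dresscode", "interactive", 400, 100),
    Cell("c03-mfa-reset", "none", 400, 12),
    Cell("c03-mfa-reset", "static", 400, 13),
    Cell("c03-mfa-reset", "interactive", 400, 10),
]


def counts(cells, campaign=None, arm=None):
    """Sum (failed, users) over cells matching the optional filters."""
    failed = users = 0
    for c in cells:
        if (campaign is None or c.campaign == campaign) and (arm is None or c.arm == arm):
            failed += c.failed
            users += c.users
    return failed, users


def wilson_interval(failed, users, z=Z95):
    """Wilson score interval for a proportion; behaves sensibly for small counts."""
    if users == 0:
        raise ValueError("no observations")
    p = failed / users
    denom = 1 + z * z / users
    centre = (p + z * z / (2 * users)) / denom
    half = z * sqrt(p * (1 - p) / users + z * z / (4 * users * users)) / denom
    return centre - half, centre + half


def two_proportion_test(f1, n1, f0, n0):
    """Risk difference p1 - p0 with a pooled-SE z statistic and two-sided p-value."""
    p1, p0 = f1 / n1, f0 / n0
    pooled = (f1 + f0) / (n1 + n0)
    se = sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n0))
    if se == 0:
        return p1 - p0, 0.0, 1.0
    z = (p1 - p0) / se
    p_value = 2 * (1 - 0.5 * (1 + erf(abs(z) / sqrt(2))))
    return p1 - p0, z, p_value


def training_effect(cells, arm, control="none"):
    """Compare `arm` against `control` per campaign and pooled.

    Per-campaign comparison matters because lure design moves failure rates
    far more than training does; pooling arms of unequal size across campaigns
    can mask or manufacture an effect."""
    out = {}
    for camp in sorted({c.campaign for c in cells}) + [None]:
        f1, n1 = counts(cells, camp, arm)
        f0, n0 = counts(cells, camp, control)
        rd, z, p = two_proportion_test(f1, n1, f0, n0)
        p0 = f0 / n0
        out[camp or "pooled"] = {
            "rd": rd,  # negative means the arm failed less than control
            "z": z,
            "p": p,
            "relative_reduction": (p0 - f1 / n1) / p0 if p0 else 0.0,
        }
    return out


def lure_spread(cells, arm="none"):
    """Lowest and highest per-campaign failure rate within one arm: how much
    the lure alone moves the rate, independent of any training."""
    campaigns = {c.campaign for c in cells if c.arm == arm}
    rates = [f / n for f, n in (counts(cells, camp, arm) for camp in campaigns)]
    return min(rates), max(rates)


if __name__ == "__main__":
    lo, hi = lure_spread(CONSTRUCTED)
    print(f"untrained failure rate by lure: {lo:.1%} to {hi:.1%}")
    for arm in ("static", "interactive"):
        print(f"\n{arm} vs none")
        for camp, r in training_effect(CONSTRUCTED, arm).items():
            print(f"  {camp:14s} rd={r['rd']:+.3f}  rel={r['relative_reduction']:+.1%}  p={r['p']:.3f}")
    for camp in sorted({c.campaign for c in CONSTRUCTED}):
        f, n = counts(CONSTRUCTED, camp, "none")
        lo, hi = wilson_interval(f, n)
        print(f"{camp}: control {f / n:.1%} (95% CI {lo:.1%}-{hi:.1%})")
```

With these constructed counts the interactive arm shows a pooled relative reduction of about 19% (risk difference of roughly 2.7 points, p just under 0.05), the static arm shows essentially nothing, and the spread between the easiest and hardest lure in the control arm (3% to 31%) is an order of magnitude larger than either training effect. Reading your own program's data this way, rather than as one quarterly click rate, is what lets you tell a training effect from a lure effect.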
Leveraging Technology for Better Defense
Given the limited effect of human-focused training, organizations should put more weight on technical defenses that do not depend on a user noticing the lure. Strong inbound email filtering, phishing-resistant multi-factor authentication (FIDO2/WebAuthn security keys or passkeys rather than one-time codes or push prompts, which an adversary-in-the-middle phishing proxy can relay in real time), and automated, AI-driven threat detection remove much of the damage a single click can do.
Fostering a Security-First Culture
While training alone may not suffice, cultivating a broader culture of cybersecurity awareness remains essential. Regular communication, leadership buy-in, and practical simulations tailored to organizational risks can help reinforce vigilance without over-relying on formal training sessions.
Conclusion: The Path Forward
This study paints a sobering picture of the current state of phishing training. As phishing tactics evolve, relying solely on awareness programs may no longer be enough. Organizations must adopt a multifaceted approach that combines technological solutions, smarter training strategies, and a commitment to ongoing security education.
For a detailed look at the research, see the full study: G. Ho et al., “Understanding the Efficacy of Phishing Training in Practice,” in 2025 IEEE Symposium on Security and Privacy, doi:10.1109/SP61157.2025.00076.
