Security awareness training: what works and what's a waste of time
An annual 60-minute security video is a waste of time. Quarterly 10-minute targeted sessions actually work. Here's the programme that gets results.
People forget 80% of what they heard in an annual training session within 2 weeks. That's why almost any other approach beats "watch a video and call it done".
What does work
- Short and frequent: 10–15 minutes per quarter, not 60 minutes per year.
- Contextual: recent phishing examples spotted internally, not generic samples from 2019.
- Interactive: phishing simulations that employees actually encounter themselves, for example with tools like KnowBe4 and Cofense.
- Immediate feedback: anyone who clicks gets instant (friendly) feedback — not a group blame email.
- Role-based: finance gets invoice-fraud training, HR gets social-engineering-for-new-hires training.
What doesn't work
- An annual mandatory 60-minute video to "watch before Q4".
- Tests focused primarily on compliance ("proving we did training") rather than actual learning.
- A blame culture after phishing simulations.
- Generic content with no connection to your own company's context.
Onboarding
Every new employee gets a 30-minute intro session covering security basics, plus a short refresher after 30 days. Spreading it out like this retains better than one large dose on day one.
Measurable results
- Phishing click rate: measure a baseline, then aim to halve it within 6 months.
- Reporting rate: how many phishing simulations do people report? Target: more than 70% reported within 2 hours.
- Incident response time: in a real incident, how quickly do people report it? This is a better metric than simulations alone.
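As an added example (not part of the original article, and not tied to any particular simulation tool), here is how the first two metrics can be computed over a campaign export. The record format, the send time, the ten recipients and the 30% baseline click rate from an earlier campaign are all constructed for the example; the targets (halve the click rate, more than 70% reported within 2 hours) are the ones stated above. Note that a user who clicks and then reports still counts as a report: that is exactly the behaviour the "friendly feedback" approach is meant to encourage.

```python
"""Phishing-simulation metrics (click rate, report rate, time-to-report) over a constructed campaign log."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional

@dataclass(frozen=True)
class SimResult:
    """One recipient of one simulated phishing email (constructed record format)."""
    user: str
    sent_at: datetime
    clicked: bool
    reported_at: Optional[datetime]  # None if the user never reported the email

T0 = datetime(2024, 3, 4, 9, 0)  # constructed send time for the whole campaign

# Constructed sample campaign: 10 recipients.
CAMPAIGN = [
    SimResult("alice", T0, False, T0 + timedelta(minutes=12)),
    SimResult("bob",   T0, True,  T0 + timedelta(minutes=25)),   # clicked, then reported: still a report
    SimResult("carol", T0, False, T0 + timedelta(minutes=40)),
    SimResult("dave",  T0, False, T0 + timedelta(hours=1, minutes=10)),
    SimResult("erin",  T0, False, T0 + timedelta(hours=3)),      # reported, but outside the 2-hour window
    SimResult("frank", T0, False, None),                         # never reported
    SimResult("grace", T0, False, T0 + timedelta(minutes=5)),
    SimResult("heidi", T0, False, T0 + timedelta(minutes=50)),
    SimResult("ivan",  T0, False, T0 + timedelta(hours=1, minutes=59)),
    SimResult("judy",  T0, False, T0 + timedelta(minutes=30)),
]

BASELINE_CLICK_RATE = 0.30  # constructed: measured in an earlier, pre-training campaign

def click_rate(results):
    """Fraction of recipients who clicked the simulated link."""
    if not results:
        return 0.0
    return sum(r.clicked for r in results) / len(results)

def report_rate(results, window=timedelta(hours=2)):
    """Fraction of recipients who reported the email within `window` of it being sent.
    The denominator is all recipients, so people who never report count against the rate."""
    if not results:
        return 0.0
    reported = sum(
        1 for r in results
        if r.reported_at is not None and r.reported_at - r.sent_at <= window
    )
    return reported / len(results)

def median_minutes_to_report(results):
    """Median time-to-report in minutes over the recipients who reported at all (None if nobody did)."""
    delays = [(r.reported_at - r.sent_at).total_seconds() / 60 for r in results if r.reported_at is not None]
    return median(delays) if delays else None

def evaluate(results, baseline_click_rate, window=timedelta(hours=2), report_target=0.70):
    """Compare one campaign against the programme targets: halve the baseline click rate,
    and get more than `report_target` of recipients reporting within `window`."""
    cr = click_rate(results)
    rr = report_rate(results, window)
    return {
        "click_rate": cr,
        "report_rate": rr,
        "median_minutes_to_report": median_minutes_to_report(results),
        "click_target_met": cr <= baseline_click_rate / 2,
        "report_target_met": rr > report_target,
    }

if __name__ == "__main__":
    for key, value in evaluate(CAMPAIGN, BASELINE_CLICK_RATE).items():
        print(f"{key}: {value}")
```

Track `evaluate()` per campaign and per department rather than only company-wide: the role-based training above only shows up in the numbers if finance and HR are measured separately, and a single campaign with a few clicks is noise, so look at the trend across quarters before declaring the target met.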
See also: recognising phishing, security pillar.
Full guide: Seguridad para pymes sin departamento de TI: ¿qué haces este trimestre?
This article is part of our comprehensive "Security without an IT department" guide. Read the pillar for the complete picture.