Why Security Awareness Training Doesn't Reduce Breaches - And What Does
The cybersecurity industry has a dirty secret: we have been solving the wrong problem for over a decade.
Every year, organizations worldwide spend an estimated $5.6 billion on security awareness training. Employees sit through hours of e-learning modules, watch videos about password hygiene, and pass quizzes about phishing. Completion rates are tracked. Compliance boxes get checked. Leadership feels good about “investing in the human layer.”
And yet, according to the 2024 Verizon Data Breach Investigations Report, 68% of breaches still involve a non-malicious human element - whether it is clicking a phishing link, misconfiguring a system, or sending data to the wrong recipient. That number has barely moved in a decade.
Something is fundamentally broken. And it is not your employees.
The Knowledge-Behavior Gap
Here is a question that should trouble every CISO: if your employees can pass a security quiz, why do they still click phishing links?
The answer lies in what behavioral scientists call the knowledge-behavior gap. Knowing something and doing something are two entirely different cognitive processes.
You know you should floss every day. You know you should not check your phone while driving. You know you should use unique passwords for every account. How many of those do you actually do, consistently, every single day?
Security awareness training operates on a flawed assumption: that if people know the right thing to do, they will do it. Decades of behavioral science research tell us this is simply not true.
Knowledge is necessary but nowhere near sufficient. Behavior is driven by context, habits, cognitive load, time pressure, and a dozen other factors that a 45-minute annual training module cannot address.
When an employee shares a Google Drive folder publicly instead of restricting it to specific people, it is rarely because they do not know about access controls. It is because they are rushing to meet a deadline, the sharing UI defaults to a less secure option, and the secure path requires three extra clicks. Knowledge did not fail. The environment did.
The Ebbinghaus Problem
Even if knowledge were enough, there is another fundamental issue: people forget almost everything they learn.
In 1885, German psychologist Hermann Ebbinghaus documented what is now known as the forgetting curve. His research showed that without reinforcement, people forget approximately 70% of new information within 24 hours and up to 90% within a week.
Think about that in the context of annual security training. An employee completes a one-hour module in January. By February, they have retained maybe 10-20% of the content. By June, the training might as well have never happened.
Some organizations have responded by increasing training frequency - quarterly instead of annual, or monthly micro-learning modules. This helps with retention, but it still does not solve the core problem.
You can remind someone about phishing every month, but if their daily environment makes risky behavior the path of least resistance, reminders alone will not change what they do.
Completion Rates Are Vanity Metrics
Walk into any board meeting where cybersecurity training is discussed, and you will hear the same metric: “We achieved 97% completion rate on our annual security awareness training.”
This number means almost nothing.
Completion rate tells you that employees sat through the training. It does not tell you whether they understood it, whether they remember it, or - most critically - whether it changed their behavior.
It is the equivalent of measuring a diet’s success by counting how many nutrition books someone bought.
The metrics that actually matter are behavioral ones:
- How many employees are sharing files with overly permissive access settings?
- How many are using personal email for work documents?
- How many have their calendars set to public?
- How many are granting OAuth permissions to unvetted third-party applications?
These are observable, measurable behaviors that directly correlate with organizational risk. But most organizations never measure them because they are focused on the wrong thing: training completion instead of behavior change.
Why the Training Industry Persists
If training does not work, why does the industry keep growing? Three reasons:
1. Regulatory requirements. Frameworks like ISO 27001, SOC 2, GDPR, and France’s own ANSSI guidelines require organizations to demonstrate security awareness activities. Training is the simplest, most auditable way to check that box. It does not matter that it is ineffective - it is documentable.
2. The attribution problem. It is nearly impossible to prove that a breach happened because training failed, or that a breach was prevented because training worked. This ambiguity lets training vendors claim credit for good outcomes and deflect blame for bad ones.
3. Organizational inertia. Security awareness training is a known quantity. Procurement knows how to buy it. HR knows how to deploy it. Management knows how to report on it. Switching to a fundamentally different approach requires rethinking processes, metrics, and vendor relationships. That is hard.
None of these reasons have anything to do with actually reducing risk.
What Behavioral Science Tells Us Actually Works
If traditional training is broken, what is the alternative? The answer comes from decades of behavioral science research, and it looks nothing like an LMS module.
1. Observe Real Behavior, Not Self-Reported Knowledge
You cannot change what you cannot see. The first step is to stop relying on quiz scores and start observing what employees actually do.
This means auditing real SaaS configurations, file-sharing permissions, authentication practices, and application usage patterns.
When you observe that 34% of your employees have their Google Calendar set to public - exposing meeting titles, attendee lists, and conference links to anyone with the URL - you have identified a specific, measurable, actionable risk. No quiz will tell you this. Only observation will.
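The four behavioral metrics listed earlier, computed from observed configuration rather than quiz scores. This is an added example, not the article's or EnGarde's code; the inventory rows are constructed and their field names are an assumption about what a SaaS audit export would contain.

```python
"""Behavioral risk metrics from observed SaaS configuration (added example).

The inventory rows below are constructed, and their field names are an
assumption about the shape of a Workspace/M365 audit export.
"""
from collections import Counter

# Constructed inventory: one row per employee, as an audit tool might export it.
INVENTORY = [
    {"user": "alice@corp.example", "files_anyone_with_link": 3,
     "calendar_acl": "public", "oauth_apps": ["slack", "pdf-magic"],
     "personal_email_forwarding": False},
    {"user": "bob@corp.example", "files_anyone_with_link": 0,
     "calendar_acl": "domain", "oauth_apps": ["slack"],
     "personal_email_forwarding": True},
    {"user": "carol@corp.example", "files_anyone_with_link": 1,
     "calendar_acl": "public", "oauth_apps": [],
     "personal_email_forwarding": False},
    {"user": "dave@corp.example", "files_anyone_with_link": 0,
     "calendar_acl": "private", "oauth_apps": ["zoom"],
     "personal_email_forwarding": False},
]

# Applications the security team has reviewed; anything else counts as unvetted.
VETTED_OAUTH_APPS = {"slack", "zoom"}

METRICS = ("permissive_file_sharing", "public_calendar",
           "personal_email_for_work", "unvetted_oauth_grants")


def findings_for(row, vetted=VETTED_OAUTH_APPS):
    """Behaviors observed for one employee; each one is a candidate for a nudge."""
    found = set()
    if row["files_anyone_with_link"] > 0:
        found.add("permissive_file_sharing")
    if row["calendar_acl"] == "public":
        found.add("public_calendar")
    if row["personal_email_forwarding"]:
        found.add("personal_email_for_work")
    if any(app not in vetted for app in row["oauth_apps"]):
        found.add("unvetted_oauth_grants")
    return found


def behavioral_metrics(inventory):
    """Count and share of employees exhibiting each behavior: the numbers a
    board should see instead of a training completion rate."""
    counts = Counter()
    for row in inventory:
        counts.update(findings_for(row))
    n = len(inventory)
    return {m: {"count": counts[m], "share": round(counts[m] / n, 2)} for m in METRICS}
```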
2. Close the Feedback Loop
Behavioral science is clear on this point: behavior changes fastest when feedback is immediate and specific.
This is why a speed camera is more effective than a driving course. The feedback comes at the exact moment the behavior occurs, in the exact context where it matters.
Applied to cybersecurity, this means that when an employee shares a sensitive document with public access, they should receive immediate feedback - not a generic training module three months later, but a specific nudge at the moment the risky behavior happens, explaining what they did, why it is risky, and how to fix it.
3. Use Spaced Repetition to Fight the Forgetting Curve
The antidote to the Ebbinghaus forgetting curve is spaced repetition - delivering information in small doses, at increasing intervals, timed to the moment when memory begins to fade.
This is the same principle behind language-learning apps like Anki or Duolingo.
Instead of a 60-minute annual training, imagine short, targeted quizzes delivered through Slack or Teams, spaced over weeks and months, each one reinforcing a specific behavior relevant to the employee’s actual role and observed actions.
The quiz about calendar sharing permissions goes to the employee whose calendar is actually public. The quiz about OAuth permissions goes to the team that just connected a new third-party tool.
This is not generic training. It is personalized behavioral reinforcement.
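A scheduler that combines the immediate feedback of section 2 with the spaced repetition of section 3: an item exists only for a behavior actually observed for that employee, a new risky action triggers a same-day nudge and restarts the ladder, and each correct quiz answer lengthens the gap. Added example, not the article's or any vendor's product; the interval ladder (1, 3, 7, 14, 30 days) and the reset-on-wrong-answer rule are assumed simplifications of spaced repetition.

```python
"""Spaced reinforcement keyed to observed behavior (added example).

The interval ladder and reset rule are an assumed simplification of
spaced repetition, chosen for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Days until the next quiz after the n-th consecutive correct answer (assumed).
INTERVALS = (1, 3, 7, 14, 30)


@dataclass
class ReinforcementItem:
    user: str
    behavior: str          # e.g. "public_calendar", as produced by observation
    step: int = 0          # consecutive correct answers, capped at the ladder length
    due: date = field(default_factory=date.today)

    def on_observed_risk(self, today):
        """A fresh risky action: nudge today and restart the ladder."""
        self.step = 0
        self.due = today

    def on_quiz(self, correct, today):
        """Correct answer climbs the ladder; a wrong one falls back to one day."""
        if correct:
            self.step = min(self.step + 1, len(INTERVALS))
            gap = INTERVALS[self.step - 1]
        else:
            self.step = 0
            gap = INTERVALS[0]
        self.due = today + timedelta(days=gap)


def build_schedule(user_findings):
    """One item per (user, observed behavior): nobody is quizzed about a
    behavior they were not seen doing."""
    return [ReinforcementItem(u, b) for u, bs in user_findings.items() for b in sorted(bs)]


def simulate(item, events, start=date(2024, 1, 1)):
    """Replay events ("risk" = observed risky action, True/False = quiz answer)
    and return the days until the next contact after each one."""
    gaps, today = [], start
    for ev in events:
        if ev == "risk":
            item.on_observed_risk(today)
        else:
            item.on_quiz(ev, today)
        gaps.append((item.due - today).days)
        today = max(today, item.due)
    return gaps
```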
4. Align with the Organization’s Own Policies
Every organization has a security policy (in France, the PSSI - Politique de Sécurité des Systèmes d’Information). These policies define what employees should and should not do. But most employees have never read their company’s PSSI, and even those who have cannot recall its specifics.
The most effective approach ties behavioral feedback directly to the organization’s own policy. Instead of generic best practices, employees learn their company’s specific rules, reinforced through nudges and quizzes that reference the actual policy document their organization has committed to following.
5. Make the Secure Path the Easy Path
The deepest insight from behavioral science is that people default to the easiest option. If the risky behavior is easier than the secure behavior, no amount of training will reliably change outcomes.
This means working with IT to change defaults, simplify secure workflows, and remove friction from the right choices. Observation data is critical here: it shows you exactly where the friction points are, so you can address the environment, not just the individual.
From Training to Behavioral Change
The shift I am describing is not incremental. It is a fundamentally different model:
| Traditional Training | Behavioral Approach |
|---|---|
| Annual or quarterly | Continuous |
| Generic content | Personalized to observed behavior |
| Measures completion | Measures behavior change |
| Delivered in an LMS | Delivered where work happens (Slack, Teams) |
| Based on curriculum | Based on real risk data |
| Tests knowledge | Changes habits |
| Disconnected from policy | Tied to the organization’s PSSI |
This is not about doing training better. It is about replacing training with something that actually works: continuous observation, immediate feedback, and spaced reinforcement grounded in behavioral science.
The Uncomfortable Truth
The cybersecurity industry has spent a decade and billions of dollars on an approach that does not meaningfully reduce human risk. We know this from the data. Breach rates involving human error have not improved despite massive increases in training spend.
The organizations that will lead in the next decade are the ones willing to abandon the comfort of completion rates and embrace the harder, more honest work of changing behavior.
That means observing what employees actually do, not what they say they know. It means delivering feedback in the moment, not in a classroom. And it means measuring what matters: not whether people passed a quiz, but whether they stopped sharing files publicly, stopped granting excessive OAuth permissions, and started following their organization’s security policy in practice.
Training teaches people what to do. Behavioral science makes them actually do it.
The question for every CISO is simple: do you want a compliance checkbox, or do you want fewer breaches?
Sources
- Verizon 2024 DBIR - https://www.verizon.com/business/resources/reports/dbir/
- Gartner Design Report - https://zinad.net/assets/pdf/Design_Gartner_report.pdf
- JISEM - Decision Fatigue and Cybersecurity - https://jisem-journal.com/index.php/journal/article/download/12613/5861/21211
- UChicago - Gaps in cybersecurity training - https://cs.uchicago.edu/news/new-study-reveals-gaps-in-common-types-of-cybersecurity-training/
At EnGarde, we help organizations move from training to behavior change. We observe real SaaS behaviors, ingest your security policy, and deliver tailored nudges and quizzes through Slack and Teams - grounded in behavioral science and the forgetting curve. No LMS. No annual modules. Just measurable behavior change.