ATD, association for talent development

TD Magazine Article

Cybersecurity Training Proves Ineffective

What can guard employees from falling for phishing scams?

Thu Jan 01 2026


A University of California San Diego Health study, Understanding the Efficacy of Phishing Training in Practice, challenges the assumption that cybersecurity training alone can keep employees from falling victim to phishing.

Over the course of an eight-month randomized controlled trial, researchers tracked 19,500 employees through 10 simulated phishing campaigns and found that there was no significant relationship between whether users had recently completed mandated cybersecurity training and the likelihood of falling for phishing emails. While only 10 percent of the workers clicked on a phishing link during the first month of the study, by the eighth month, 56 percent of all participants clicked on at least one malicious message.

Phishing attacks exploit distraction, emotional triggers, and habit. According to the report, phishing is the largest source of successful cybersecurity breaches. In all, researchers found that phishing modules within cybersecurity training only reduced the likelihood of clicking on a phishing link by 2 percent compared to the training program without a phishing component.

One of the problems is that participants aren't giving the training much time and attention. The research shows that more than half of all training sessions ended within 10 seconds.

The UC San Diego researchers also found that click rates varied significantly depending on the theme of the phishing lure, reinforcing that the persuasiveness of the message often outweighs training benefits. The researchers note that participants didn't meaningfully engage with the training program, and when they did, it didn't make much of a difference.

The study serves as a reminder that behavior change requires more than information transfer. According to the 2025 ResearchGate study, "Assessing the Efficacy of Security Awareness Training in Mitigating Phishing Attacks," effective programs need to deliver timely cues, spaced reinforcement, and realistic practice under conditions that mirror actual decision making. Further, Cornell University's "Content, Nudges and Incentives" study notes that more generic training tends to falter, while adaptive approaches that use microlearning, nudges, gamified reinforcement, and scenario-based exercises produce stronger results.

Nonetheless, UC San Diego's researchers conclude that technical solutions would prove more effective at combating phishing: two-factor authentication for software and hardware, in addition to password managers that function only on correct domains.


January/February 2026 - TD Magazine
