Why Your Security Awareness Training Doesn't Stick

The Big Idea

  • Security awareness and training exercises are widely seen as ineffective. Security teams, leadership, compliance officers, and trainees all have valid and significant complaints. 
  • Multiple studies confirm that security training doesn't improve security outcomes. People continue to make mistakes despite extensive training.
  • Security training exercises share the same flaws regardless of delivery method. They're boring, forgettable, and do little to change behavior for the better. 
  • Cognitive security accomplishes what security training fails at. It prevents risky behaviors and stops security incidents by intervening when users are most in need of assistance.

Consider two statistics side by side. 

  • Spending on security awareness and training will grow from around $1 billion annually in 2014 to over $10 billion by 2027.
  • Cyber crime costs will surge from $8.4 trillion in 2022 to over $23 trillion by 2027.

Based on these numbers, it's hard not to conclude that rising spending on security training isn't translating into fewer attacks, smaller losses, or less chaos. More training has not helped people stay safer.

While these numbers are stark, they will not be a surprise to anyone who's been personally involved with security training: 

  • Security and risk leaders spend massive sums on training tools only to see users repeat the same errors ad nauseam. 
  • Executives and compliance teams view training as a check-box measure, with an ROI that's either elusive or non-existent. 
  • Trainees at all levels of the organization widely see security training as an annoying distraction to be ignored or avoided. 

It's time to admit that traditional security training isn't working, and that no amount of additional spending will fix the fundamental flaws. We'll explain why by highlighting those flaws, demonstrating why security training doesn't stick, and then outlining an alternative that's an improvement in every way. 

The Truth About Security Training

A growing body of research shows that security training, no matter the topic, format, or cadence, has minimal impact on reducing human risk and preventing security incidents.

The success of security training is often measured in completion rates, compliance requirements, and satisfaction surveys. When measured in terms of real impacts on security outcomes, however, security training consistently proves to have an underwhelming influence. It doesn't make people better prepared to see and stop incoming cyber threats, which is why companies still suffer through phishing attacks and data breaches no matter how much time, money, and energy they invest in training. 

It's true that security training doesn't work as well as anyone wants. It's also true, however, that training remains an important part of any comprehensive security strategy.

People need a baseline understanding of threats, risks, and secure practices, and security training makes sure that's consistent across departments, roles, and ranks. Training is also a good way to assess the overall security awareness of employees and identify people who might be especially problematic. 

In that way, security training is a great tool for evaluation, and it can serve as a foundation for other security efforts. But it's much less reliable for prevention and protection. Let's dig into why security training falls short when it matters most. 

The False Hope of Security Training

We assume that teaching people how to identify red flags and avoid risky behaviors will make them safer outside of training situations. But all the data says otherwise. People are still opening phishing emails, clicking malicious links, downloading suspicious attachments, and handing over sensitive information despite repeated reminders not to. Here's why:

  • Second-Class Status: Many employees view productivity, not security, as their first priority. That makes security training and safe practices seem like a distraction at best and an obstacle at worst, causing people to disengage from training materials and undermine security controls. 
  • Knowledge Decay: It takes as little as one month for the lessons taught in security training to start fading. There's also a large difference between how much people can remember, how long they retain information, and how quickly they can recall important details. 
  • Training Fatigue: Too much training (too frequently, too long, too much information) causes fatigue to set in, at which point people tune out or find any excuse to avoid it. With every additional training, the problem gets worse, and security does not get better. 
  • False Progress: High scores on security training can lead to a false sense of protection that causes the security team to underestimate human risks and leads executives to dedicate less focus and budget towards cybersecurity. 
  • Missing Context: Making the right choice in a simulated environment is much easier than doing it during a busy workday. People who excel at security training won't necessarily be prepared to handle attacks in a different context, with less support and more pressure. 
  • Cognitive Overload: Real attackers are merciless about manipulating emotions, overcoming objections, and pressuring people to act. Training environments are rarely as ruthless or relentless, leaving people unprepared for the cognitive overload they experience when the stakes are real, not simulated. 

When all these factors combine, the result is that people confronting attacks in the wild see negligible benefit from their security training. It's often irrelevant, incomplete, impossible to recall, or all three, leaving your workforce wildly unprepared even after years of regularly scheduled security training. 

Curbing Human Risk With Cognitive Security and Right Time Prevention

Security training doesn't stick because it happens well before a risky action. When that security moment arrives, people often forget the information, or don't know how to apply whatever they do remember. This is now especially true with AI making social engineering simpler, more scalable, and more sophisticated than ever before, and with security policies containing a plethora of rules, conditions, and legal language that's impossible to recall.

Cognitive security takes a drastically different approach to preventing human risk and preparing people for today's aggressive threat landscape. Instead of expecting that memory and motivation will be enough to get people to make smart choices in complicated, high-stress situations, a cognitive security solution supplies protection and education at the moment of need.

It helps people to see subtle red flags, learn where and why risks exist, and understand exactly how to proceed in a secure, compliant, policy-approved manner. And a cognitive security solution like Maro shows people what to do at the exact moment when having (or not having) that information makes the biggest difference for security outcomes. 

Timing makes cognitive security significantly more effective as both a guidance tool and a preventive protection. Consider what it can do that conventional security training cannot:

  • Antidote to Emotion: Attackers prey on fear, confusion, excitement: whatever it takes to make someone act without thinking clearly. Cognitive security steps into those situations to help people proceed based on critical thinking and rational thought rather than emotion and intuition.  
  • Education Without Distraction: Cognitive security doesn't distract people from the productive work they want/need to be doing. More importantly, it aligns with the situational context, matching the security guidance to the environment, threat, compliance requirements, and policy prescriptions. 
  • Catalyze Behavior Change: Influencing behavior takes feedback, repetition, and contextual clues, not occasional training. Cognitive security supplies all three in order to change how people identify risks, avoid hazards, and practice cybersecurity. 
  • Security Culture Creator: Cognitive security makes it clear that cybersecurity is an all day, every day experience where every click has consequences. People become more engaged, leading to a collaborative security culture instead of an exercise in checking compliance boxes. 
  • Measure What Matters: Metrics like participation rates, test scores, and training hours reveal nothing about human risk reduction. Cognitive security tracks risky behaviors in real-time, providing a comprehensive view into problem areas for targeted guidance. 

Human risk has been highly resistant to previous solutions in no small part because they worked against human agency and clashed with our natural thought processes. Cognitive security works so well precisely because it anticipates what your workforce needs and builds security measures and solutions to match.

Getting Started With Cognitive Security

Cognitive security may represent a radical alternative to security training and a major shift in how companies handle human risk, but getting started is simple. That's because cognitive security works seamlessly beside your workforce, complementing their existing workflows and individual styles. This becomes abundantly clear after seeing how cognitive security works in action, so we encourage you to explore the resources below. 

What is Cognitive Security?

Why a new premise for human risk management is the only way forward.

Profiles of panelists Gabe Zichermann, Dennis Dayman, Justin Pagano, and Gwen Betts

Webinar Recap: Cognitive Security 101

Gabe and panelists break down the principles of cognitive security.

Do Phishing Simulations Help or Hurt?

Research suggests they do little for phishing prevention.