Back to News
August 24, 2025

Why cyber safety training fails. And how we fix it.

The uncomfortable truth

  1. We're mandating cybersecurity training that makes people 18.5% more likely to fall for phishing attacks.
  2. An entire compliance industry profits from solutions that actively harm security.
  3. The academic evidence is overwhelming. The authorities know better. Yet we keep doubling down on failure.
  4. Employees are no safer, and organisations face cultural harm on top of cyber risk.

The current reality

Estimates put the global cost of cybercrime at roughly 10.5 trillion USD per year as of 2025. That would rank as the world's third largest economy. [1]

Phishing drives 85% of reported cyber attacks on businesses. Even on conservative measures it remains the most common entry point: IBM's Cost of a Data Breach analysis attributes 16% of analysed breaches to phishing. [2]

Training should be the first line of defence. The evidence says otherwise.

A landmark randomised controlled study of 19,500 employees at a large healthcare organisation ran ten phishing campaigns over eight months. It assessed annual awareness modules and embedded phishing training.

The key findings are stark.

  1. Static training made people worse at spotting phishing. The authors report that “users who complete multiple static training sessions have a 18.5% increased likelihood of failing for each additional training they complete.” [3]
  2. Engagement often collapsed. “Between 37–51% of all training sessions have no engagement at all: users simply close the page immediately.” [3]
  3. Even when training worked, the benefit was negligible. “On average, users in the training groups have only a 1.7% lower failure rate than those in the control group.” [3]
  4. Their conclusion is clear. In common forms as deployed today, training is “unlikely to offer significant value relative to its considerable expense in time and effort.” [3]

Meanwhile, punitive phishing gotchas have damaged trust. GoDaddy's fake holiday bonus test triggered public criticism and an apology [4], and in the UK, West Midlands Trains faced a backlash after a fake COVID bonus lure. [5]

What we have learnt

The leading authorities are not calling for more of the same. They emphasise layered controls, supportive culture, and measurable behaviour change.

  1. NCSC UK warns that simulations and punishment erode trust, and that relying on users to spot every phish wastes time and money. [6]
  2. ENISA's guidance treats cybersecurity as a behavioural and cultural challenge, advocating human-centred approaches. [7]
  3. NIST advocates a lifecycle learning program that encourages behaviour change, uses role-based content, and includes metrics to evaluate and improve the program. Annual checkbox modules are insufficient on their own. [8]
  4. Academic evidence beyond the UCSD study points the same way. A 15-month, 14,000-employee study reported no positive effect and signs of harm from embedded training as commonly delivered. [9]
  5. A controlled trial found no significant benefit from spear-phishing training. [10]
  6. Benefit often comes from the periodic reminder rather than the content itself, which many users do not consume. [11]
  7. Research on timing effects shows that reminder cadence matters. [12]

And yet the default is still punitive phishing. Fail a ‘phish’ and you get sent to ‘learning’.

The deeper problem: training the wrong response

Cybercriminals succeed because they are psychological manipulators. They exploit human nature, and they understand our hardwired responses: authority bias (“this looks official”), loss aversion (“I'll get in trouble”), and time pressure (“urgent response required”).

Traditional training reinforces these exact vulnerabilities by creating anxiety around getting it wrong, rather than building confident decision-making.

Instead of developing psychological resilience against manipulation, we are conditioning people to be more compliant and fearful. Exactly what helps criminals.

How we fix it

Stacey Edmonds, our co-founder, recognised the problem in 2015 and tested a different approach: when cyber safety becomes consumer-grade, enjoyable and measurable, people engage, and behaviour changes.

That approach is now two products. Phishy or Not? for business. Dodgy or Not? for education. And every Phishy or Not? subscription subsidises Dodgy or Not?. That's how the pricing works.

From compliance to competence

Phishy or Not? replaces your phishing simulation and your learning module. One honest measurement of human risk, delivered through scenario-based play. Built for the threats AI creates, across every channel your people face. Play it before you live it.

Every design choice answers a failure documented above:

  1. Positive, not punitive. Gotcha tests erode trust and condition fear; that is the NCSC's own warning. [6] We replaced shame with play: no tricked employees, no walk of shame to a remedial module. An employee benefit, not a gotcha.
  2. Chosen, not mandated. The UCSD trial found 37–51% of training sessions get zero engagement. [3] Phishy or Not? runs at 95% voluntary completion. When it isn't a penalty, people choose to play, and the instinct goes home with them.
  3. Instinct, not anatomy. Scams work by hijacking split-second judgement: authority, urgency, loss. Slides can't train a reflex; repetition, feedback and play can. We teach the signs. Whatever the scam, whatever the format, the signs stay the same.
  4. Every channel, not just email. Vishing, smishing, quishing, deepfakes and DMs. When a new threat hits, it's a scenario the same day, sourced from government advisories and a network of CISOs who see attacks first.
  5. Continuous, not episodic. The research says benefit comes from cadence, not annual content dumps. [11][12] Short scenario-based play keeps the instinct current without stealing the workday.
  6. Measurement that matters. NIST calls for metrics and behaviour change, not attendance records. [8] We measure what people actually do, across 27 behavioural signals, and whether their confidence matches their competence. Behaviour, belief, and the gap between them. Audit-ready, mapped to compliance frameworks.

Measured where it counts

In independent controlled trials, organisations using Phishy or Not? saw a 2x click-rate reduction against industry benchmark, and people 83% more likely to report suspicious messages. Average user rating across enterprise deployments: 9.8/10.

The choice

Cybercrime is accelerating, AI is making every attack more convincing, and the evidence above says traditional training won't move the dial.

Keep funding failure, or build the instinct.

For business: Book a Phishy or Not? demo

For education: Explore Dodgy or Not?

Sources and research evidence

  1. Cybersecurity Ventures. 2023. “Cybercrime To Cost The World $10.5 Trillion Annually By 2025.” cybersecurityventures.com/cybercrime-damage-costs
  2. IBM Security. 2023. “Cost of a Data Breach Report 2023.” Phishing identified as sixteen percent of breaches. ibm.com/reports/data-breach
  3. Ho, G., Mirian, A., Luo, E., Tong, K., Lee, E., Liu, L., Longhurst, C. A., Dameff, C., Savage, S., and Voelker, G. M. 2025. “Understanding the Efficacy of Phishing Training in Practice.” IEEE Symposium on Security and Privacy. sysnet.ucsd.edu/~voelker/pubs/phishtrain-oakland25.pdf
  4. CBS News. 25 Dec 2020. “GoDaddy apologizes for ‘insensitive’ phishing email offering bonuses to employees.” cbsnews.com
  5. The Register. 11 May 2021. “Train operator phlunks phishing test by teasing employees with non-existent COVID bonus.” theregister.com
  6. National Cyber Security Centre UK. Reviewed 13 Feb 2024. “Phishing attacks: defending your organisation.” See section on problems with phishing simulations. ncsc.gov.uk/pdfs/guidance/phishing.pdf
  7. ENISA. 2019. “Cybersecurity Culture Guidelines: Behavioural Aspects of Cybersecurity.” enisa.europa.eu
  8. NIST Special Publication 800-50 Rev. 1. September 2024. “Building a Cybersecurity and Privacy Learning Program.” csrc.nist.gov/pubs/sp/800/50/r1/final
  9. Lain, D., Kostiainen, K., and Capkun, S. 2022. “Phishing in Organizations: Findings from a Large-Scale and Long-Term Study.” IEEE Symposium on Security and Privacy. arxiv.org/abs/2112.07498
  10. Caputo, D. D., Pfleeger, S. L., Freeman, J. D., and Johnson, M. E. 2014. “Going Spear Phishing: Exploring Embedded Training and Awareness.” IEEE Security and Privacy 12(1): 28–38. ieeexplore.ieee.org/document/6727446
  11. Lain, D., Jost, T., Matetic, S., Kostiainen, K., and Capkun, S. 2024. “Content, Nudges and Incentives: A Study on the Effectiveness and Perception of Embedded Phishing Training.” ACM CCS. arxiv.org/pdf/2409.01378
  12. Reinheimer, B., Aldag, L., Mayer, P., et al. 2020. “An investigation of phishing awareness and education over time: When and how to best remind users.” USENIX SOUPS. usenix.org/conference/soups2020