Cybersecurity Training Programs Don’t Prevent Employees from Falling for Phishing Scams.

That was the headline announcing the results of a large 2025 study by UC San Diego Health, which ran a series of phishing campaigns involving nearly 20,000 students.

Researchers found that there was no significant relationship between whether users had recently completed an annual, mandated cybersecurity training and the likelihood of falling for phishing emails.

They also found that the difference in failure rates between employees who had completed the training and those who had not was extremely low.

Other findings included:

  • Overall, 75% of users engaged with the embedded training materials for a minute or less.
  • One-third immediately closed the embedded training page without engaging with the material at all.
  • Embedded phishing training only reduced the likelihood of clicking on a phishing link by 2%. This is particularly striking given the expense in time and effort that these trainings require, the researchers noted.
  • More employees fell for the phishing emails as time went on. In the first month of the study, only 10% of employees clicked on a phishing link. By the eighth month, more than half had clicked on at least one phishing link.
  • Some phishing emails were considerably more effective than others. For example, only 1.82% of recipients clicked on a phishing link to update their Outlook password. But 30.8% clicked on a link that purported to be an update to UC San Diego Health’s vacation policy.

“Taken together, our results suggest that anti-phishing training programs, in their current and commonly deployed forms, are unlikely to offer significant practical value in reducing phishing risks,” said Grant Ho, co-author of the study.

While it is one of the biggest and most recent, the study backs up previous research and reminds us that, although we feel obliged to mandate at least some kind of security awareness training, we’re very aware of its limitations, and of the challenges of simply adding more.

The primary goal of the Big Security Talk is to help your existing awareness programs make more sense, feel more personal and relevant, and change more minds and habits.

“It’s not a function of repetition, it’s a function of emotion. It’s not the repetition that’s creating the habit, it’s the emotion that you feel.” BJ Fogg, habit expert

To learn about our refreshingly different approach, contact Neal O’Farrell