How to Build a Security Awareness Training Program That Actually Works
Annual security awareness training satisfies a compliance checkbox. It does not materially change security behavior. The research is consistent: one annual training session produces measurable improvement that decays to baseline within 60 to 90 days. An organization that completes annual phishing training in January and tests click rates in December is measuring the decay of training effect, not the baseline effectiveness of the program.
A security awareness program that actually reduces risk operates on a different model: continuous reinforcement, role-based content relevance, targeted follow-up training triggered by risky behavior, and metrics that measure behavior change rather than training completion.
Phishing Simulation Design: Getting Useful Signal Instead of Punishing Users
Phishing simulations serve two purposes: measuring the current state of phishing susceptibility in your organization, and triggering targeted training for users who click. Both purposes require simulation design choices that many programs get wrong.
For measurement, simulations need to be representative of real phishing techniques targeting your organization. A simulation that uses obviously fake scenarios measures only whether users can detect cartoonishly bad phishing — not whether they are susceptible to the credential harvesting and BEC attacks that actually reach their inboxes. Review your email security gateway logs quarterly to identify the phishing techniques most commonly blocked: those are the techniques your simulations should replicate.
Avoid the practice of deliberately embarrassing employees who click. 'If you had clicked this link, your credentials would have been compromised' splash pages that emphasize failure produce resentment and underreporting of suspicious emails — two outcomes that make your security program less effective. Replace shaming with immediate, helpful education: 'Here is what made this email suspicious, and here is how to report emails like this.'
Send simulations to all employees monthly, not just to prior clickers. Susceptibility is not a static individual trait — it correlates with workload, stress, and contextual factors that change week to week. Monthly simulation frequency produces more reliable cohort-level susceptibility data than quarterly or annual schedules.
Training Content That Changes Behavior
Training content that changes security behavior has three characteristics: it is relevant to the specific threats the employee faces in their actual role, it provides actionable guidance for specific situations rather than generic principles, and it is delivered in short, frequent sessions rather than long annual modules.
Role-based training segmentation is the most impactful content design choice. The security training relevant to a finance employee (wire transfer fraud, BEC recognition, invoice tampering) is almost entirely different from the training relevant to a software developer (secure coding, secrets management, dependency security) or an executive assistant (spear phishing recognition, executive impersonation). Generic organization-wide training that attempts to cover all these scenarios produces training that is relevant to nobody.
Microlearning format, meaning two to five minute training modules triggered by specific behaviors or events rather than scheduled annual modules, produces significantly better retention than long-form training. A two-minute module on BEC recognition delivered immediately after an employee clicks a BEC simulation email is far more effective than the same content buried in a 45-minute annual training module six months before the click, because it arrives while the mistake is still fresh and the context is concrete.
Train specifically for your incident reporting process. Most employees who notice suspicious activity do not report it because they do not know how, are afraid of being blamed, or do not think their report will be acted on. A security awareness program that produces high incident reporting rates from employees is more valuable than one that produces low phishing click rates — early incident reports from employees often arrive before automated detection, providing faster containment time.
Building Security Culture vs Completing Compliance Training
Security culture — the degree to which security-conscious behavior is the default across an organization, regardless of whether anyone is watching — is the goal that security awareness training exists to support. Culture is built through consistent leadership modeling, visible positive reinforcement for secure behavior, psychological safety for reporting mistakes, and the perception that security policies exist to protect employees rather than surveil them.
Leadership participation in security awareness training is the single most impactful culture signal available. When executive leadership is visibly subject to the same phishing simulations, training requirements, and security policies as the rest of the organization, the implicit message is that security is everyone's responsibility. When executives are exempted from training or receive different policies, the message is the opposite.
Create a recognition program for employees who report phishing emails, identify suspicious activity, or demonstrate proactive security behavior. Positive reinforcement for the behaviors you want is more effective than negative consequences for the behaviors you want to reduce. A 'security champion' program — identifying and recognizing employees in each department who demonstrate strong security behavior — extends your security awareness reach without expanding the security team headcount.
Measure security culture annually using a structured survey instrument. SANS's Security Awareness Maturity Model provides a widely used framework whose stages run from Non-Existent and Compliance Focused, through Promoting Awareness and Behavior Change, to Long-Term Sustainment and Culture Change, with a Metrics Framework as the final stage. Place your program on that scale, but use the survey's individual dimension scores to identify which aspects of culture need targeted improvement rather than treating culture as a single number.
Metrics That Measure Behavior Change, Not Training Completion
Training completion rate measures whether employees clicked the 'complete' button at the end of a training module. It measures nothing about whether behavior changed. Replace completion rate as your primary metric with behavior-based measures.
Phishing simulation click rate trend (monthly, by cohort and department) is the most direct behavior measure for phishing training effectiveness. Track it monthly and segment by department to identify groups with persistently high click rates that need targeted intervention. A 30% overall click rate that has trended down from 52% over six months indicates an effective program even if 30% is above benchmark. The trend is only meaningful if simulation difficulty is held roughly constant from month to month; a drop in click rate after switching to easier lures measures the template change, not the employees.
Incident report rate measures how many employee-initiated reports of suspicious emails, devices, or behavior your security team receives per month relative to organization size. A rising incident report rate is a positive signal: more employees are noticing and reporting security concerns rather than ignoring them. Rising report rates combined with falling click rates are the ideal combination.
Post-phish reporting rate measures whether employees who click a simulation email subsequently report it as suspicious. An employee who clicks and then reports the email has demonstrated the most important security behavior: recognizing the mistake and escalating it. This metric is often ignored in favor of click rate alone, but it is a better predictor of whether employees will report real incidents.
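The three metrics above are straightforward to compute once simulation results and SOC report counts are exported. The following is an added example, not code from the article or from any simulation platform: it computes click rate by cohort and over time, real incident reports per 1,000 employees, and post-phish reporting rate from a constructed set of simulation events. The record layout (month, department, user, clicked, reported) and the sample numbers are assumptions; a real program would load these from the simulation platform's export and the ticketing system.

```python
"""Behavior metrics from phishing-simulation and incident-report data.

Added example (not from the article). The SimEvent layout and all
sample data below are constructed assumptions; real data would come
from the simulation platform's export and the SOC ticketing system.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SimEvent:
    month: str        # "YYYY-MM" in which the simulation was sent
    department: str
    user: str
    clicked: bool     # user followed the lure link or opened the attachment
    reported: bool    # user reported the simulation via the report button


# Constructed sample data: two months, two departments, four users each.
SAMPLE_EVENTS = [
    SimEvent("2025-01", "finance", "alice", True, False),
    SimEvent("2025-01", "finance", "bob", True, True),
    SimEvent("2025-01", "finance", "carol", False, True),
    SimEvent("2025-01", "finance", "dave", False, False),
    SimEvent("2025-01", "eng", "erin", True, False),
    SimEvent("2025-01", "eng", "frank", False, True),
    SimEvent("2025-01", "eng", "grace", False, False),
    SimEvent("2025-01", "eng", "heidi", False, False),
    SimEvent("2025-02", "finance", "alice", False, True),
    SimEvent("2025-02", "finance", "bob", True, True),
    SimEvent("2025-02", "finance", "carol", False, True),
    SimEvent("2025-02", "finance", "dave", False, False),
    SimEvent("2025-02", "eng", "erin", False, False),
    SimEvent("2025-02", "eng", "frank", False, True),
    SimEvent("2025-02", "eng", "grace", False, True),
    SimEvent("2025-02", "eng", "heidi", False, False),
]

# Constructed: employee-initiated reports of real suspicious email or
# activity received by the SOC per month, and headcount for that month.
SAMPLE_REAL_REPORTS = {"2025-01": 6, "2025-02": 11}
SAMPLE_HEADCOUNT = {"2025-01": 400, "2025-02": 410}


def click_rate_by_cohort(events):
    """Click rate per (month, department) as a fraction of simulations sent."""
    sent = defaultdict(int)
    clicked = defaultdict(int)
    for e in events:
        key = (e.month, e.department)
        sent[key] += 1
        clicked[key] += e.clicked
    return {k: clicked[k] / sent[k] for k in sent}


def click_rate_trend(events, department=None):
    """Month-ordered list of (month, click_rate), org-wide or for one department."""
    sent = defaultdict(int)
    clicked = defaultdict(int)
    for e in events:
        if department is None or e.department == department:
            sent[e.month] += 1
            clicked[e.month] += e.clicked
    return [(m, clicked[m] / sent[m]) for m in sorted(sent)]


def incident_report_rate(reports, headcount):
    """Real employee reports per 1,000 employees per month, month-ordered."""
    return [(m, 1000 * reports[m] / headcount[m]) for m in sorted(reports)]


def post_phish_reporting_rate(events):
    """Of users who clicked a simulation, the fraction who then reported it."""
    clickers = [e for e in events if e.clicked]
    if not clickers:
        return 0.0
    return sum(e.reported for e in clickers) / len(clickers)


def persistent_high_click_departments(events, threshold=0.2):
    """Departments whose click rate exceeds the threshold in every month seen."""
    by_cohort = click_rate_by_cohort(events)
    departments = {d for _, d in by_cohort}
    months = {m for m, _ in by_cohort}
    return sorted(
        d for d in departments
        if all(by_cohort.get((m, d), 0.0) > threshold for m in months)
    )


if __name__ == "__main__":
    for month, rate in click_rate_trend(SAMPLE_EVENTS):
        print(f"{month} org-wide click rate {rate:.0%}")
    for month, rate in incident_report_rate(SAMPLE_REAL_REPORTS, SAMPLE_HEADCOUNT):
        print(f"{month} real reports per 1,000 employees {rate:.1f}")
    print(f"post-phish reporting rate {post_phish_reporting_rate(SAMPLE_EVENTS):.0%}")
    print("persistently high-click departments:",
          persistent_high_click_departments(SAMPLE_EVENTS))
```

With the constructed data the org-wide click rate falls from 37.5% to 12.5% while real reports per 1,000 employees rise from 15.0 to 26.8, which is the combination the section calls ideal; half of the clickers also reported the email, the post-phish reporting figure that click rate alone would hide. The `persistent_high_click_departments` threshold is a tuning parameter, not a benchmark.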
The bottom line
A security awareness program that reduces phishing click rates, increases incident reporting, and builds a culture where employees are active participants in security rather than passive compliance targets requires continuous effort across simulation design, content relevance, microlearning delivery, and culture reinforcement. The compliance checkbox version of this program costs roughly the same and produces none of those outcomes. The difference is in the design choices.
Frequently asked questions
What is the best phishing simulation platform?
The leading platforms are KnowBe4, Proofpoint Security Awareness Training, Cofense, and Mimecast Awareness Training. KnowBe4 has the largest template library and the strongest SCORM integration for LMS-based training delivery. Proofpoint integrates tightly with its email security gateway, allowing simulation targeting based on real threat intelligence about what attacks are currently hitting your organization. Cofense specializes in phishing-specific awareness and has the strongest incident reporting workflow. Platform choice should align with your existing email security stack for the tightest integration.
How often should you run phishing simulations?
Monthly simulation frequency produces the best balance of consistent measurement and employee experience. Weekly simulations risk habituation: employees learn to treat every email as a test, which degrades operational efficiency without any security benefit. Quarterly simulations miss the training decay that occurs between sessions. Monthly simulations that vary technique type (credential harvesting, attachment-based, BEC-style) and sender impersonation (IT, HR, executive, external vendor) produce cohort-level susceptibility data reliable enough to trend over time and to identify department-level outliers.
What is a good phishing simulation click rate benchmark?
Industry benchmarks vary by methodology and sector. As a general reference: a click rate above 30% indicates a program that needs significant improvement; 15 to 30% is average for organizations with basic awareness programs; below 10% is good; below 5% is strong for organizations with mature, continuous programs. More important than absolute click rate is the trend: consistent quarterly improvement demonstrates a working program. Organizations that achieve and sustain sub-5% click rates typically operate monthly simulations with role-based training, immediate microlearning triggers, and high incident reporting rates.
How do you measure security culture?
Security culture measurement requires survey-based instruments that assess employee attitudes, knowledge, and behavior across multiple dimensions: perceived organizational support for security, personal ownership of security responsibility, trust in the security team, understanding of security policies and why they exist, and likelihood to report suspicious activity. SANS's Security Awareness Maturity Model provides a validated framework. Proofpoint and KnowBe4 both offer culture assessment survey tools. Run a culture assessment annually and track dimension scores over time to identify which aspects of culture are improving and which require targeted intervention.
Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.
