Security Awareness Training: Why It Matters and How to Build a Programme That Works
Most breaches start with human error. Security awareness training reduces that risk, but only if it goes beyond annual e-learning. This guide covers what works, what does not, and how to build a programme your staff will actually remember.
TL;DR
The majority of successful cyberattacks start with a human mistake. A phishing email that gets clicked, a password entered on a fake login page, a call from someone pretending to be IT support. Security awareness training exists to close that gap, but most programmes do not work because they mistake information delivery for behaviour change. This guide covers what actually reduces risk, which formats create lasting habits, and how to build a programme that your staff will remember when it counts.
Why this is a different kind of security problem
Technical security controls have clear failure modes. A firewall is misconfigured. A patch is missing. A vulnerability is exploitable. You can find and fix these with the right tools and expertise.
Human behaviour does not work the same way. You cannot patch a person. A staff member who clicked a phishing link last month may click one again next month, not because they are careless but because the attacker's message was convincing and they were busy. Reducing that risk requires building habits, not just knowledge. That distinction is what separates effective security awareness programmes from expensive checkbox exercises.
What the research says about what works
The evidence on security awareness training is clear on two points.
First, training works. Organisations that run structured, recurring awareness programmes consistently report lower phishing click rates, faster incident reporting, and fewer human-error-related incidents than organisations that do nothing or rely on annual compliance training alone.
Second, a single annual training does not work. Knowledge fades. Studies show that phishing click rates return to near-baseline within four to six months of a one-time training session. Without reinforcement, the investment in training produces diminishing returns within weeks.
The formats that consistently produce measurable behaviour change share three characteristics: they are repeated throughout the year, they use realistic scenarios rather than abstract theory, and they provide immediate feedback when someone makes a mistake.
The threat landscape your staff actually faces
Attackers have moved well beyond email. Your staff are being targeted across multiple channels simultaneously, and most organisations train for only one of them.
Email phishing
Still the dominant vector. AI-generated phishing emails are now indistinguishable from legitimate communications in many cases. The generic warning signs (mismatched domains, poor grammar) are no longer reliable indicators. Attackers now use your organisation's actual email signatures, reference real colleagues, and time their campaigns around company events. Your staff need to recognise contextual anomalies, not just obvious red flags.
SMS and messaging platforms
Smishing attacks via SMS, WhatsApp, and Teams have grown significantly. Staff are less suspicious of messages on their personal devices and tend to act faster without the same scrutiny they apply to email. Delivery notifications, urgent payment requests, and IT helpdesk impersonation are the most common patterns.
Voice calls (vishing)
Vishing remains highly effective because people are socially conditioned to be helpful on phone calls. An attacker posing as IT support, a supplier, or a senior manager can extract credentials, authorise payments, or gain physical access in a single call. AI voice cloning has made this attack category significantly more dangerous in the past two years.
QR codes and physical vectors
QR code phishing has increased sharply. Malicious QR codes are placed in printed materials, on office printers, in email signatures, and in physical spaces. Because QR codes bypass most email security filters, they are increasingly used to deliver credential harvesting pages. Staff who know to check a URL before clicking often scan a QR code without any scrutiny at all.
What an effective security awareness programme looks like
Effective programmes are not a single product or a single event. They are a structured combination of formats deployed throughout the year, each reinforcing the same core behaviours through different contexts.
Phishing simulations with in-context feedback
Realistic phishing simulations that mirror current attack techniques are the most consistently effective tool for measuring and changing behaviour. The critical element is what happens when someone clicks. Immediate, non-punitive feedback, explaining what the simulation tested and what to look for next time, produces far better outcomes than delayed training modules or management reports.
Simulations should be run at least quarterly and should cover multiple channels: email, SMS, and voice. Staff who have learned to spot email phishing may be entirely unprepared for a vishing call or a malicious QR code.
Game-based and scenario-driven learning
Traditional e-learning modules produce low engagement and poor retention. Game-based formats that place staff in realistic attack scenarios, where they must make decisions and see the consequences, produce significantly better outcomes. The emotional engagement of making a wrong choice in a safe environment creates stronger memory traces than passive content consumption.
Hands-on experiential training
Live, hands-on training that physically demonstrates attack techniques creates the highest retention rates. When a staff member has personally experienced what a USB drop attack looks like, or sat through a simulated vishing call, or seen how quickly a social engineer can extract information in a conversation, the learning does not fade the way e-learning does.
Targeted training for high-risk roles
Not all staff carry equal risk. Finance teams, executive assistants, HR staff, and anyone with privileged system access are targeted disproportionately. A one-size-fits-all programme misses this. High-risk roles need more frequent simulations, deeper scenario training, and specific coverage of the attack types most relevant to their function.
Swishing: multi-channel awareness for how attackers actually operate
Swishing is a security awareness game developed by Sectricity that trains staff to recognise phishing attempts across all the channels attackers actually use: email, SMS, voice calls, and QR codes.
Unlike standard phishing training that focuses on one channel and rewards passive completion, Swishing uses competitive game mechanics and scenario-based decision-making to create genuine engagement. Staff move through realistic attack scenarios, make choices, receive immediate feedback, and build pattern recognition across attack types, not just the specific email format they trained on last year.
Swishing is particularly effective for organisations that have already run basic phishing simulations and found that click rates have plateaued. When staff have learned to spot the obvious tests, the programme needs to evolve to match how attacks actually look. Swishing covers that next level.
The Security Awareness Escape Truck: experiential training at your location
The Security Awareness Escape Truck is a mobile escape room that brings hands-on security training directly to your office or event. Teams work through realistic attack scenarios in a fully immersive environment, making decisions under time pressure and seeing immediately what works and what does not.
The format is particularly effective for leadership teams who need to experience security decisions rather than be briefed on them, and for organisation-wide culture change initiatives where management buy-in is essential. When senior leadership has personally experienced a social engineering attack, security awareness becomes a board-level priority rather than an IT department concern.
Common mistakes in security awareness programmes
Most organisations make the same set of predictable errors.
Treating training as a compliance task. Annual e-learning that exists to tick a box does not change behaviour. If your staff know the training exists to satisfy an auditor rather than to protect them, engagement will be minimal and retention will be worse.
Using punishment as the primary feedback mechanism. Naming and shaming staff who click phishing simulations creates fear without learning. The most effective response to a clicked simulation is immediate, private, educational feedback, not a disciplinary process. Fear makes people defensive, not more vigilant.
Training only on email. If your simulations and training cover only email phishing, you are preparing your staff for one attack vector while leaving them unprepared for smishing, vishing, QR code attacks, and physical social engineering. Attackers adapt. Your training needs to as well.
No measurement between training cycles. If you run training in January and do not measure again until December, you have no visibility into whether anything changed. Regular simulation data, tracked across departments and roles, tells you where risk actually lives and whether your programme is working.
Treating all staff identically. A receptionist, a finance director, and a software developer face very different attack profiles. A programme that treats everyone the same misses the high-risk concentrations that attackers target most aggressively.
Compliance requirements: NIS2 and ISO 27001
NIS2 Article 21 explicitly requires essential and important entities to implement measures covering human resources security and security awareness as part of their risk management obligations. A documented, recurring awareness programme is the most defensible way to demonstrate compliance to a national regulator or auditor.
ISO 27001:2022 Annex A control 6.3 requires organisations to ensure that all staff and relevant contractors receive appropriate awareness, education, and training in information security. Certification auditors expect evidence of a programme that is documented, recurring, and role-appropriate, not a single annual module.
A well-structured awareness programme, with measurable outcomes such as tracked simulation click rates and documented training completion, serves both frameworks simultaneously. It also provides concrete evidence of security culture maturity that increasingly matters in supplier assessments, insurance applications, and contract negotiations.
How to build a programme that works
A practical programme does not need to be complex. It needs to be consistent, measurable, and varied enough to maintain attention throughout the year.
Start by measuring your current baseline. Run a phishing simulation before any training to establish where your organisation actually stands. Click rates, credential submission rates, and reporting rates vary enormously across organisations and roles. Without a baseline, you cannot demonstrate improvement.
Segment your audience. Identify your highest-risk roles and design more intensive training for those groups. Finance, HR, executive support, and privileged IT accounts deserve targeted scenarios that reflect the specific attacks they face.
Plan a 12-month calendar with varied touchpoints. The calendar should include quarterly simulations across multiple channels, at least one immersive or experiential training event, regular short-form content such as security tips or scenario videos, and a year-end measurement cycle that feeds back into the following year's planning.
Make reporting easy and rewarding. Staff who spot and report suspicious messages are your early warning system. If reporting is complicated or if reporters feel ignored, they stop. A simple, low-friction reporting mechanism and visible acknowledgement of reports changes the culture over time.
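The baseline, segmentation and measurement steps above come down to tracking three numbers per role and campaign: click rate, credential submission rate, and reporting rate. The script below is an added example, not Sectricity's code or any product's API; it aggregates constructed simulation results (hypothetical users, roles, campaign names and a 30% click-rate threshold are all assumptions) into per-role metrics, flags the roles that need targeted training, and shows the change between a baseline email campaign and a follow-up SMS campaign.

```python
"""Aggregate phishing-simulation results per role and compare campaigns.

Added example; the data, roles and thresholds are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SimulationEvent:
    user: str
    role: str
    campaign: str          # e.g. "baseline", "q2"
    channel: str           # "email", "sms", "voice", "qr"
    clicked: bool
    submitted_credentials: bool
    reported: bool


# Constructed sample data: hypothetical users and roles, not real results.
EVENTS = [
    SimulationEvent("a.smith", "finance", "baseline", "email", True, True, False),
    SimulationEvent("b.jones", "finance", "baseline", "email", True, False, False),
    SimulationEvent("c.lee", "finance", "baseline", "email", False, False, True),
    SimulationEvent("d.kim", "finance", "baseline", "email", False, False, False),
    SimulationEvent("e.ng", "engineering", "baseline", "email", True, False, True),
    SimulationEvent("f.roy", "engineering", "baseline", "email", False, False, True),
    SimulationEvent("g.ali", "engineering", "baseline", "email", False, False, True),
    SimulationEvent("h.cox", "engineering", "baseline", "email", False, False, False),
    # Follow-up campaign on a different channel after the first training cycle.
    SimulationEvent("a.smith", "finance", "q2", "sms", True, False, False),
    SimulationEvent("b.jones", "finance", "q2", "sms", False, False, True),
    SimulationEvent("c.lee", "finance", "q2", "sms", False, False, True),
    SimulationEvent("d.kim", "finance", "q2", "sms", False, False, False),
    SimulationEvent("e.ng", "engineering", "q2", "sms", False, False, True),
    SimulationEvent("f.roy", "engineering", "q2", "sms", False, False, True),
    SimulationEvent("g.ali", "engineering", "q2", "sms", True, False, False),
    SimulationEvent("h.cox", "engineering", "q2", "sms", False, False, False),
]


def rates_by_role(events, campaign):
    """Return {role: {"n", "click_rate", "credential_rate", "report_rate"}} for one campaign."""
    totals = defaultdict(lambda: {"n": 0, "clicked": 0, "submitted": 0, "reported": 0})
    for e in events:
        if e.campaign != campaign:
            continue
        t = totals[e.role]
        t["n"] += 1
        t["clicked"] += e.clicked            # bool counts as 0/1
        t["submitted"] += e.submitted_credentials
        t["reported"] += e.reported
    return {
        role: {
            "n": t["n"],
            "click_rate": t["clicked"] / t["n"],
            "credential_rate": t["submitted"] / t["n"],
            "report_rate": t["reported"] / t["n"],
        }
        for role, t in totals.items()
    }


def high_risk_roles(rates, click_threshold=0.3, min_users=3):
    """Roles whose click rate exceeds the (assumed) threshold; very small groups are skipped
    because one click in a group of two says little about the role."""
    return sorted(
        role for role, m in rates.items()
        if m["n"] >= min_users and m["click_rate"] > click_threshold
    )


def compare_campaigns(events, baseline, follow_up):
    """Per-role change (follow_up minus baseline) in click rate and report rate."""
    before = rates_by_role(events, baseline)
    after = rates_by_role(events, follow_up)
    return {
        role: {
            "click_delta": after[role]["click_rate"] - before[role]["click_rate"],
            "report_delta": after[role]["report_rate"] - before[role]["report_rate"],
        }
        for role in before if role in after
    }


if __name__ == "__main__":
    base = rates_by_role(EVENTS, "baseline")
    for role, m in base.items():
        print(f"{role:12s} n={m['n']} click={m['click_rate']:.0%} "
              f"cred={m['credential_rate']:.0%} report={m['report_rate']:.0%}")
    print("high-risk roles at baseline:", high_risk_roles(base))
    for role, d in compare_campaigns(EVENTS, "baseline", "q2").items():
        print(f"{role:12s} click {d['click_delta']:+.0%}  report {d['report_delta']:+.0%}")
```

Tracking report rate alongside click rate matters: a role whose click rate is flat but whose report rate rises is still improving, and a falling report rate is the signal that reporters feel ignored. In practice the events would come from the simulation platform's export rather than an inline list, but the per-role aggregation and the baseline comparison are the same.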
FAQ
What is security awareness training?
Security awareness training is a structured programme that teaches employees to recognise and respond correctly to cyber threats such as phishing emails, vishing calls, social engineering, and unsafe digital behaviour. Effective training combines knowledge with repeated practice, so that the right response becomes a habit rather than a conscious decision.
Why does annual e-learning fail to reduce phishing risk?
Annual e-learning fails because knowledge fades within weeks of training and a single module cannot create lasting behavioural change. Research consistently shows that click rates on phishing simulations return to baseline within 4 to 6 months of a one-time training. Effective programmes use repeated, varied touchpoints throughout the year to maintain vigilance.
What is a phishing simulation and how does it work?
A phishing simulation sends realistic but harmless fake phishing emails to your staff. When someone clicks a link or submits credentials, they receive immediate in-context feedback rather than a punishment. Simulations measure click rates, credential submission rates, and reporting rates over time. Combined with targeted follow-up training, they are one of the most effective tools for reducing phishing susceptibility.
What is Swishing and how is it different from standard phishing training?
Swishing is a multi-channel phishing awareness game developed by Sectricity that trains staff to recognise phishing across email, SMS, voice calls, and QR codes. Unlike standard e-learning, Swishing uses game mechanics, scenario-based learning, and real attack simulations to create engagement and retention. It is designed for teams that have outgrown annual click-training and need a programme that reflects how attackers actually operate today.
What is a Security Awareness Escape Truck?
The Security Awareness Escape Truck is a mobile escape room experience that brings security awareness training directly to your office or event. Teams work through realistic attack scenarios in a hands-on format that creates far higher engagement and retention than classroom or online training. It is particularly effective for leadership teams, onboarding programmes, and security culture change initiatives.
Does security awareness training satisfy NIS2 or ISO 27001 requirements?
Yes. NIS2 Article 21 requires organisations to implement measures covering human resources security and security awareness. ISO 27001 Annex A control 6.3 requires organisations to ensure staff receive appropriate security awareness, education, and training. A documented, recurring security awareness programme with measurable outcomes is the most defensible way to demonstrate compliance with both frameworks.
Related services and resources
Sectricity offers a full range of security awareness services across Belgium, the Netherlands, and the UK. Our flagship Swishing programme covers multi-channel phishing awareness across email, SMS, voice, and QR codes. For immersive on-site training, the Security Awareness Escape Truck brings hands-on scenarios directly to your team. We also provide social engineering assessments and phishing simulations to measure your current exposure. Not sure where to start? Begin with a free security scan.