Phishing test or awareness training?
Is your organization facing rising phishing threats while at the same time struggling to get employees to take cyber security seriously? You are not alone. Many IT security managers find themselves in a dilemma between running phishing tests and investing in thorough awareness training.
Written by Anders Schultz-Møller
Research shows that continuous, targeted IT security and awareness training outperforms one-off phishing tests when it comes to behavioral change, reporting culture and security awareness. According to a report from Stanford University, 88% of data breaches are due to human error, highlighting the need for effective training. But what does this mean for your security strategy? And how can you avoid the negative side effects that many test-based approaches bring?
In this article, we review the evidence behind both approaches and give you concrete recommendations to strengthen your organization’s cyber security without creating guilt or stress among employees.
Why phishing tests alone are not enough
Phishing tests may seem like the obvious solution. They are simple to implement, provide measurable results and seem immediately effective. But research reveals a more complex picture.
Verizon’s Data Breach Investigations Report (DBIR) consistently shows that phishing and pretexting are behind 44% of all social attacks. At the same time, the report highlights user training as a critical security control – not as a standalone test, but as an integral part of a broader security strategy.
The UK’s National Cyber Security Centre (NCSC) states that phishing simulations should serve as learning tools rather than fear-inducing exams. Its guidance points out that test-based methods without follow-up training often lead to lower reporting rates and a blame culture.
The hidden costs of testing cultures
Improperly implemented phishing tests can do more harm than good. According to a survey from Tessian, 43% of employees feel stressed or embarrassed when they fail a phishing test. Research documents that this approach can lead to:
- Increased stress and anxiety around digital work tasks
- Lower reporting rate of suspicious activity (Tessian)
- Resistance to security initiatives in general
A systematic review published in the Journal of Cybersecurity concludes that the impact of training critically depends on its design and organizational integration. One-off tests without follow-up learning have limited long-term impact and can lead to uncertainty among employees.
What awareness training can do better
Effective awareness training is about more than just recognizing phishing emails. It’s about creating a culture where employees feel equipped and motivated to act appropriately in security situations.
Broader channel coverage
Cyber threats are becoming increasingly sophisticated and come through more channels than just email:
- Vishing (voice phishing): Phone-based scam calls
- Smishing (SMS phishing): Fraud through text messages
- Chat-based phishing: Through Teams, Slack or social media
According to IBM’s X-Force Threat Intelligence Index, alternative channels such as SMS and chat are now used in 31% of phishing attempts. Effective IT security training must equip employees to deal with threats across all of these channels.
Personalized learning delivers results
Personalized training is more effective than generic campaigns. ETH Zurich’s study shows that personalized awareness programs reduced employee vulnerability to phishing by 61%. The key is to tailor the training to:
- Employee roles and responsibilities
- Previous security incidents in the organization
- Specific threats to the industry
Focus on reporting and escalation
Successful awareness training should promote prompt reporting and proper escalation of suspicious activities. According to a report from Forrester, companies with strong reporting cultures report phishing attacks 37% faster, which reduces the damage. This requires:
- Clear procedures for what to report and how
- Psychological safety so employees dare to report without fear of punishment
- Quick feedback that recognizes and rewards correct behavior
How to design effective IT security training
Based on research and best practices, we recommend this approach for IT security training course design:
- Start with risk assessment: Identify the specific threats your organization faces. According to PwC’s Global Digital Trust Insights, organizations that base their training on a risk assessment are 2.5 times better at identifying and mitigating threats.
- Build training around scenarios: Use realistic situations that employees recognize from their daily work. This increases the relevance and applicability of the learning.
- Implement continuous learning: Training should be an ongoing process. Deloitte’s report shows that companies with monthly awareness initiatives experienced 70% fewer clicks on phishing links compared to those that only trained annually.
- Measure the right thing: Instead of focusing on mistakes, measure positive indicators like:
  - Reporting rate: How many suspicious emails are reported?
  - Time to report: How quickly do employees respond?
  - Improvement over time: Repeated errors per employee
  - Cross-channel coverage: Do employees report threats across all threat channels?
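As an added example (not part of the original article), a small Python script that computes these four indicators from a log of simulated-phish deliveries. The log rows, their field names and the per-channel breakdown are assumptions; the rows are constructed sample data, not real results.

```python
from collections import Counter
from datetime import datetime
from statistics import median

# Constructed sample: one row per simulated lure delivered to one employee.
# Fields are assumed: employee, channel, delivered (ISO time), clicked, reported (ISO time or None).
EVENTS = [
    {"employee": "alice", "channel": "email", "delivered": "2024-03-01T09:00", "clicked": False, "reported": "2024-03-01T09:07"},
    {"employee": "bob",   "channel": "email", "delivered": "2024-03-01T09:00", "clicked": True,  "reported": None},
    {"employee": "carol", "channel": "sms",   "delivered": "2024-03-08T10:00", "clicked": False, "reported": "2024-03-08T10:30"},
    {"employee": "bob",   "channel": "sms",   "delivered": "2024-03-08T10:00", "clicked": True,  "reported": None},
    {"employee": "dave",  "channel": "chat",  "delivered": "2024-03-15T11:00", "clicked": False, "reported": None},
    {"employee": "eve",   "channel": "chat",  "delivered": "2024-03-15T11:00", "clicked": False, "reported": None},
]

def _minutes(start, end):
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 60

def reporting_rate(events):
    """Share of delivered lures that were reported: the positive indicator to track."""
    return sum(1 for e in events if e["reported"]) / len(events)

def median_time_to_report(events):
    """Median minutes from delivery to report, over reported lures only (None if nothing was reported)."""
    times = [_minutes(e["delivered"], e["reported"]) for e in events if e["reported"]]
    return median(times) if times else None

def repeat_clickers(events):
    """Employees who clicked in more than one simulation: candidates for targeted follow-up training."""
    clicks = Counter(e["employee"] for e in events if e["clicked"])
    return sorted(emp for emp, n in clicks.items() if n > 1)

def channel_coverage(events):
    """Reporting rate per channel, so a gap such as nobody reporting chat lures becomes visible."""
    delivered, reported = Counter(), Counter()
    for e in events:
        delivered[e["channel"]] += 1
        if e["reported"]:
            reported[e["channel"]] += 1
    return {ch: reported[ch] / delivered[ch] for ch in delivered}

if __name__ == "__main__":
    print("reporting rate:", reporting_rate(EVENTS))
    print("median minutes to report:", median_time_to_report(EVENTS))
    print("repeat clickers:", repeat_clickers(EVENTS))
    print("coverage per channel:", channel_coverage(EVENTS))
```

On the sample data the chat channel shows a reporting rate of zero while email and SMS sit at 50%, which is the kind of cross-channel gap the metric is meant to surface.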
Take the next step towards better cybersecurity
Effective cybersecurity training requires a balanced approach that combines continuous learning with targeted practice. Instead of choosing between phishing tests and awareness training, build a program that integrates both elements constructively.
Remember, IT security is about people, not just technology. By investing in meaningful training that builds employee confidence and skills, you’re building the strongest line of defense against modern cyber threats.