Kantyra Kantyra

← All articles

Resolve

Does awareness training actually change behaviour?

Alain Rees · 10-07-2026 · 7 min read

Almost every organisation does it: an annual awareness training, a quarterly phishing simulation and a poster next to the coffee machine. The question rarely asked alongside it is whether behaviour actually changes. In recent years that question has finally been studied at scale, with tens of thousands of employees in real organisations, and the answer is sobering. For the standard approach, the mandatory annual training with a lesson after every wrong click, the research finds hardly any effect. For a few other things, it does. Strikingly, much of this research comes from Dutch universities.

This article belongs to the Resolve phase of the model behind Kantyra: behaviour is a control, and like every control it must not only exist but also work.

Why does everyone know what to do after the training, and someone still clicks?

The fundamental problem has a name: the gap between knowledge and behaviour. Maria Bada, Angela Sasse and Jason Nurse analysed why awareness campaigns fail and arrived at a simple diagnosis: knowing what is safe does not automatically translate into acting safely, and campaigns built mainly on fear tend to backfire. The Australian validation research around the HAIS-Q, a widely used questionnaire that measures knowledge, attitude and behaviour separately, confirms that picture: knowledge of policy correlates more strongly with attitude than with behaviour. Whoever only tests knowledge after the training is measuring the wrong thing.

Tommy van Steen of Leiden University and colleagues put their finger on the cause. They analysed seventeen government-led awareness campaigns using the toolkit of behavioural science and established that these campaigns lean almost entirely on providing information, while barely using the proven techniques for behaviour change. Most awareness, in short, is not designed to change behaviour. It is then no surprise that it does not.

What do the large field studies say?

Two recent studies, both carried out in real organisations over many months, have sharpened the debate. Researchers at ETH Zurich followed more than fourteen thousand employees of a large company for fifteen months and tested the approach almost every vendor sells: whoever clicks on a simulated phishing mail gets a lesson page on the spot. The result: those lessons did not make the clickers better, and could even make them more susceptible. A follow-up study by the same team unravelled why. What little effect such simulations have comes from the periodic reminder that phishing exists, not from the lesson content, which employees barely read for lack of time. Rewards for good behaviour did not help either.

The second study is, if anything, even more direct. Grant Ho and colleagues ran an eight-month randomised experiment among more than nineteen thousand employees of a large American healthcare organisation and found no significant relationship between having recently completed the annual awareness training and the likelihood of falling for a phishing simulation. Their conclusion leaves little room: standard anti-phishing training probably offers little protective value in practice.

There was one outspokenly positive finding in the Zurich research, and it is instructive. A report button with which employees could forward suspicious mails did work: the collective of employees turned out to be a fast and scalable detection mechanism for new phishing campaigns, with a manageable workload for the security team. Not preventing every click, but seeing the attack early turned out to be the gain. That connects seamlessly to what I wrote earlier about reporting behaviour.

What does change behaviour, then?

The Dutch research gives the answer more relief. Jan-Willem Bullee and Marianne Junger of the University of Twente conducted a meta-analysis of nineteen studies with more than twenty-three thousand participants and found large differences between interventions: some work well, others do nothing at all. The pattern: intensive interventions beat light ones, and a narrow focus beats a broad story. Earlier field research from Twente had already shown that fleeting means fail: warnings and pointing out dangers just before the moment of risk did not reduce the disclosure of personal data, and could even increase it. And a Twente experiment with anti-phishing lessons at primary schools demonstrated the shelf-life problem: recognition rose clearly right after the training, but after four weeks the effect had already disappeared. Training once a year is thereby closer to a ritual than to a control.

What does work is active and repeated. Van Steen and Deeleman showed that a serious game improved not only attitudes but also (self-reported) behaviour, where information leaflets did not. American research added a surprising factor: who delivers the message matters. Factual advice landed best coming from a security expert, while stories about incidents worked most strongly coming from colleagues, people like yourself. And the common thread through everything: repetition. Short, targeted prompts at some regularity beat the annual one-hour sit.

From annual obligation to behavioural strategy

The conclusion from twenty years of research is not that you should stop doing awareness, but that you should stop doing awareness as a standalone obligation. Van Steen recently published a usable five-step framework for this: start from the behaviour you want to change, not from the content you happen to have, choose interventions with a proven working mechanism, and measure behaviour instead of attendance. That is also how I look at it at Kantyra. In the register, awareness is a control like any other, with an owner, an effectiveness test and a test date. The question in that test is not whether everyone completed the e-learning, but whether behaviour shifts: does the number of successful phishing attempts fall, does the number of reports rise, and how quickly does the first report of a new campaign come in? Whoever works with a training partner, as we do with 2LRN4, can simply put those questions to the partner; a good partner wants to be judged on them.

What does this mean for your organisation?

If you take one thing from this article, let it be this: judge awareness by behaviour, not by attendance. Ask yourself three questions. After the training, do you measure anything other than attendance and a knowledge quiz? Is the number of reported suspicious mails rising, and how quickly is a new phishing campaign flagged by your own people? And if an awareness activity has shown no measurable behavioural effect for two years, what is the reason to renew it? The same euros can go to short, targeted and repeated interventions, to a report button with fast feedback, and to technical controls that make the click less damaging. The research is unanimous on this: better a small effect that is really there than a large programme that mainly reassures.

Accountability and sources

This article is a substantiated synthesis of existing scientific research and not independent, peer-reviewed research of its own. Where I interpret or explain, that interpretation is my own responsibility.

  1. Bullee, J.-W. & Junger, M. (2020). How effective are social engineering interventions? A meta-analysis. Information & Computer Security, 28(5). https://doi.org/10.1108/ICS-07-2019-0078
  2. Junger, M., Montoya, L. & Overink, F.J. (2017). Priming and warnings are not effective to prevent social engineering attacks. Computers in Human Behavior, 66. https://doi.org/10.1016/j.chb.2016.09.012
  3. Lastdrager, E., Carvajal Gallardo, I., Hartel, P. & Junger, M. (2017). How Effective is Anti-Phishing Training for Children? Proceedings of SOUPS 2017, USENIX. https://www.usenix.org/conference/soups2017/technical-sessions/presentation/lastdrager
  4. Van Steen, T., Norris, E., Atha, K. & Joinson, A. (2020). What (if any) behaviour change techniques do government-led cybersecurity awareness campaigns use? Journal of Cybersecurity, 6(1). https://doi.org/10.1093/cybsec/tyaa019
  5. Van Steen, T. & Deeleman, J.R.A. (2021). Successful Gamification of Cybersecurity Training. Cyberpsychology, Behavior, and Social Networking, 24(9). https://doi.org/10.1089/cyber.2020.0526
  6. Prümmer, J., Van Steen, T. & Van den Berg, B. (2024). A systematic review of current cybersecurity training methods. Computers & Security, 136. https://doi.org/10.1016/j.cose.2023.103585
  7. Van Steen, T. (2025). Developing a behavioural cybersecurity strategy: A five-step approach for organisations. Computer Standards & Interfaces, 92. https://doi.org/10.1016/j.csi.2024.103939
  8. Lain, D., Kostiainen, K. & Capkun, S. (2022). Phishing in Organizations: Findings from a Large-Scale and Long-Term Study. 2022 IEEE Symposium on Security and Privacy. https://doi.org/10.1109/SP46214.2022.9833766
  9. Ho, G. and others (2025). Understanding the Efficacy of Phishing Training in Practice. 2025 IEEE Symposium on Security and Privacy. https://doi.org/10.1109/SP61157.2025.00076
  10. Lain, D., Jost, T., Matetic, S., Kostiainen, K. & Capkun, S. (2024). Content, Nudges and Incentives: A Study on the Effectiveness and Perception of Embedded Phishing Training. Proceedings of ACM CCS 2024. https://doi.org/10.1145/3658644.3690348
  11. Bada, M., Sasse, A.M. & Nurse, J.R.C. (2019). Cyber Security Awareness Campaigns: Why do they fail to change behaviour? arXiv. https://arxiv.org/abs/1901.02672
  12. Kirlappos, I. & Sasse, M.A. (2012). Security Education against Phishing: A Modest Proposal for a Major Rethink. IEEE Security & Privacy, 10(2). https://doi.org/10.1109/MSP.2011.179
  13. Parsons, K. and others (2017). The Human Aspects of Information Security Questionnaire (HAIS-Q): Two further validation studies. Computers & Security, 66. https://doi.org/10.1016/j.cose.2017.01.004
  14. Wash, R. & Cooper, M.M. (2018). Who Provides Phishing Training? Facts, Stories, and People Like Me. Proceedings of CHI 2018. https://doi.org/10.1145/3173574.3174066
Want to see how this works in Kantyra?

In a 30-minute demo we walk through the model based on your situation.

Book a demo

More in the Resolve phase