Security awareness training is widely deployed — and widely ineffective. Annual compliance-driven training that checks a box does not change behaviour. Repeated low-quality phishing simulations create fatigue without improving detection. The evidence for most traditional awareness training approaches is weak.
What Does Not Work
Annual one-hour online modules with multiple-choice quizzes. Phishing simulations designed to catch and embarrass staff rather than educate. Generic content not relevant to the actual threats facing the organisation. Training that treats security as an IT problem rather than an organisational responsibility.
What Does Work
Short, Frequent, Relevant Content
Frequent short interventions — five minutes monthly rather than an hour annually — produce better retention and behaviour change. Content should reference the specific threats facing the organisation: the type of phishing emails your sector receives, the BEC patterns targeting Australian businesses, the specific data your team handles.
Simulated Phishing With Immediate Feedback
Phishing simulations are more effective when they provide immediate, non-punitive feedback at the moment of the click: a page that explains which signals the simulated email contained (a sender address that does not match the display name, a Reply-To pointing elsewhere, pressure language, a link whose real destination differs from its text), what the correct response was, and where to report suspicious messages. Simulations that only track click rates without teaching miss the point; the more useful metrics are the proportion of staff who report the message and how quickly they do so, because a fast report is what lets the security team contain a real campaign.
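The kind of click-time feedback described above, as an added example that is not code from the original page: it parses a raw message, enumerates the signals a trainee should have noticed, and renders them as a teaching page. The sample messages, the acme.example domain, the report address and the word list are constructed assumptions; a real simulation platform would feed in the template it sent.

```python
"""Immediate, non-punitive feedback for a simulated phishing email.

Added example; not code from the original page. The sample messages,
domains, report address and signal list below are constructed assumptions.
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_DOMAIN = "acme.example"                 # assumed internal mail domain
REPORT_ADDRESS = "phishing@acme.example"    # assumed reporting mailbox
URGENCY_WORDS = ("urgent", "immediately", "suspended", "today")

# Constructed simulated phish: external sender behind an internal-looking
# display name, foreign Reply-To, pressure language, and a link whose host
# merely begins with the real domain.
SAMPLE_PHISH = """\
From: "Acme Finance Team" <accounts@acme-finance-support.com>
Reply-To: ceo.urgent@mail-verify.net
To: staff@acme.example
Subject: URGENT: invoice payment required today
Content-Type: text/html; charset=utf-8

<p>Please <a href="http://acme.example.secure-login.net/pay">log in to the
portal</a> immediately to release the payment before the account is suspended.</p>
"""

# Constructed legitimate message for comparison: no signals expected.
SAMPLE_LEGIT = """\
From: "IT Service Desk" <servicedesk@acme.example>
To: staff@acme.example
Subject: Monthly maintenance window
Content-Type: text/html; charset=utf-8

<p>See <a href="https://intranet.acme.example/maintenance">the intranet page</a>
for the schedule.</p>
"""


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs so link text can be compared to target."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None


def _domain(addr):
    return addr.rpartition("@")[2].lower()


def _is_internal(host):
    return host == ORG_DOMAIN or host.endswith("." + ORG_DOMAIN)


def find_signals(raw):
    """Return human-readable phishing signals found in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    signals = []

    name, sender = parseaddr(msg.get("From", ""))
    if sender and not _is_internal(_domain(sender)):
        signals.append(f"Sender {sender} is outside {ORG_DOMAIN}; the display "
                       f"name '{name}' is chosen by the sender and proves nothing.")

    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != _domain(sender):
        signals.append(f"Reply-To {reply_to} differs from the From address, "
                       "so your reply would go somewhere else.")

    subject = msg.get("Subject", "").lower()
    urgent = [w for w in URGENCY_WORDS if w in subject]
    if urgent:
        signals.append(f"Subject uses pressure words ({', '.join(urgent)}) "
                       "to rush you past your usual checks.")

    # Non-multipart body; decode=True handles any transfer encoding.
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8", "replace")
    parser = LinkExtractor()
    parser.feed(body)
    for text, href in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if not _is_internal(host):
            why = ("starts with our domain name but is not it"
                   if host.startswith(ORG_DOMAIN + ".") else "is not our domain")
            signals.append(f"Link '{text}' really goes to {host}, which {why}.")
    return signals


def feedback(raw):
    """The teaching page shown immediately after a click, as plain text."""
    lines = ["This was a simulated phishing email. Signals it contained:"]
    lines += [f"  - {s}" for s in find_signals(raw)]
    lines += ["Correct response: do not click or reply; confirm any payment "
              "request by phone on a number you already hold.",
              f"Report suspicious messages to {REPORT_ADDRESS}."]
    return "\n".join(lines)


if __name__ == "__main__":
    print(feedback(SAMPLE_PHISH))
```

The point of enumerating signals rather than just recording the click is that the trainee leaves with a checklist they can apply to the next real message; the same function run over the legitimate sample returns nothing, which is worth showing staff so the training does not teach them to distrust every email.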
Executive Sponsorship
Security awareness works better when leadership visibly participates. Executives who click links in phishing simulations and acknowledge it publicly create permission for staff to admit mistakes and ask questions. Security culture flows from the top.
Technical Controls Reduce the Stakes of Human Error
The most important role of technical security controls is reducing the consequence of human error. Email filtering, time-of-click link scanning, MFA, and conditional access limit what an attacker can achieve even after a successful phishing attempt. Choose controls that hold up when the user has already been fooled: phishing-resistant MFA such as FIDO2 security keys or passkeys cannot be relayed by a credential-harvesting page, whereas one-time codes and push approvals can be proxied in real time. Training and technical controls work together; neither alone is sufficient.