New research confirms what practitioners have long suspected: the “human firewall” strategy doesn’t work the way we hoped.
The ritual is familiar to anyone who has spent time in a corporate environment: the email announcing mandatory security awareness training, the click-through modules explaining how to spot suspicious links, the quiz at the end, and the certificate confirming completion. Periodically a simulated phishing email arrives to test whether the lessons stuck, and those who click receive a gentle warning before being cycled back through additional training. The whole process repeats annually, generating compliance documentation that auditors accept as evidence of due diligence.
What this investment actually produces in terms of protection is a question security teams have debated for years: do employees genuinely become more resistant to phishing, or do they simply learn to pass the simulations? A growing body of controlled research is now providing answers, and the findings challenge whether training delivers the behavioral change organizations assume it does.
What the research actually found
A study published at CCS 2024 by researchers at ETH Zurich tracked thousands of employees over multiple simulated phishing campaigns and reached a conclusion that challenges the industry’s core assumptions about awareness programs. The embedded training that most organizations rely on, which immediately redirects employees to educational content after they click a simulated phishing link, doesn’t meaningfully reduce vulnerability. The researchers found that employees rarely engaged with the materials: seventy-five percent spent less than a minute on the post-click content, and one-third closed the training page immediately.
What did correlate with improved performance was simply being reminded that phishing simulations were occurring. The nudge effect of knowing tests existed provided more protection than the educational content itself. The researchers concluded that phishing is fundamentally an attention problem, not a knowledge problem, a finding that aligns with research on how attackers exploit cognitive biases to bypass rational evaluation. Even employees who understood the warning signs in theory failed to apply that knowledge when distracted, busy, or emotionally engaged with a message.
A separate large-scale study at a U.S. financial technology firm reinforced these findings with even starker data. Tracking 12,511 employees, researchers compared a control group against both traditional lecture-based training and interactive phishing exercises. Neither training approach produced statistically significant improvements in click rates or reporting rates. The researchers explicitly noted that compliance requirements, rather than proven effectiveness, appear to drive adoption of these programs.
The University of South Florida’s MIS Quarterly study published in late 2025 added another dimension: the just-in-time training model may actually backfire. Catching employees at the exact moment of failure can trigger defensive reactions rather than learning, and employees who felt exposed became resistant rather than receptive. The researchers found that sharing lessons with everyone after a simulation ended, rather than only with those who failed, produced more lasting behavior change.
The AI problem training can’t solve
Whatever marginal protection training might provide is eroding as attackers adopt AI tools that eliminate the signals employees were trained to detect. The grammatical errors, awkward phrasing, and generic content that once marked phishing messages have largely disappeared, and research comparing AI-generated phishing to human-crafted attacks has found dramatic differences in effectiveness. In controlled studies conducted in 2024, AI-generated phishing emails achieved click-through rates of 54% compared to 12% for traditionally crafted messages, a gap that reflects how thoroughly AI has closed the quality differential that training programs were designed to exploit.
The scale problem compounds the quality problem. Security researchers estimate that the majority of phishing emails now incorporate AI in some form, whether for text generation, personalization, or obfuscation. Traditional spear-phishing required significant human labor to research targets and craft convincing messages, but AI collapses those economics and enables personalized attacks at mass scale. A threat actor can now generate thousands of unique, contextually relevant emails targeting specific employees across hundreds of organizations for roughly the cost of a single traditional campaign.
The ETH Zurich study documented which lure themes produced the highest click rates, and the spread was striking: emails referencing vacation policy changes achieved 30.8% click rates while generic password update requests landed at under 2%. That gap illustrates why social engineering training struggles. Attackers choose topics that bypass the rational evaluation training tries to build, and when an email appears to come from HR and references something employees genuinely care about, the trained response to scrutinize URLs and sender addresses yields to the instinctive response to act quickly.
What happens over time
Perhaps the most troubling finding concerns what happens over extended periods. The ETH Zurich team tracked employees across eight months of simulated phishing campaigns, and rather than building resilience through repeated exposure, susceptibility increased: over fifty percent had clicked at least once by the study’s end, up from just ten percent in the opening month.
This trajectory contradicts the core premise of awareness programs: that practice builds competence. Instead, the data suggests diminishing returns as employees tune out repetitive warnings and simulations. A European study tracking 1,300 employees across twenty companies found that new hires accounted for a disproportionate share of failures until they completed mandatory training, after which their performance improved. But improvement plateaued rather than continued, and emails appealing to helpfulness or cooperation maintained their effectiveness even among trained populations.
Industry benchmarks from training vendors tell a more optimistic story, with claims that sustained programs can reduce phishing susceptibility by 40% in ninety days and up to 86% within a year. But these figures typically measure performance on simulations that employees know are coming, not behavior against real attacks that arrive unexpectedly. The academic research measuring actual click rates in operational environments showed no measurable effect, or close to it.
Rethinking the defense model
None of this suggests that organizations should abandon security awareness training entirely. Employees benefit from understanding that phishing exists and that they should report suspicious messages, and the research consistently found that reporting rates improved even when click rates didn’t, providing security teams with early warning about campaigns targeting their organization.
But the findings argue for a fundamental reallocation of defensive resources. When training budgets grow while training effectiveness stays flat, something is misaligned. The gap between simulated phishing and real-world attacks will only widen as AI enables perfect grammar, brand impersonation that survives visual inspection, and personalization that references actual business relationships.
The alternative isn’t a better training program. It’s accepting that the attack surface has moved beyond what human vigilance can reliably protect. When lookalike domains are literally indistinguishable from legitimate ones, when attackers host phishing on trusted platforms that bypass reputation filtering, when OAuth phishing captures tokens after MFA succeeds, when AI-generated content contains no red flags to detect, the “human firewall” model reaches its structural limits.
The Bottom Line
What remains is infrastructure-level defense: detecting and dismantling phishing infrastructure before it reaches users, monitoring for credential exposure that indicates past compromises, and building account takeover protections that don’t depend on employees making correct split-second decisions under time pressure. Training programs can serve compliance mandates and provide baseline awareness, but the research makes clear they cannot carry the weight of phishing defense alone.
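To make the “literally indistinguishable” lookalike-domain problem concrete, and to show the kind of infrastructure-level check that does not depend on a user noticing anything, here is an added example (not code from the article or the studies it cites) that collapses visually confusable characters in a domain to an ASCII skeleton and compares it against a protected brand list. The brand list and the confusables subset are constructed for the demo; the homograph-detection approach itself mirrors the Unicode confusables technique, but a production detector would load the full Unicode table.

```python
import unicodedata

# Constructed subset of the Unicode confusables table (assumption: enough for
# the demo; a production detector would load the full Unicode table).
CONFUSABLE_CHARS = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0455": "s", "\u03bf": "o",
    "\u03b1": "a", "\u03c1": "p", "1": "l", "0": "o", "|": "l",
}
# Multi-character sequences that render like a single letter in many fonts.
CONFUSABLE_SEQS = {"rn": "m", "vv": "w", "cl": "d"}

# Constructed brand list: the domains the organisation wants to protect.
PROTECTED = {"example.com", "payroll-example.com"}


def to_unicode(domain: str) -> str:
    """Decode punycode (xn--) labels so a domain is compared by how it renders."""
    labels = []
    for label in domain.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # malformed label: keep as-is, it will not match a brand
        labels.append(label)
    return ".".join(labels)


def skeleton(domain: str) -> str:
    """Collapse visually confusable characters to a plain ASCII skeleton."""
    text = unicodedata.normalize("NFKD", to_unicode(domain))
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = "".join(CONFUSABLE_CHARS.get(ch, ch) for ch in text)
    for seq, rep in CONFUSABLE_SEQS.items():
        text = text.replace(seq, rep)
    return text


def classify(domain: str) -> str:
    """'legitimate' on exact match, 'lookalike' on skeleton collision, else 'unrelated'."""
    d = to_unicode(domain)
    if d in PROTECTED:
        return "legitimate"
    if skeleton(d) in {skeleton(p) for p in PROTECTED}:
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    for candidate in ("example.com", "\u0435xample.com", "exarnple.com", "examp1e.com"):
        print(candidate, "->", classify(candidate))
```

Because the check runs on the registered name (or on punycode seen in certificate transparency logs, DNS telemetry, or mail headers), it flags the domain before any employee has to judge how it looks.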