The Attention Problem
Why phishing simulations alone do not make employees better at recognizing phishing, and which approach is actually supported by research.
In brief
- A falling click rate does not mean employees have become better at recognising phishing. Click behaviour is determined more by the difficulty of the phishing email than by the training received, and sending ever harder simulations mainly measures how convincing your own phishing email was.
- Training mainly increases employees' knowledge and attitude. Whether that also translates into behaviour depends on the design: passive awareness campaigns change little, whereas active, repeated and personalised training does influence behaviour. With phishing, there is the added factor that it is more of an attention problem than a knowledge problem.
- The science points to a layered approach: make the attack technically impossible with phishing-resistant authentication, use employees as a collective reporting sensor, design any training for behaviour, and limit the damage in case something does go wrong.
Phishing is a persistent problem, and the most common response to it is the phishing simulation: a fake message that tests whether employees fall for it. In practice this gives rise to a pattern in which organisations that only simulate want to send ever harder messages. The success of such a programme is then measured mainly by how convincing your own phishing email was.
The question of whether employees actually learn to recognise phishing better as a result remains unanswered. This report sets out what the scientific research shows about this, and which approach follows from it.
About this study
- Type: Literature review based on peer-reviewed research and authoritative standards.
- Sources: Four large-scale field studies, a meta-analysis of 69 studies, and guidelines from NIST and CISA.
- As of: June 2026.
01 · Finding: The click rate does not measure what it appears to measure
A falling click rate is quickly interpreted as proof that employees have improved. A large-scale reproduction study shows, however, that it is mainly the difficulty level of the phishing email that determines click behaviour (Rozema and Davis, 2025). Measured with the NIST Phish Scale, the click rate rose from about 7 percent for the easy messages to about 15 percent for the difficult ones. A harder simulation that catches more people therefore primarily shows that the message was harder, not that the employees have got worse.
On top of this, in the largest study to date the share of employees who fell for the messages actually increased over time rather than decreasing. This was a study in which participants were assigned at random, a so-called randomised controlled trial, among more than 19,500 employees of UC San Diego Health (Ho et al., 2025). Repeated simulations can teach employees to recognise the test emails, without their also recognising real, new phishing any better. This is precisely where the core of the problem lies: recognising a test email is something other than recognising real phishing.
Figure 1 (The difficulty of the phishing email determines click behaviour; click rate by difficulty level.) The click rate more than doubles when the phishing email is harder, regardless of the training received. Source: Rozema and Davis (2025), measured with the NIST Phish Scale.
02 · Finding: From knowledge to behaviour: the design is decisive
Training demonstrably increases employees' knowledge and attitude. This emerges strongly from the meta-analysis of 69 studies by Leiden University (Prümmer, van Steen and van den Berg, 2024): the effect on knowledge and attitude is large. On actual behaviour, however, the average effect is small. That difference is no coincidence, but a well-known finding from behavioural science: knowledge is a precondition for safe behaviour, but not enough on its own. The Behaviour Change Wheel shows that besides knowledge, motivation and the opportunity to do the right thing are also needed (Michie, van Stralen and West, 2011).
The average also conceals large differences, and these lie above all in the design of the training. Awareness campaigns that merely disseminate information change little (Bada, Sasse and Nurse, 2015). Training that is active, repeated and personalised, by contrast, does affect behaviour. In a controlled experiment, a game format improved not only attitude and intention but also reported behaviour, compared with a game without security content (van Steen and Deeleman, 2021). The conclusion is therefore not that training does not work, but that the form determines whether knowledge is also translated into behaviour.
Figure 2 (Knowledge is a precondition, not a guarantee; the COM-B model from the Behaviour Change Wheel.) Safe behaviour only arises when knowledge and skill (capability), motivation (the will), and the opportunity to do the right thing come together. Knowledge alone is not enough. After Michie, van Stralen and West (2011).
Figure 3 (Strong effect on knowledge, small average effect on behaviour; effect size (Cohen's d) with confidence interval.) The effect on knowledge and attitude is large (d = 1.02). On actual behaviour the average effect is small (d = 0.36), but that average is strongly determined by the design of the training. Source: Prümmer, van Steen and van den Berg (2024).
03 · Explanation: Phishing is an attention problem, not a knowledge problem
The explanation for why more knowledge does not always help comes from two studies by a research group at ETH Zürich. In their largest experiment, which lasted fifteen months and involved nearly 15,000 employees, it turned out that the embedded training did not make employees more resilient and in some cases even had a counterproductive effect. By embedded training we mean the short explanation someone is shown after clicking on a test email (Lain, Kostiainen and Čapkun, 2022). In the follow-up study, which was awarded a prize at the ACM conference on computer and communications security, the authors investigated where that small effect came from (Lain et al., 2024). The conclusion was sobering: the effect came from the periodic reminder of the threat, and not from the content of that short explanation, which most employees barely read.
Phishing is more of an attention problem than a knowledge problem, even among the most susceptible employees.
Finding by Lain and colleagues (2024), ETH Zürich
This insight changes the whole approach. If the problem is not that employees know too little, but that at the wrong moment they briefly fail to pay attention, then there is little point in teaching them even more. Someone who is distracted at such a moment will not recognise even a good phishing email, however many modules they have completed. The solution therefore lies less with the alertness of the individual employee, and more with the technical environment and the working practices around it. By this we mean systems that catch a mistake before it causes damage, and processes that let a suspicious message be reported quickly and rendered harmless.
04 · Approach: A different approach: layered and evidence-based
When the vigilance and knowledge of the employee are not the decisive factors, the research points to a layered approach. The idea behind it is to make the attack fail before a mistake can cause damage, and to treat human alertness as the thinnest and last layer rather than as the first line of defence.
Figure 4 (A layered, evidence-based approach; from technical measures to individual vigilance.) A conceptual representation. The measures with the greatest effect are technical in nature. Individual vigilance is the thinnest layer, the one you should rely on last and burden least.
- Make the attack technically impossible. Phishing-resistant authentication, such as FIDO2 or WebAuthn and keys based on PKI, binds the login to the real domain. A fake site therefore receives no valid response, regardless of who clicks on it. NIST places this form at the highest assurance level and CISA calls it the standard (NIST SP 800-63B; CISA, 2022).
- Let fewer phishing emails arrive and warn about the rest. Measures against sender spoofing (DMARC, DKIM and SPF), filtering and warnings on suspicious email relieve the burden on the employee's attention. The ETH study showed that such warnings work well (Lain et al., 2022).
- Use employees as a collective sensor. A reporting button turns employees together into a detection layer that quickly makes new campaigns visible (Lain et al., 2022). Phishing simulations are ideally suited to practising that reporting reflex, provided you steer on the reporting rate and on the time between seeing and reporting, and not on the click rate.
- Design the training for behaviour rather than for knowledge. Short, repeated and context-tailored reminders work better than long courses, and interactive and playful forms have a greater effect on behaviour (Prümmer, van Steen and van den Berg, 2024). Effective training is, moreover, continuous and tailored to the employee, rather than one-off and generic (Jampen et al., 2020).
- Limit the damage if something does go wrong. Assume that some clicks will succeed, and ensure with least privilege, segmentation, monitoring and a rapid response that one mistake does not grow into a full breach.
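To make concrete what "binds the login to the real domain" means in the first layer, here is an added example (not from the original report or from any cited standard) of the checks a relying party performs on a WebAuthn assertion: the browser writes the origin the user actually visited into clientDataJSON, and the authenticator puts the SHA-256 of the RP ID into authenticatorData, so a response produced on a lookalike domain fails both checks. The names RP_ID and ALLOWED_ORIGIN and the sample assertions are constructed assumptions, and signature verification is left out to keep the focus on the domain binding.

```python
import base64
import hashlib
import json

# Hypothetical relying party settings (assumptions for this example).
RP_ID = "bank.example"
ALLOWED_ORIGIN = "https://bank.example"

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def verify_assertion_binding(client_data_b64, auth_data_b64, expected_challenge):
    """Check the origin and RP-ID binding of a WebAuthn assertion.
    Signature verification is omitted to keep the focus on the domain binding."""
    client_data = json.loads(b64url_decode(client_data_b64))
    if client_data.get("type") != "webauthn.get":
        return False
    if client_data.get("origin") != ALLOWED_ORIGIN:
        return False   # the browser recorded a different origin: a lookalike site
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False   # stale or foreign challenge
    auth_data = b64url_decode(auth_data_b64)
    if len(auth_data) < 37:
        return False
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False   # credential was scoped to another RP ID
    flags = auth_data[32]
    return bool(flags & 0x01)  # UP flag: user presence was confirmed

def make_assertion(origin, rp_id, challenge):
    """Constructed stand-in for what browser and authenticator would produce (no signature)."""
    client_data = {"type": "webauthn.get", "challenge": b64url_encode(challenge), "origin": origin}
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([0x01]) + (0).to_bytes(4, "big")
    return b64url_encode(json.dumps(client_data).encode()), b64url_encode(auth_data)

CHALLENGE = b"constructed-32-byte-challenge!!!"  # issued by the server per login attempt

if __name__ == "__main__":
    good = make_assertion("https://bank.example", "bank.example", CHALLENGE)
    print(verify_assertion_binding(*good, CHALLENGE))   # True
    # A page on a lookalike domain can only obtain an assertion scoped to its own domain,
    # and the browser records that domain as the origin, so both checks fail.
    bad = make_assertion("https://bank-example.com", "bank-example.com", CHALLENGE)
    print(verify_assertion_binding(*bad, CHALLENGE))    # False
```

In practice the browser already refuses to use a bank.example credential from another domain, so the server-side check mainly guards against a relayed or malformed response.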
Finally, a point about measurement. The researchers behind the largest experiment argue for measuring, as in medical research, with random assignment which measure removes the most risk, instead of steering on click figures or on the difficulty of your own phishing email (Ho et al., 2025). The question is therefore not how convincing you can make a fake message, but how much real resilience a measure delivers per euro invested.
And the phishing simulation itself?
Phishing simulations are not pointless. The criticism in this report applies to one way of using them: the recurring test that is only meant to catch employees out, that is judged on the click rate and made ever harder. Used differently, they are genuinely valuable. They are ideally suited to practising the reporting reflex, that is, the behaviour in which someone immediately reports a suspicious message and thereby contributes to the collective sensor. In addition, they work as a periodic reminder that brings the threat back to attention for a moment, and as a sober baseline measurement to see where the organisation stands. The conditions for this are clear: steer on the reporting rate and on the time between seeing and reporting rather than on the click rate, do not punish anyone, do not ramp up the difficulty level as an arms race, and keep the messages realistic and fair.
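To illustrate steering on the reporting rate and the time between seeing and reporting rather than on the click rate, here is an added example (not from the original report) that computes those metrics from a constructed set of simulation outcomes, stratified by difficulty so that a harder message is not read as worse employees. The event fields, the difficulty buckets and the sample values are assumptions for this illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional

@dataclass
class SimEvent:
    """One recipient's outcome in a simulated phishing round (constructed data)."""
    user: str
    difficulty: str                # NIST Phish Scale style bucket: "easy" or "hard"
    seen_at: Optional[datetime]    # first opened the message, None if never opened
    clicked_at: Optional[datetime]
    reported_at: Optional[datetime]

def campaign_metrics(events):
    """Click rate, report rate and median minutes from first seeing to reporting.
    A report counts even if the user also clicked: the reporting reflex is what we steer on."""
    n = len(events)
    clicks = sum(1 for e in events if e.clicked_at is not None)
    reports = [e for e in events if e.reported_at is not None]
    delays = [(e.reported_at - e.seen_at).total_seconds() / 60
              for e in reports if e.seen_at is not None]
    return {
        "click_rate": clicks / n if n else 0.0,
        "report_rate": len(reports) / n if n else 0.0,
        "median_minutes_to_report": median(delays) if delays else None,
    }

def metrics_by_difficulty(events):
    """Stratify by difficulty so a harder round is not mistaken for worse employees."""
    return {d: campaign_metrics([e for e in events if e.difficulty == d])
            for d in sorted({e.difficulty for e in events})}

T0 = datetime(2026, 6, 1, 9, 0)
def t(minutes):  # helper for constructing timestamps relative to T0
    return T0 + timedelta(minutes=minutes)

# Constructed sample round: same reporting behaviour, different click behaviour per difficulty.
SAMPLE = [
    SimEvent("u1", "easy", t(0),  None,  t(5)),
    SimEvent("u2", "easy", t(10), t(11), t(20)),   # clicked, then reported anyway
    SimEvent("u3", "easy", t(30), None,  None),
    SimEvent("u4", "easy", None,  None,  None),    # never opened
    SimEvent("u5", "hard", t(60), t(62), None),
    SimEvent("u6", "hard", t(65), t(66), t(90)),
    SimEvent("u7", "hard", t(70), None,  t(72)),
    SimEvent("u8", "hard", t(80), t(81), None),
]

if __name__ == "__main__":
    for d, m in metrics_by_difficulty(SAMPLE).items():
        print(d, m)   # click rate 0.25 vs 0.75, report rate 0.5 for both
```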
05 · Conclusion: Not more and harder, but different
Phishing simulations do not, in themselves, demonstrably make employees better at recognising phishing, and ramping up the difficulty level shifts attention to the wrong metric. The scientific research does not point to more or harder simulations, but to a layered approach. That approach makes the attack fail technically, detects it quickly through reporting, and supports behaviour with well-designed, repeated and active training instead of passive knowledge transfer. Training and simulations retain a clear role within this, as long as they are aimed at behaviour and do not grow into an arms race with your own employees.
Limitations
- This report is a literature review that summarises existing scientific research, and contains no new original research.
- The cited studies were carried out in specific organisations and contexts, so the effects may differ from one environment to another.
- Behaviour is difficult to measure, and not every study uses the same outcome measure, which makes a direct comparison harder.
Sources
- Bada, M., Sasse, A. M., and Nurse, J. R. C. (2015). Cyber Security Awareness Campaigns: Why do they fail to change behaviour? International Conference on Cyber Security for Sustainable Society. arxiv.org/abs/1901.02672
- Cybersecurity and Infrastructure Security Agency (CISA) (2022, revised 2024). Implementing Phishing-Resistant MFA. cisa.gov/MFA
- Ho, G., Mirian, A., Dameff, C., et al. (2025). Understanding the Efficacy of Phishing Training in Practice. IEEE Symposium on Security and Privacy 2025. people.cs.uchicago.edu
- Jampen, D., Gür, G., Sutter, T., and Tellenbach, B. (2020). Don't click: towards an effective anti-phishing training. A comparative literature review. Human-centric Computing and Information Sciences, 10:33. doi.org/10.1186/s13673-020-00237-7
- Lain, D., Kostiainen, K., and Čapkun, S. (2022). Phishing in Organizations: Findings from a Large-Scale and Long-Term Study. IEEE Symposium on Security and Privacy, 842 to 859. arxiv.org/abs/2112.07498
- Lain, D., Jost, T., Matetic, S., Kostiainen, K., and Čapkun, S. (2024). Content, Nudges, and Incentives: A Study on the Effectiveness and Perception of Embedded Phishing Training. ACM CCS 2024. doi.org/10.1145/3658644.3690348
- Michie, S., van Stralen, M. M., and West, R. (2011). The behaviour change wheel: a new method for characterising and designing behaviour change interventions. Implementation Science, 6:42. doi.org/10.1186/1748-5908-6-42
- National Institute of Standards and Technology (NIST). Digital Identity Guidelines, SP 800-63B and SP 800-63-4. csrc.nist.gov/projects/digital-identity-guidelines
- Prümmer, J., van Steen, T., and van den Berg, B. (2024). Assessing the effect of cybersecurity training on end-users: A meta-analysis. Computers & Security, 150, 104206. doi.org/10.1016/j.cose.2024.104206
- Prümmer, J., van Steen, T., and van den Berg, B. (2024). A systematic review of current cybersecurity training methods. Computers & Security, 136, 103585. doi.org/10.1016/j.cose.2023.103585
- Rozema, A. T., and Davis, J. C. (2025). Anti-Phishing Training (Still) Does Not Work: A Large-Scale Reproduction of Phishing Training Inefficacy Grounded in the NIST Phish Scale. arxiv.org/abs/2506.19899
- van Steen, T., and Deeleman, J. R. A. (2021). Successful gamification of cybersecurity training. Cyberpsychology, Behavior, and Social Networking, 24(9). doi.org/10.1089/cyber.2020.0526