Forgetting Curve
28 October 2022 / Facts

Traditional cybersecurity training leaves the door open for hackers

Cybersecurity training is only effective if employees can remember it. Unfortunately, this is rarely, if ever, the case. Even 150 years later, 19th-century psychologist Hermann Ebbinghaus can still explain why your employees will let hackers in if they are not structurally trained.


In many organisations, cybersecurity training, or Security Awareness Training, gets occasional attention. They host a webinar, provide an onboarding program with some useful tips & tricks, or they host a quarterly generalised phishing simulation. It’s a start, but far from enough.

The Forgetting Curve

In the late 19th century, psychologist Hermann Ebbinghaus studied how people forget - and how we remember - and found that our brain leaks information according to a predictable pattern. On the one hand, this is thought to be due to the fact that we attach more importance to information we are repeatedly exposed to. On the other hand, we are more likely to push information aside if we don't find it that interesting. Unfortunately, for many employees, security awareness falls into that uninteresting category – though it could (and should) be different!

An important lesson security awareness experts can draw from Ebbinghaus' work is that repetition is crucial to an impactful training strategy. Traditional security awareness methods do not suffice because they train in an inconsistent manner, causing all the knowledge gained to be quickly forgotten. This can cost companies a lot of money, because these methods give a false sense of security, leaving the organisation vulnerable. Consider this: in 2021 alone, $6.9 billion was stolen worldwide through cybercrime (Source: FBI, Internet Crime Report, 2021).

So what does work? 3 simple steps

1. Periodicity and variety

In security awareness training, "spaced learning" is your best friend. This is the concept that you only become proficient at something by rehearsing it frequently, preferably in diverse ways. For example, exclusively bombarding your users with articles pointing out the dangers of their digital lives does not do much good.

On the other hand, it doesn't make sense either to bury your employees in generic phishing simulations without a decent follow-up. Hoping they will be able to distil the importance of their contribution to their organisation's cybersecurity strategy on their own is wishful thinking. You need an integrated approach to instil a sense of urgency that has the desired practical effect.

Every organisation's strategy must consist of both a theoretical component explaining concepts and a practical component that transforms the acquired knowledge into practical experience. It is only by actively linking theory to real-life examples that people learn to deal with digital dangers. Finally, to make it completely effective, you need regular refresher training: the periodicity should not exceed two weeks. For example, Phished makes a bi-weekly training session available to employees, paired with automatic, personalized phishing simulations that put the knowledge into practice.

2. Relevant content

It seems obvious, but in practice, it's one of the most common complaints from employees who have to take cybersecurity training: they don't find it relevant to their situation. The more abstract the content, the more it becomes a distant concept. Training with examples from your employees' world helps them understand that everyone is a potential target for hackers.

It is important to take your employees by the hand and explain to them - or even show them - what is at stake for them. Everything starts with the individual; it’s only when they understand what is at stake that it will become clear to them what impact one person's mistake can have on an entire organisation. You don't have to take this “by-the-hand” approach literally; it can be completely automated. For example, Phished adapts the content of training and simulations per individual recipient. This way, they receive relevant and realistic training that considers their level, experience, and position.

3. Interaction activates

Provide sufficient interaction. Put your employees in control and make sure they can make a substantial impact on the organisation. In many companies, for example, people already work with buttons that can flag phishing simulations, but what do they gain from that, besides another star on their record?

Real interaction means giving them the power to stop real phishing before it’s too late. You can do that with a simple button in their inbox, but one that does more than handing out stars. For example, the Phished button immediately quarantines suspicious e-mails so that other employees don't see them appear in their mailboxes. This reporting tool combines perfectly with the practical and theoretical elements they get from other aspects of their security awareness training.

Integrated ecosystem

Above all, it is important to realise that each aspect of a cybersecurity training program is as important as the next one. There is no point in cherry-picking and implementing only what appeals to the IT manager, or what you think employees need.

They must be trained in an all-encompassing way, with attention to every aspect. In this, phishing simulations, training, activation, and data analysis play equal roles. To invest in only one aspect is to lose out on the others.

A holistic view on cyber awareness training

Want to know more? Request a demo and discover how Phished educates your employees in a holistic way. By combining AI-driven, personalized phishing and smishing simulations with snackable microlearnings, active reporting and threat intelligence into an automated whole, Phished guarantees permanent behavioural change. This is how you build a working Human Firewall quickly and efficiently, making the organisation much more secure.