Every year, organisations invest significantly in cyber security awareness training. Completion rates are tracked. Dashboards turn green. Compliance boxes are ticked. And then the phishing simulation goes out, and the click rates barely move.
This is the central paradox of corporate cyber training, and it is one that senior leaders can no longer afford to ignore. The question organisations should be asking is not 'Have our people been trained?' but rather: 'Did the training actually change how they behave in the moment?'
The gap between those two questions is where most security programmes silently fail. Cyber Dexterity's defining mission is to close that gap. The company does not do this by increasing training volume; it does it by providing smarter, hyper-personalised blended learning that is purpose-built to instil lasting behavioural change and foster a genuine culture of cyber resilience.
The compliance trap
Compliance-centric training was designed for a different era. Its goal was demonstrable defensibility, usually for auditors or regulators, that people had been exposed to required content. It was never designed to change behaviour under pressure.
The uncomfortable truth is that traditional security awareness, the annual e-learning module, the static slide deck, the tick-the-box quiz, fails at the most critical moment: when an employee is tired, distracted under deadline pressure, and a well-crafted phishing e-mail lands in their inbox.
Research consistently shows that only 10% of formal training content transfers into sustained on-the-job behaviour. A finding that has held remarkably stable across decades of study.
(BMC Medical, 2018; Grossman & Salas, 2011; Shukla, 2024)
The academic evidence is unambiguous. Research consistently shows that only around 10% to 20% of training content is transferred into on-the-job behaviour. The rest is lost, not because employees are careless, but because the training was never designed to survive contact with reality.
Phishing simulation data tells the same story in practice. When organisations run simulated phishing campaigns after a standard awareness programme, click rates may dip briefly, then return to baseline. The training created momentary awareness, but it did not wire new instincts. The moment of recognition, that critical pause before clicking a suspicious link, simply was not built.
This is the compliance trap: measuring success by exposure rather than by impact and mistaking the activity of training for the outcome of changed behaviour.
Blended learning: The performance evidence
The shift from compliance-centric to behaviour-centric learning is not a matter of philosophy. It is a matter of evidence. And the evidence strongly favours blended learning, but only when it is designed with intent.
A landmark quasi-experimental study by Mansoori et al (2020) conducted across 90 employees in an industrial setting, compared blended learning, pure e-learning and traditional face-to-face instruction across three matched groups. The blended cohort significantly outperformed both alternatives on measurable learning outcomes and course satisfaction. Similar findings were replicated by Ma et al (2022) in a corporate onboarding study, which demonstrated that organisations adopting blended approaches were able to reduce training duration while simultaneously improving evaluation scores.
Yet, the same body of research identifies a persistent challenge: even well-designed blended programmes achieve only moderate transfer to actual job performance. Aguado et al (2011) evaluated a blended teamwork development programme with over 100 professionals using Kirkpatrick's four-level evaluation framework, finding strong results at the knowledge and reaction levels, but only moderate translation into changed workplace behaviour.
The organisations that have moved beyond single-mode training consistently report better results. Not marginally better; significantly better, across both what people retain and how satisfied they are with the experience. When learning is delivered across multiple modalities, each reinforcing the other, the message lands differently. It has more surface area. It reaches people in different contexts, at different moments, in different states of attention.
That gap between knowing and doing is where most training investments quietly dissolve. And in cyber security, it is not an abstract concern. It is the difference between an employee who has sat through a phishing awareness module and one who actually pauses, questions and acts correctly in the moment.
Personalisation: The missing multiplier
If blended learning is the vehicle, personalisation is the engine. And it is precisely where most corporate training programmes are still running on empty.
Hyper-personalisation, in this context, is not about tailoring content to every individual in isolation. It is about designing a learning path that responds intelligently to human behaviour and intervenes with the right modality at the right moment, shifting that behaviour.
The data tells you where the problem lies. Phishing simulation results, assessment scores, engagement patterns – these are not just metrics to report upward. They are diagnostic signals that should actively be reshaping what happens next in the learning journey. When a cohort is breezing through asynchronous content but still clicking on simulated phishing links at the same rate, that is a signal. The modality is not doing the job. Something else is needed.
A real example from Cyber Dexterity's work illustrates this precisely. The company regularly encounters what the industry calls "repetitive clickers" – employees who have completed the standard awareness content multiple times and are still falling for simulated phishing attempts. The instinctive organisational response is to send them through the same module again. It does not work. What does work is removing them from the asynchronous track entirely and placing them into a live virtual masterclass. Human interaction changes everything. Being in a room, even a virtual one, with a facilitator who can challenge their thinking in real-time, with peers who are working through the same patterns, creates a fundamentally different kind of engagement. It is harder to switch off. It is harder to skim. And critically, it reveals the specific reasoning errors that make these individuals vulnerable in ways that a self-paced module never could.
This is what hyper-personalisation means in practice: the learning path bends towards what the behavioural evidence is telling you. Not everyone needs the same intervention. Not every intervention needs to be delivered the same way. And organisations that understand this stop measuring training by volume delivered and start measuring it by behaviour changed.
Wiring instinct under pressure
Understanding why people click on phishing e-mails requires going beyond awareness and into the depths of psychology. In the moment of decision, employees are not consulting a training manual. They are operating on instinct, and that instinct is shaped or misshaped by the social engineering dynamics deliberately embedded in every well-crafted phishing attempt.
Cyber Dexterity recently developed its “STOP Framework” to address this precisely. It is not a checklist. It is a conditioned cognitive pause, a habitual micro-behaviour designed to interrupt the automatic, reactive processing that social engineers exploit.
The framework is grounded in dual-process theory, the well-established psychological principle that human decision-making operates across two systems: fast, automatic, emotionally driven responses (System 1) and slower, deliberate, analytical reasoning (System 2). Phishing attacks deliberately target System 1. They manufacture urgency, authority and fear to bypass critical thinking. STOP is the mechanism by which Cyber Dexterity trains people to engage System 2 before they act.
But a framework only delivers value if it becomes instinctive. And instinct is built through repetition, contextualisation and emotional engagement, not through a single slide in an annual awareness module. This is where the design of the learning experience becomes everything.
Cyber Dexterity refers to this as “the golden thread”. How we weave the STOP Framework into each experience, story, lecture and podcast within a particular learning path.
From awareness to resilience: Measuring what matters
A Cyber Dexterity engagement does not conclude with completion certificates. It concludes with behavioural evidence. The metrics that matter are not "percentage of employees who completed the module". They are: "Has phishing click rate declined and sustained its decline?" "Are employees reporting suspicious communications at higher rates?" "Is there evidence of the STOP Framework being applied in real-world moments?" "Is the security team detecting near-misses that previously would have gone unreported?"
The work of Mikawa et al (2018) at Samsung Electronics provides a compelling organisational model for this approach: by measuring learning needs, applying qualitative data to iterate interventions across cycles and tracking impact on both individual change engagement and organisational change readiness, they demonstrated that adaptive, evidence-driven learning design can produce measurable shifts in organisational culture, not just knowledge scores.
This is the ambition behind what Cyber Dexterity does. Not awareness. Resilience. Not compliance. Culture. Not tick-box completion. Durable behavioural change that holds under pressure, survives sophisticated attacks and compounds across the organisation over time.
Conclusion
The threat landscape is not waiting for organisations to close the gap between awareness and behaviour. Threat actors are sophisticated, patient and increasingly automated. They do not need to penetrate your perimeter if they can simply persuade your people to open the door.
The organisations that will be most resilient in the years ahead are not those with the most comprehensive policy libraries or the longest annual training catalogues; they are the ones where every employee, at every level, has been trained not merely to know about threats, but to recognise them under pressure and to act correctly in the moment.
That requires a fundamentally different approach to learning, one that is hyper-personalised, behaviourally grounded, multi-modal by design and relentlessly focused on the metric that matters: impact through application.
The compliance era of cyber security training is ending. The resilience era is beginning. The question for every senior leader is whether their organisation is ready to make that transition or whether they will continue to measure success by the number of people who have sat through a module, rather than the number who would “STOP” before clicking.
Author: Antonios (Tony) Christodoulou
Founder and CEO, Cyber Dexterity | Adjunct Faculty GIBS Business School (Gordon Institute of Business Science) | PhD candidate in Cyberpsychology at Capitol Technology University, US. | Former CIO for a Global Fortune500 Company, American Tower Corporation.
References and links used:
Aguado, D., Arranz, V., Valera-Rubio, A., & Marín-Torres, S. (2011). Evaluación de un programa blended-learning para el desarrollo de la competencia trabajar en equipo. Psicothema, 23(3), 356–361.
Lockey, A., Bland, A., Stephenson, J., Bray, J., & Astin, F. (2022). Blended Learning in Health Care Education: An Overview and Overarching Meta-analysis of Systematic Reviews. Journal of Continuing Education in the Health Professions, 42(4), 256. https://doi.org/10.1097/CEH.0000000000000455
Ma, G., Yang, R., Minneyfield, A., Gu, X., Gan, Y., Li, L., Liu, S., Jiang, W., Lai, W., & Wu, Y. (2022). A practical analysis of blended training efficacy on organizational outcomes. Industrial and Commercial Training, 54(4), 637–646. https://doi.org/10.1108/ICT-12-2021-0085
Mansoori, S., Salari Koohfini, Z., & Ghasemali, M. (2020). A comparison Between the effectiveness of E-learning and blended learning in industrial training. Interdisciplinary Journal of Virtual Learning in Medical Sciences, 11(1), 46–53.
Mikawa, T., Ju, Y., Roh, D., & Samsung Electronics Co. (2018). Adaptive learning design in corporate education: Bolstering leadership readiness for organizational change [White Paper]. https://www.semanticscholar.org/paper/Adaptive-learning-design-in-corporate-education-%3A-Mikawa/cdb9943500adc5afccb1c80e1ce4af6b74587dc8
Share
