Why annual training is security theatre

Every November, it arrives. The email. The reminder. The twelve-month countdown has expired, and it’s time once again to complete your mandatory security awareness training.

You click through the slides. You know the content. You’ve seen these exact phishing examples before. You answer the quiz correctly because you remember the answer from last year, not because you’ve gained new insight. You get your certificate. You close the tab. Nothing has changed.

This is security theatre. It looks like risk management. It produces metrics. It satisfies audit requirements. But it doesn’t make anyone safer.

How this shows up operationally

The pattern is consistent across organisations. Training campaigns launch in Q4 to hit year-end compliance targets. Completion rates climb through November and December. By January, leadership sees 96% completion and considers the risk addressed.

Three months later, someone clicks a phishing link. The incident investigation reveals they completed the training. They passed the quiz. They have the certificate. Administratively, the training did not fail. Practically, it did.

What organisations report as success is completion. What they need is retention, recognition, and execution under realistic conditions. These are different outcomes, and the annual model delivers only the first.

The annual cadence problem

Human memory doesn’t work on an annual schedule. Without reinforcement, most people forget the majority of newly learned material within days or weeks, and certainly within months.

If you train someone in January and expect them to remember critical details in November, you’re not managing risk. You’re hoping.

The annual training model persists not because it’s effective, but because it’s administratively convenient. One campaign, one deadline, one completion report. It fits neatly into a project plan. It produces a number that can go into a board paper.

But convenience to the training team is not the same as effectiveness for the organisation. Awareness doesn’t reduce risk. Behaviour does. And behavioural change requires repetition and reinforcement, not annual reminders of things people already knew.

What organisations mistake for success

High completion rates are treated as evidence of effective training. They’re not. They’re evidence of effective project management. The training team successfully got people to click through the content. That says nothing about whether the content changed anything.

This creates perverse incentives. If completion is the measure of success, training gets shorter, simpler, more generic—anything to drive the completion rate higher. The easier it is to complete, the less likely it is to produce lasting capability.

You end up optimising for the metric instead of the outcome. 98% completion looks impressive. It doesn’t mean 98% of people can recognise a realistic phishing attempt under time pressure.

Training becomes performative

When training happens on a fixed annual schedule, it stops being about learning and starts being about compliance. People complete it because they have to, not because they expect to gain anything from it.

This creates a feedback loop. Training is seen as a checkbox exercise, so people treat it like one. They click through as quickly as possible. They don’t engage. They don’t retain. The organisation can report high compliance. Security incidents continue to happen for exactly the same reasons they happened before the training existed.

The alternative isn’t just more frequent training

The problem isn’t solely frequency. More frequent bad training is still bad training. If the content is irrelevant, generic, or disconnected from how people actually work, doing it quarterly instead of annually doesn’t fix it.

What matters is whether the training produces competence. Whether it changes behaviour. Whether it gives people the capability to make better decisions in realistic scenarios.

This requires context. It requires scenarios that match actual work. It requires reinforcement at the moments when the learning is relevant. It requires evidence that understanding has occurred, not just that a module was completed.

This is harder to administer. It’s harder to report. It doesn’t produce a single completion percentage that can go into a dashboard. But it actually works.

The question is whether you’re optimising for administrative convenience or for actual risk reduction.

The real cost of security theatre

Security theatre isn’t harmless. It has a cost.

It wastes people’s time. It creates cynicism about security programmes generally. It gives a false sense of assurance to leadership who see high completion rates and assume the risk is managed.

Worse, it creates a record that can be used against the organisation. If an incident occurs and you can show that 98% of staff completed their annual training, that doesn’t prove you managed risk. It proves you knew there was a risk and chose a response that prioritised optics over effectiveness.

Annual training persists because it’s familiar, because it’s easy to manage, and because auditors accept it. Not because it works.

If you’re serious about reducing people risk, the first step is admitting that the annual training model is broken. The second step is building something better.

Not more training. Better training. Training that produces competence, not certificates. Training that changes behaviour, not just completion statistics.

The problem isn’t frequency. It’s relevance and reinforcement. Annual training fails on both.
