
Cybersecurity training vs phishing simulation: what's the difference, and what actually works?

E-learning, in-person workshops, phishing simulation: an objective comparison of security awareness methods with effectiveness data and ROI for SMBs.

Thomas Ferreira, 43 min read

Your company invests in cybersecurity training. Your employees have completed the e-learning modules, answered the quizzes, earned their certificates. Yet during the last phishing attempt - a real one, this time - three people clicked, one entered their credentials, and you spent the weekend resetting passwords across the entire company.

This scenario is not an exaggeration. 68% of employees knowingly take risks (Proofpoint State of the Phish 2024): they know it's dangerous, and they do it anyway. 96% of those who took a risky action were fully aware it was risky. The most cited reason: convenience (44%), followed by saving time (39%).

The problem is not ignorance. It is the gap between what people know and what they do. And that gap is something traditional training alone does not close.

This article compares cybersecurity awareness methods - e-learning, in-person workshops, phishing simulation, micro-learning - drawing on the most recent effectiveness data: KnowBe4 (14.5 million users tested), academic studies from the IEEE Symposium on Security and Privacy, the CESIN (French cybersecurity executives association) 2025/2026 barometer, and work by the SANS Institute. The goal: to give you the factual evidence to choose the right approach for your context and budget.

Clarifying terms: what are we actually talking about?

Before comparing methods, we need to agree on definitions. The phishing awareness market uses terms that cover very different realities, and confusion between these methods is the number one source of poor decisions among SMBs.

E-learning (declarative training)

Online modules that employees complete at their own pace: typically once or twice a year, lasting 20 to 45 minutes. The content covers the basics: what is phishing, how to spot a suspicious email, password best practices, workstation security. A quiz at the end validates completion. The company checks a compliance box.

This is the most widespread method. It is also the one whose impact on actual behavior is most challenged by academic research.

In-person workshops

Training sessions conducted on-site or via video conference, led by an instructor (internal or external). Typical duration: 1 to 2 hours. The format allows interaction, questions, and live demonstrations (phishing demos, simulated social engineering). More engaging than e-learning, but also more expensive in terms of time and logistics - difficult to sustain over time for an SMB.

Phishing simulation

The company sends fake phishing emails to its own employees, without warning them. The emails replicate real attacker techniques: brand impersonation, urgency, credible pretexts, links to credential-harvesting pages. Each employee is tested individually. Those who click receive an immediate remediation page. Results are measured: click rate, reporting rate, reaction time.

Phishing simulation does not transmit theoretical knowledge. It creates an emotional experience - the surprise of getting caught - that anchors the vigilance reflex in memory far more deeply than a lecture. For a complete guide on setting up a simulation program, see our guide to corporate phishing simulation.

Micro-learning

Training capsules of 1 to 5 minutes, delivered at high frequency: ideally every week, via Slack, Teams, email, or a dedicated app. Each capsule covers a single concept: how to verify an email sender, how to spot a suspicious URL, what to do when in doubt. The short format fits into the workday without disrupting productivity.

Gamification

Integrating game mechanics (points, leaderboards, badges, interactive scenarios) into the awareness program. Gamification is not a method in itself - it is an engagement driver that can be applied to any method: gamified e-learning, gamified simulations, gamified micro-learning.

The combined approach (SBCP)

In 2024, Gartner formalized the concept of the Security Behavior and Culture Program (SBCP): a program that combines training, simulation, micro-learning, and real-time interventions within a continuous framework. Only 13% of organizations have a fully operational SBCP (Gartner 2025). This is where the market is heading.

Traditional training: what it does well, and what it doesn't

The real strengths of e-learning

Documented compliance. NIS2 (Article 21), ISO 27001 (Annex A.7.2.2), and SOC 2 require proof of staff awareness. An e-learning program with completion tracking, quiz scores, and certificates provides exactly that proof. Without a training tool, you cannot document your compliance during an audit. For a deeper look at employee training best practices, see our cybersecurity training guide for SMBs.

A baseline of foundational knowledge. Not everyone starts with the same level of understanding of cyber risks. For new hires or non-technical employees, a structured e-learning module lays the groundwork: vocabulary, types of attacks, internal procedures, incident contacts. It is a prerequisite - not an end goal.

Individual traceability. E-learning platforms produce named training logs: who completed what, when, with what score. In case of an incident, this traceability can mitigate the company's legal liability - an argument that DPOs and legal teams understand.

Where e-learning falls short

The knowledge-behavior gap. The most important study on this topic in 2025 is by Ho et al. (IEEE Symposium on Security and Privacy, 2025). The researchers conducted a randomized controlled trial with 19,500 employees at a large American hospital, involving 10 simulated phishing campaigns over 8 months. Result: the groups that received embedded training (training delivered after each click) showed only a 1.7% reduction in click rate compared to the control group that received no training at all.

Worse: 75% of users spent less than one minute on the training content, and one-third closed the page immediately without interacting. The training was delivered. It was not absorbed.

Confirmation from another large-scale study. Lain et al. (IEEE Symposium on Security and Privacy, 2022) tracked 14,000 employees over 15 months with 8 phishing simulations per person. Their conclusion: embedded training "does not make employees more resilient to phishing and may have unexpected side effects that make them more susceptible." In some cases, voluntary training actually increased phishing susceptibility.

The Leiden meta-analysis. An analysis of 69 studies published by Leiden University in 2024 summarizes the current academic consensus: "Although training significantly increases predictors of end-user behavior, such as attitudes or knowledge, behavioral changes can only be observed minimally."

In plain terms: traditional training improves what people know. It does not change what they do. For a full analysis of this phenomenon: Why cybersecurity e-learning is no longer enough.

In-person workshops: same diagnosis, different format

In-person workshops are more engaging than e-learning - interaction with a trainer and the group setting create positive dynamics. But they suffer from the same core problem: they transmit declarative knowledge ("knowing that phishing exists") without building procedural reflexes ("automatically checking the sender before clicking").

Cost is also a major barrier for SMBs: an external cybersecurity trainer charges between 1,200 and 2,500 euros per day. For 50 employees split across 2 sessions, expect 2,400 to 5,000 euros - for a single training day that will be 80% forgotten within 30 days (Ebbinghaus).

In-person workshops have a place in an awareness program: they are useful for program launch (explaining the approach, setting expectations), for manager training (who serve as relays), and for post-incident debriefs (when a real phishing attack has hit the company). But as the sole foundation of an awareness program, they are too expensive, too infrequent, and too dependent on trainer quality to produce lasting behavioral change.

The compliance training trap

The Gartner 2025 barometer identifies a structural problem: 68% of cybersecurity leaders say low employee engagement is the primary design challenge of their awareness programs. And 47% cite a strategic misalignment between security and business objectives.

What these numbers reveal: in most organizations, cybersecurity training is a compliance exercise, not an improvement program. This is one of the key criteria for choosing the right awareness solution. The implicit goal is not to change behavior - it is to check a box during the annual audit. The result: boring e-learning modules, completed under duress, forgotten immediately, whose only purpose is to produce a spreadsheet reading "95% completion rate."

That spreadsheet protects no one. And the NIS2 auditor will not settle for completion rates - they will ask for evidence of measurable behavioral improvement. See our NIS2 guide for SMBs for the directive's specific requirements.

Phishing simulation: how it works, and why it's different

The learning mechanism

Phishing simulation relies on experiential learning, a concept formalized by David Kolb in 1984: people learn better by living through an experience than by listening to an explanation. Clicking on a fake phishing email and seeing the page "You've been caught - here's why" creates an emotional reaction (surprise, embarrassment) that embeds itself in memory far more deeply than a PowerPoint slide about "the 5 signs of a phishing email."

The mechanism is identical to fire drills for firefighters: you don't prepare for a fire by reading a manual - you prepare by practicing under realistic conditions.

The simulation-remediation-progression cycle

A structured phishing simulation program operates in a loop:

Phase 1: Baseline. First campaign without warning employees. The initial click rate is measured. According to the KnowBe4 Phishing Benchmarking Report 2025 (14.5 million users, 62,400 organizations), the average click rate before any training is 33.1% - one in three employees clicks. For companies with 1 to 250 employees, the rate is 24.6%. For those with over 10,000 employees, it rises to 40.5%.

Phase 2: Immediate remediation. Every employee who clicks instantly receives targeted remediation content: what should have raised a red flag in that specific email, how to verify the sender, how to report a suspicious email. The content is contextualized - not a generic module, but an explanation tied to the email the person just clicked on.

Phase 3: Recurring campaigns. Monthly or biweekly simulations with progressive difficulty: starting with generic phishing (fake package delivery, fake invoice), then targeted spear phishing (email from the "CEO," fake Teams notification), then advanced attacks (callback phishing, malicious QR code). Difficulty adapts to each employee's level.

Phase 4: Continuous measurement. Click rate, reporting rate, and reaction time are tracked month over month. After 90 days of combined simulation and training, the click rate drops by 40% (from 33.1% to approximately 19.9%). After 12 months, the reduction reaches 86% - the click rate falls to 4.1% (KnowBe4 2025). For click rate benchmarks by industry and company size, see our detailed article on phishing click rate benchmarks by sector.

Key indicators of an effective simulation

Beyond the click rate (the most visible number), a mature simulation program tracks several indicators:

Reporting rate. This is the most important indicator - and the most overlooked. The reporting rate measures the percentage of employees who, when faced with a suspicious email, use the report button to alert the IT team. On the Proofpoint platform in 2025, the average reporting rate is 18.65% across all industries. Financial services reach 32.35%. Education stagnates at 7.71%. A high reporting rate means your employees are not just avoiding clicks - they are actively participating in real-time threat detection.

Resilience ratio. Proofpoint calculates this as the ratio of reporting rate to click rate. A ratio above 1 means more employees report than click - the organization is in an active defense posture. The average ratio in 2025 is 3.78. Financial services reach 8.23. Education sits at 1.27.

Median reporting time. How long between receiving a suspicious email and reporting it? The shorter this time, the faster the IT team can respond to neutralize a real threat. The most mature organizations aim for a median reporting time under 5 minutes.

Progression by attack type. Click rates vary considerably depending on the simulation type: a generic email ("Your package is pending") generates 15-25% clicks, while a targeted spear phishing email (from the "CFO" requesting a wire transfer) can reach 40-60%. Tracking progression by attack type reveals the scenarios where your teams remain vulnerable.
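As an added example (not code from the article or from nophi.sh), the script below computes these indicators for one campaign from constructed simulation results: click rate, reporting rate, the Proofpoint-style resilience ratio as defined above, median reporting time, click rate per attack type, and the relative reduction between two campaigns. The data model, function names and sample data are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional


@dataclass
class SimResult:
    """One employee's outcome for one simulated phishing email (constructed data)."""
    employee: str
    attack_type: str                        # "generic" or "spear", as in the article
    sent_at: datetime
    clicked_at: Optional[datetime] = None   # None = did not click the lure
    reported_at: Optional[datetime] = None  # None = did not use the report button


def campaign_metrics(results):
    """Compute the indicators the article lists for one campaign.

    Rates are fractions (0.4 == 40%). The resilience ratio is reporting rate
    divided by click rate and is None when nobody clicked (division by zero is
    a real edge case once a team matures). Median reporting time is in minutes
    from delivery to report, over the employees who reported.
    """
    if not results:
        raise ValueError("a campaign needs at least one result")
    n = len(results)
    clicked = [r for r in results if r.clicked_at is not None]
    reported = [r for r in results if r.reported_at is not None]
    click_rate = len(clicked) / n
    reporting_rate = len(reported) / n
    # Ratio above 1: more employees report than click (active defense posture).
    resilience_ratio = reporting_rate / click_rate if click_rate > 0 else None
    report_minutes = [(r.reported_at - r.sent_at).total_seconds() / 60 for r in reported]
    median_report_minutes = median(report_minutes) if report_minutes else None
    # Progression by attack type: where do the teams remain vulnerable?
    click_rate_by_type = {}
    for attack_type in sorted({r.attack_type for r in results}):
        group = [r for r in results if r.attack_type == attack_type]
        click_rate_by_type[attack_type] = sum(r.clicked_at is not None for r in group) / len(group)
    return {
        "click_rate": click_rate,
        "reporting_rate": reporting_rate,
        "resilience_ratio": resilience_ratio,
        "median_report_minutes": median_report_minutes,
        "click_rate_by_type": click_rate_by_type,
    }


def click_rate_reduction(baseline_rate, current_rate):
    """Relative reduction between a baseline campaign and a later one.

    The article's 33.1% -> 19.9% progression after 90 days yields about 0.40.
    """
    if baseline_rate <= 0:
        raise ValueError("baseline click rate must be positive")
    return (baseline_rate - current_rate) / baseline_rate


def build_sample_campaign():
    """Constructed results for 10 employees: 5 generic lures, 5 spear-phishing lures."""
    t0 = datetime(2026, 3, 2, 9, 0)      # generic wave sent at 09:00
    t1 = t0 + timedelta(hours=1)         # spear wave sent at 10:00

    def at(base, minutes):
        return base + timedelta(minutes=minutes)

    return [
        SimResult("alice", "generic", t0, clicked_at=at(t0, 5)),
        SimResult("bob", "generic", t0, reported_at=at(t0, 3)),
        SimResult("carol", "generic", t0, reported_at=at(t0, 8)),
        SimResult("dave", "generic", t0),
        SimResult("erin", "generic", t0, reported_at=at(t0, 2)),
        SimResult("frank", "spear", t1, clicked_at=at(t1, 4)),
        # grace clicked, then reported anyway: she counts in both rates
        SimResult("grace", "spear", t1, clicked_at=at(t1, 12), reported_at=at(t1, 15)),
        SimResult("heidi", "spear", t1, reported_at=at(t1, 6)),
        SimResult("ivan", "spear", t1),
        SimResult("judy", "spear", t1, clicked_at=at(t1, 2)),
    ]


if __name__ == "__main__":
    metrics = campaign_metrics(build_sample_campaign())
    for key, value in metrics.items():
        print(f"{key}: {value}")
    print("reduction 33.1% -> 19.9%:", round(click_rate_reduction(0.331, 0.199), 3))
```

On the constructed sample the spear lures are clicked three times as often as the generic ones, which is exactly the per-attack-type gap the article says a mature program should track.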

What simulation doesn't do

Phishing simulation does not replace training. It does not cover the basics: password management, workstation security, data classification policy, incident response procedures. A simulation program without a knowledge foundation is a test without preparation - it measures vulnerability but does not provide the tools to reduce it.

Simulation also does not protect against threats employees never encounter via email: malicious USB drives, phone-based social engineering (vishing), physical compromises. These vectors require different approaches.

Simulation is not infallible either. The Lain et al. (2022) study showed that poorly designed simulations - with optional, non-contextualized training - can have the opposite effect: increasing phishing susceptibility among some employees. Program design matters as much as the tool itself. Simulations that are too frequent (several per week), too easy (immediately identifiable), or lacking post-click remediation (the employee clicks and nothing happens) produce no learning.

The data: which method actually changes behavior?

The number that says it all

Here is the most solid comparative data available as of March 2026, drawn from large-scale studies:

Method | Click rate reduction | Source | Sample size
E-learning alone (annual) | 1.7% | Ho et al. 2025, IEEE S&P | 19,500 employees
Embedded training (post-click) | Negligible to negative effect | Lain et al. 2022, IEEE S&P | 14,000 employees
Simulation + combined training (12 months) | 86% (from 33.1% to 4.1%) | KnowBe4 2025 Benchmarking | 14.5 million users
Simulation alone (3 months) | 48% | IJSRA 2025 | 300 employees
Continuous micro-learning (reporting rate) | From 7% to 60% | Aggregated data (Symbol Security) | Industry

How to read this gap

The gap between academic results (1.7% reduction) and industry data (86% reduction) deserves an explanation, because this is not a case where "one is right and the other is wrong."

Academic studies (Ho 2025, Lain 2022) measure the isolated effect of training: educational content alone, often in the form of a single remediation page shown after a click. They use randomized controlled trials (the scientific gold standard) with control groups. Their conclusion: a single training page shown once after a click does not change behavior.

Industry data (KnowBe4) measures the effect of a complete program: recurring simulations (monthly), continuous training, micro-learning, targeted remediation, progressive difficulty - over 12 months. The program combines 5 to 12 interventions per employee over the year. The 86% reduction is the cumulative result of this complete program - not of an isolated module.

The reconciliation is simple: a one-time training event changes nothing. A continuous, varied program changes behavior. Frequency, repetition, and the combination of methods are the determining factors - not the quality of any individual module.

Data from the Verizon DBIR 2025 confirms this from another angle: employees trained in the last 30 days are 4 times more likely to report a phishing email than those whose last training was more than a month ago. The recency of training matters as much as its content.

The French data

The CESIN (French cybersecurity executives association) 2025 barometer (10th edition, 401 respondents, January 2025) indicates that 85% of French companies now train their employees on cyber risks. Phishing and spear phishing remain the number one attack vector at 60% of reported attacks. The CESIN 2026 barometer (11th edition, January 2026) reports a decline in significant attacks to 40% (down from 47% in 2024), but when attacks succeed, 81% have a business impact.

For micro-businesses and SMBs, the picture is less favorable. 69% of cyberattacks in France target micro-businesses and SMBs (2025 data). Only 35% of SMBs have trained more than half their staff (up from 28% in 2023). Half of SMB employees do not receive regular cybersecurity training (Barometre national maturite cyber TPE-PME 2025). The French numbers confirm the international finding: training exists, but it is insufficient, infrequent, and poorly measured.

The number one obstacle cited by French micro-businesses is lack of budget (70% of micro-businesses, Barometre maturite cyber 2025). The second is lack of time. The third: the feeling that "it won't happen to us." Yet the data shows the opposite: 59% of French SMBs experienced a cyberattack in the last 12 months (Hiscox 2025), and the average cost ranges between 20,000 and 50,000 euros - 10 to 50 times the annual cost of an awareness program.

The French government launched SensCyber, a free online awareness module from Cybermalveillance.gouv.fr distributed through France Num (the government's digital transition program): 3 short learning paths aimed at SMBs. ANSSI (France's national cybersecurity agency) provides the IT Hygiene Guide and the MesServicesCyber platform. These resources are a starting point, but they do not cover phishing simulation or behavioral measurement.

The Verizon DBIR 2025 argument

The Verizon Data Breach Investigations Report 2025 offers additional insight into the comparative effectiveness of methods. The most telling number in the DBIR is not the click rate - it is the reporting time. Organizations whose employees quickly report real phishing emails (within the first 5 minutes) significantly reduce the blast radius of successful attacks. The IT team can block the malicious domain, revoke compromised credentials, and alert other employees before the attack spreads.

In other words: the primary ROI of phishing training may not be click prevention (the residual rate never reaches zero) - it is accelerating detection. Trained employees become a human sensor network that complements technical tools. The Verizon DBIR calls this concept the "human sensor network," and it measures its effectiveness by reporting speed, not click rate.

For French SMBs without a SOC (Security Operations Center), this human network is often the only active detection layer. An employee who reports a suspicious email in 3 minutes is more useful than a firewall that failed to detect the attack.

The forgetting curve: why annual training doesn't work

Ebbinghaus and declarative memory

Hermann Ebbinghaus demonstrated in 1885 that human memory follows a predictable decay curve. His numbers, confirmed by modern research:

  • After 1 hour: learners forget up to 50% of new information.
  • After 1 day: half of what was learned remains.
  • After 1 week: retention drops to approximately 23%.
  • After 1 month: up to 80% is forgotten without reinforcement.
  • Less than 15% of what is learned is stored permanently without review.

Applied to cybersecurity training: if you train your employees once a year in January, they have forgotten 80% of the content by February. By March, the training is a vague memory. By September, when the phishing attack arrives, almost nothing remains.

Empirical validation in cybersecurity

The SOUPS 2020 study (Symposium on Usable Privacy and Security) precisely measured the forgetting curve as applied to phishing. 409 employees from a German government agency were assessed at regular intervals after phishing training.

The results:

  • Up to 4 months: the training effects remain significant. Employees detect phishing emails more effectively.
  • At 6 months: detection scores begin to deteriorate significantly.
  • At 8-12 months: employees have forgotten most of what they learned. Their detection ability has returned to pre-training levels.

The study also compared reminder formats: videos and interactive examples are the most effective formats for refreshing knowledge, far ahead of short texts or long messages.

Spaced repetition: the only known antidote

The Wozniak protocol (1990), which formalizes spaced repetition, recommends increasing intervals between reviews:

  • 1st review: 1 day after learning
  • 2nd review: 7 days later
  • 3rd review: 16 days later
  • 4th review: 35 days later
  • Then progressively longer intervals.

Translated into an awareness program: annual training is the worst possible schedule. Quarterly training is insufficient. The minimum viable frequency is a monthly intervention, and the ideal is a weekly micro-intervention of a few minutes.

This is precisely what micro-learning and recurring simulation deliver: frequent, short, contextualized reminders that keep knowledge and reflexes above the effectiveness threshold.

Micro-learning vs e-learning: the engagement numbers

Comparative engagement data confirms the superiority of micro-learning over traditional e-learning for cybersecurity awareness:

Indicator | Traditional e-learning (30-45 min) | Micro-learning (1-5 min)
Completion rate | 20-30% | ~80%
Engagement rate | Baseline | +50% vs e-learning
Information retention | Baseline | +23% vs e-learning
Retention with gamification | Baseline | +90% vs e-learning
Phishing reporting rate | 7% (quarterly training) | 60% (continuous micro-learning, after 12 months)
Format preferred by employees | n/a | 60% prefer short lessons

The difference in reporting rate is striking: 7% with quarterly training versus 60% with continuous micro-learning. The multiplier is 8.5x. In terms of security posture, a 60% reporting rate means the majority of your employees are actively participating in threat detection.

Optimal micro-learning sits between 1 and 3 minutes per session, covers a single concept per capsule, and is delivered weekly. The most effective formats are short videos (preferred by 70% of learners) and interactive scenarios (retention 2.3 times higher than static presentations).

The productivity impact is also favorable: traditional training of 30 minutes per month uses 6,000 hours per year for 1,000 employees. Micro-learning of 5 minutes per month uses only 1,000 hours - roughly 230,000 euros in preserved productivity at 45 euros/hour (fully loaded cost).

The Kirkpatrick model: measuring what actually matters

The four levels of evaluation

In 1959, Donald Kirkpatrick formalized a four-level model for evaluating training that has since been universally adopted in education. Applied to cybersecurity awareness:

Level 1: Reaction. Did employees enjoy the training? Did they find it useful? This is what post-training satisfaction surveys measure ("Rate this training from 1 to 5"). It is the easiest level to measure, and the least informative. An employee can love a training session and retain nothing from it.

Level 2: Learning. Did employees acquire knowledge? This is what post-training quizzes measure ("What is a sign of a phishing email?"). This level evaluates declarative memory - what people know - but not what they do in real situations.

Level 3: Behavior. Do employees apply what they learned in their daily work? This is what phishing simulation measures: click rate, reporting rate, reaction time when facing a fake email. Real-world behavior - not theoretical knowledge.

Level 4: Results. Did the training have a measurable impact on the organization? Fewer successful phishing incidents? Faster reports? Lower incident costs? Stronger compliance reports?

The chasm between Levels 2 and 3

The majority of awareness programs stop at Levels 1 and 2: satisfaction and quizzes. A study published in Computers & Security (2024) confirms that 84% of programs aim for behavior change, but only 43% regularly measure actual behavioral changes. The rest rely on completion rates and quiz scores - metrics that do not predict real-world behavior.

Phishing simulation is, to date, the only tool that directly measures Kirkpatrick Level 3: behavior under realistic conditions. A quiz tells you whether an employee can identify a phishing email. A simulation tells you whether they actually will when the email lands in their inbox between two meetings on a Friday afternoon.

The gap between "knowing" and "doing" is the central subject of academic research on cybersecurity. A Computers & Security study (2024, 154 participants) identifies self-efficacy as the most significant predictor of behavioral intention in cybersecurity. Employees do not change behavior because they know the risks - they change because they feel capable of detecting and handling a threat. Simulation, by placing employees in realistic situations they gradually learn to defeat, builds this self-efficacy. Theoretical training alone does not. For a deeper dive into the cognitive mechanisms that make phishing effective, see our article on phishing psychology and cognitive biases.

Detailed comparison: 8 decisive criteria

Summary table

Criterion | E-learning | Phishing simulation | Combined approach
Cost per employee/year | 10-30 euros (platform) or 50-100 euros (occasional in-person) | 15-80 euros (depending on platform) | 15-80 euros (all-inclusive)
Employee time required | 2-4 hours/year (30-45 min modules) | 0 hours (simulations are invisible) | 1-2 hours/year (5 min/week micro-learning + simulation)
ROI measurability | Low (completion, quiz scores) | High (click rate, reporting, progression) | High (all indicators)
Impact on click rate | -1.7% (Ho 2025, isolated) | -40% at 90 days (KnowBe4) | -86% at 12 months (KnowBe4)
Retention duration | 4-6 months then decay (SOUPS 2020) | Reinforced with each campaign | Continuous (spaced repetition)
Compliance (NIS2, ISO 27001) | Strong (certificates, traceability) | Moderate (campaign reports) | Optimal (traceability + behavioral evidence)
Customization | Limited (standard modules) | High (context-adapted scenarios) | High (individualized learning paths)
Employee engagement | Low, 20-30% completion | High - the experience is involuntary and memorable | High: micro-learning at 80% completion

Criterion-by-criterion breakdown

Cost per employee. Pure e-learning is the cheapest option if the company uses an existing LMS or a free resource such as SensCyber, the free awareness module from Cybermalveillance.gouv.fr made available to SMBs through France Num (the government's digital transition program). Simulation platforms range from 15 to 80 euros per user per year depending on company size and feature level. The combined approach (simulation + micro-learning + reporting) is generally priced the same as simulation alone - modern platforms bundle training into their offering. Compare costs and ROI on our pricing page.

Employee time required. This is the most underestimated criterion. A 30-minute e-learning session uses 25 cumulative hours for 50 employees. A 3-minute weekly micro-learning uses 130 hours for the same 50 employees over the year, but spread across micro-sessions that don't disrupt work. Simulation uses zero time - employees don't know they're being tested. Time is only "consumed" during post-click remediation (3-5 minutes).

For an SMB of 50 people at a loaded cost of 25 euros/hour, the indirect training cost breaks down as follows:

  • Annual e-learning (2 sessions x 30 min): 50 x 1h x 25 euros = 1,250 euros/year
  • Weekly micro-learning (3 min/week x 48 weeks): 50 x 2.4h x 25 euros = 3,000 euros/year
  • Pure simulation: 0 euros in employee time (excluding remediation)

This indirect cost never appears in vendor quotes. It should.

ROI measurability. E-learning produces completion metrics ("95% of employees completed the module") and score metrics ("average score: 78/100"). These numbers satisfy an auditor. They say nothing about actual program effectiveness. Simulation produces behavioral metrics: click rate (before/after), reporting rate, median reporting time, progression by department, by tenure, by attack type. These are data you can present to your leadership to justify the investment, and to an auditor to demonstrate continuous improvement.

Employee engagement. Completion rates tell the story. Traditional e-learning: 20 to 30% completion without enforcement. Micro-learning: approximately 80% completion (short modules are completed voluntarily). Simulation: 100% "participation" by design - every employee receives the test email, whether they want to or not. Engagement is not requested; it is triggered by the experience.

Gamification amplifies engagement: aggregated industry data shows a 60% increase in engagement and 90% increase in retention when game mechanics are integrated into the awareness program.

The combined approach: the 2026 standard

Why isolated methods are no longer enough

The data is clear: training alone does not change behavior. Simulation alone does not provide foundational knowledge. No isolated method covers the full spectrum.

Gartner formalizes this with the SBCP concept: by 2027, half of cybersecurity programs will prioritize behavioral transformation over awareness. The key prediction: companies that combine generative AI with an integrated SBCP architecture will experience 40% fewer employee-caused cyber incidents by 2026.

The SANS Institute recommends a minimum of 2.8 FTEs dedicated to influencing behavior at scale. For an SMB without a dedicated cybersecurity team, this means the tool must automate what large enterprises assign to a team: campaign planning, micro-learning delivery, results analysis, learning path adaptation.

The model that works in 2026

The awareness program that produces the best measurable results combines four components:

The knowledge foundation: an initial e-learning path (1 to 2 hours, broken into 10-15 minute modules) covering the fundamentals: types of attacks, reporting procedures, the company's security policy. This foundation is reinforced during onboarding for every new hire.

Recurring simulation: monthly or biweekly campaigns with progressive difficulty, custom domains, scenarios adapted to the company's context (brands, vendors, government agencies). Each campaign produces actionable behavioral data.

Continuous micro-learning: weekly capsules of 2 to 5 minutes, delivered through existing communication channels (Slack, Teams, email). Content is contextualized - a micro-learning module on spear phishing delivered after a simulation campaign on that same theme reinforces the learning.

Targeted post-failure remediation: when an employee clicks on a simulation, they immediately receive remediation content specific to the email they clicked on. This content is not a generic module - it explains precisely which red flags should have raised their guard in that particular case. Repeat offenders follow a reinforced learning path.

nophi.sh integrates all four components into a single platform. Simulation with custom domains, adaptive micro-learning, AI analysis of reported emails, hosting in France, flat-rate pricing.

The "big bang" training mistake

A common mistake among SMBs launching an awareness program: organizing a massive training event (half-day in-person session + sending all e-learning modules at once) and then doing nothing for 11 months. This is the "big bang" strategy - a spike of activity followed by nothing.

The data converges: this approach is the least effective. Ebbinghaus's forgetting curve shows that after one month without reinforcement, 80% of knowledge is lost. The SOUPS 2020 study shows that phishing email detection ability returns to pre-training levels after 6 to 8 months without follow-up. And the SANS 2025 report recommends 3 to 5 years of continuous programming to embed a security culture.

The optimal program is the opposite of the big bang: a modest launch (30-minute initial onboarding) followed by a continuous stream of short, frequent interventions. The sports analogy works: a single 5-hour run on January 1st does not prepare you for a marathon. Running 30 minutes three times a week for 6 months does.

The emerging role of AI in awareness

How AI concretely improves awareness programs:

Learning path personalization. AI analyzes each employee's behavior (click rate by attack type, reaction time, reporting history) and adapts simulation difficulty and micro-learning content accordingly. An employee who easily detects generic emails but falls for spear phishing will receive simulations and training targeted at that specific vector.

Contextualized scenario generation. Modern platforms offer customizable templates that adapt to the company's communication tools (Teams, Slack, Salesforce) and industry news. The realism surpasses static template libraries.

Individual risk analysis. By cross-referencing simulation and training results over time, the platform identifies at-risk profiles (repeat clickers, employees who never report, employees who fail on one specific attack vector) and enables targeted intervention: reinforced remediation paths, simulations adapted to each employee's level.

How to choose based on your maturity level

Decision matrix

The right method depends on your starting point. Here is a decision grid based on your organization's cybersecurity maturity:

Level 0: Nothing in place. You have never trained your employees on phishing. No tools, no processes, no measurements. This is the case for the majority of French micro-businesses (65% have never trained more than half their staff).

Recommendation: Start with a combined platform (simulation + micro-learning). E-learning alone will not produce measurable results. The entry cost of a simulation platform ranges from 10 to 30 euros per user per year - or 500 to 1,500 euros for 50 employees. The documented average ROI is 4:1 (4 euros saved for every 1 euro invested).

Level 1: Mandatory annual training. You have an e-learning program that employees complete once a year. You have completion rates. You have no behavioral data.

Recommendation: Add phishing simulation to your existing program. Run a baseline campaign (without warning employees) to measure your actual click rate. This number will likely be a shock - the average rate is 33.1% before any simulation (KnowBe4 2025). Use this baseline to justify the investment in a continuous program. Shift from annual training to monthly micro-learning.

Level 2: Occasional simulations. You have already run a few phishing campaigns (1 to 3 per year). Your click rate is declining. But the program is not structured: no micro-learning, no automated remediation, no progressive difficulty.

Recommendation: Structure your program. Move to monthly simulations with progressive difficulty. Add weekly micro-learning. Automate post-click remediation. Measure reporting rate (not just click rate) - that is the true maturity indicator. The Verizon DBIR 2025 shows that reporting rate (21% with recent training vs 5% without) is a better predictor of organizational resilience than click rate alone.

Level 3: Structured continuous program. You have monthly simulations, micro-learning, and remediation. Your click rate is below 5%. Your employees report suspicious emails.

Recommendation: Move to advanced scenarios: targeted spear phishing (email from the "CFO"), callback phishing, multi-channel attacks (email + SMS), malicious QR codes and other new phishing forms. Integrate real phishing detection: employees who report suspicious emails receive a real-time AI verdict, reinforcing the reporting reflex. Measure the resilience ratio (reports / clicks) and aim for a ratio above 4 - a sign that your organization is in an active defense posture.
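One way to compute the indicators named in this grid and in the AI section above (click rate and reporting rate per campaign, the reports/clicks resilience ratio, per-employee click rate by attack type, repeat-offender status and the resulting remediation path) is shown below. This is an added example in Python, not code from the original article or from nophi.sh. The event records, user names, campaign names and field layout are constructed for the example (a real platform export would carry its own schema); the thresholds (click rate below 5%, reporting rate above 50%, resilience ratio of 4) are the ones stated in the text.

```python
"""Awareness-program metrics from phishing-simulation events (added example).

Sample data is constructed inline; field names are assumptions, not a vendor schema.
"""
from collections import defaultdict
from dataclasses import dataclass

USERS = ["alice", "bob", "carol", "dave", "erin", "frank"]

# Constructed sample: three campaigns, each delivered to all six users.
# campaign name -> (attack type, users who clicked, users who reported)
CAMPAIGNS = {
    "2025-01-invoice": ("generic", {"alice", "bob"}, {"carol", "dave", "erin"}),
    "2025-02-cfo-wire": ("spear", {"alice", "frank"}, {"bob", "carol", "dave", "erin"}),
    "2025-03-parcel-qr": ("qr", {"alice"}, {"bob", "carol", "dave", "erin", "frank"}),
}


@dataclass(frozen=True)
class Event:
    user: str
    campaign: str
    attack_type: str
    clicked: bool
    reported: bool


def build_events(campaigns=CAMPAIGNS, users=USERS):
    """Expand the campaign table into one Event per (user, campaign)."""
    return [
        Event(u, name, attack_type, u in clicked, u in reported)
        for name, (attack_type, clicked, reported) in campaigns.items()
        for u in users
    ]


def campaign_metrics(events, campaign):
    """Click rate, reporting rate, resilience ratio and sanity flags for one campaign."""
    rows = [e for e in events if e.campaign == campaign]
    delivered = len(rows)
    clicks = sum(e.clicked for e in rows)
    reports = sum(e.reported for e in rows)
    click_rate = clicks / delivered if delivered else 0.0
    report_rate = reports / delivered if delivered else 0.0
    ratio = reports / clicks if clicks else None  # undefined when nobody clicked
    flags = []
    if delivered and clicks == 0:
        flags.append("zero clicks: scenario likely too easy, raise difficulty")
    if ratio is not None and ratio >= 4:
        flags.append("resilience ratio >= 4: active defense posture")
    if click_rate < 0.05 and report_rate > 0.5:
        flags.append("target met: click rate < 5% and reporting rate > 50%")
    return {
        "delivered": delivered, "clicks": clicks, "reports": reports,
        "click_rate": click_rate, "report_rate": report_rate,
        "resilience_ratio": ratio, "flags": flags,
    }


def user_profiles(events):
    """Per-employee behaviour across campaigns, used to pick a remediation path."""
    stats = defaultdict(lambda: {"delivered": 0, "clicks": 0, "reports": 0,
                                 "by_type": defaultdict(lambda: [0, 0])})
    for e in events:
        s = stats[e.user]
        s["delivered"] += 1
        s["clicks"] += e.clicked
        s["reports"] += e.reported
        sent, clk = s["by_type"][e.attack_type]
        s["by_type"][e.attack_type] = [sent + 1, clk + e.clicked]
    profiles = {}
    for user, s in stats.items():
        # attack types this user has fallen for at least once
        weak = sorted(t for t, (_, clk) in s["by_type"].items() if clk)
        if s["clicks"] >= 2:
            path = "reinforced"   # repeat offender: reinforced learning path
        elif weak:
            path = "targeted"     # one failure: micro-learning on that vector
        else:
            path = "standard"
        profiles[user] = {
            "click_rate": s["clicks"] / s["delivered"],
            "report_rate": s["reports"] / s["delivered"],
            "repeat_offender": s["clicks"] >= 2,
            "weak_vectors": weak,
            "path": path,
        }
    return profiles


if __name__ == "__main__":
    evs = build_events()
    for name in CAMPAIGNS:
        m = campaign_metrics(evs, name)
        ratio = "n/a" if m["resilience_ratio"] is None else f"{m['resilience_ratio']:.1f}"
        print(f"{name}: click {m['click_rate']:.1%}, report {m['report_rate']:.1%}, "
              f"ratio {ratio} {m['flags']}")
    for user, p in sorted(user_profiles(evs).items()):
        print(f"{user}: path={p['path']} weak={p['weak_vectors']}")
```

Aggregate results are what you share with the company; the per-user profiles drive remediation only and should stay with the security team, consistent with the non-disciplinary use and retention limits discussed in the FAQ.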

Whatever your level, nophi.sh covers all four components: simulation with custom domains, adaptive micro-learning, automatic remediation, and AI analysis of reported emails. Create a free account - up and running in 15 minutes, no technical integration required.

The most common program mistakes

Regardless of your maturity level, certain mistakes recur systematically in poorly designed awareness programs:

Too much training, not enough measurement. SMBs invest in catalogs of 50 e-learning modules but never run a simulation. Result: impressive completion rates (90%+) and zero data on actual behavior. The program satisfies the auditor but protects no one.

Simulations without remediation. The employee clicks on the fake phishing email and... nothing happens. No learning page, no targeted micro-module, no follow-up. The error is detected but not corrected. The simulation becomes a surveillance tool, not a learning tool. The impact on team morale is negative.

Campaigns too far apart. One simulation every 6 months is worse than a monthly simulation. The interval is too long to maintain reflexes (Ebbinghaus forgetting curve), and each campaign becomes an "event" that generates anxiety instead of being perceived as a normal routine.

The 0% click rate trap. Some SMBs aim for a zero click rate as their goal. This is counterproductive. A 0% click rate means either that simulations are too easy (immediately identifiable) or that employees have stopped clicking on any link out of caution - including legitimate ones. The realistic target is a click rate below 5% combined with a reporting rate above 50%.

Forgetting managers. Managers are often the most targeted by spear phishing (CEO fraud, BEC) and the least available for training. A program that does not include a specific learning path for managers and the executive committee misses a critical target. KnowBe4 data shows that companies with over 10,000 employees have a baseline click rate of 40.5% - partly because executives, under high cognitive load, are the most vulnerable to manipulation techniques.

The budget factor

For an SMB of 50 employees, here is what each approach costs in total (tool + employee time):

| Approach | Tool cost/year | Indirect time cost | Annual total |
|---|---|---|---|
| Nothing | 0 euros | 0 euros | 0 euros (but average incident cost: 20,000-300,000 euros) |
| Annual training only | 500-1,500 euros | 1,250 euros | 1,750-2,750 euros |
| Simulation + micro-learning | 750-3,000 euros | ~300 euros (remediation only) | 1,050-3,300 euros |
| Full combined program | 1,000-4,000 euros | ~800 euros | 1,800-4,800 euros |

The documented average ROI is 4:1 (Brightside AI, aggregated 2025 data). For an SMB, the math is simple: the median cost of a successful phishing incident ranges between 20,000 and 50,000 euros (French 2025 data), potentially reaching 300,000 euros. A combined program at 3,000 euros per year therefore costs roughly 7 to 17 times less than a median incident, and up to 100 times less than a severe one.

9 out of 10 cyberattacks in companies are caused by human error (France Num (French government digital transition program) 2025). Investing in technical controls without addressing the human factor is like installing an alarm and leaving the door open.

The hidden cost of inaction

SMBs that don't train their employees are not saving money. They are deferring a cost into the future in the form of risk.

The risk of going out of business increases by approximately 50% within 6 months following a cyber incident for micro-businesses and SMBs (French 2025 data). The total cost of a cyberattack for a 50-person SMB often exceeds initial estimates. The average cost of a business email compromise (BEC) is 45,000 euros for a French SMB. Revenue loss can reach 27% of annual turnover according to some industry estimates.

Compared to the cost of an awareness program (1,000 to 4,000 euros per year for 50 employees), the math is straightforward. The real luxury SMBs cannot afford is doing nothing.

ANSSI (France's national cybersecurity agency) has announced that it will give organizations subject to NIS2 at least 3 years before considering sanctions. This grace period should not be interpreted as permission to wait 3 years. It is the time needed to implement a structured program and measure its results - which roughly matches the 3 to 5-year timeline identified by the SANS Institute for lasting behavioral change.

Frequently asked questions

Is phishing simulation legal in France?

Phishing simulation in a corporate setting is legal in France, provided it complies with GDPR. The data collected (email addresses, individual results) qualifies as personal data. The employer must inform employees that a security awareness program including simulations is in place (prior notification under GDPR - not necessarily for each individual campaign), define a legal basis (legitimate interest for information system security or NIS2 legal obligation), limit the retention of individual data (24 months recommended), and not use results for disciplinary purposes. CNIL (France's data protection authority) has not issued specific guidance on phishing simulation, but general GDPR principles apply. A data processing agreement (DPA) with the platform provider is required.

Do you need to warn employees before a simulation?

Yes, under GDPR: employees must know that a simulation program exists (disclosed in internal policies, the IT charter, or an internal memo). However, telling them the date and content of each simulation would defeat the purpose of the exercise. Best practice: inform employees once that simulations will take place during the year, without specifying when or in what form. After each campaign, share aggregate results (not individual) with the entire company.

Is SensCyber (the free module from Cybermalveillance.gouv.fr) enough for an SMB?

SensCyber (free awareness module by Cybermalveillance.gouv.fr) is a useful free resource to build a foundation: 3 short modules (interactive videos + knowledge tests) designed for SMB employees. It is a good starting point - far better than doing nothing. But SensCyber offers neither phishing simulation, nor recurring micro-learning, nor behavioral measurement, nor post-failure remediation. It covers Kirkpatrick Level 2 (knowledge) but not Level 3 (behavior). For an SMB subject to NIS2 or one that wants to demonstrate measurable improvement, SensCyber is a complement - not a substitute for a simulation platform.

How many simulations per year should you run?

The data points to a minimum of one simulation per month. The SOUPS 2020 study shows that the effect of a single training starts to fade between 4 and 6 months later, in line with Ebbinghaus's forgetting curve. Monthly simulations keep reflexes well inside that window. The ideal is to combine monthly simulations with weekly micro-learning - approximately 12 simulations and 48 micro-learning capsules per year. The most mature organizations (click rate below 5%) can space simulations out to once every 6 weeks.

Is cybersecurity training mandatory in France in 2026?

The NIS2 directive (transposed into French law through the Resilience Act, adopted by the Senate on March 12, 2025) requires essential and important entities to implement "cyber risk management measures including staff awareness and training." Approximately 15,000 French entities are affected, plus their suppliers through contractual cascade effects. Penalties go up to 10 million euros or 2% of global revenue. ISO 27001 (Annex A control 7.2.2 in the 2013 edition, renumbered A.6.3 in the 2022 edition) and SOC 2 also require documented awareness programs. For SMBs not directly subject to NIS2, training is not legally mandatory, but in the event of an incident, the absence of awareness measures could be held as a breach of the security obligation (Article 32 of GDPR). Cyber insurers increasingly require training evidence to cover phishing-related claims.

Can phishing simulation damage team morale?

This is a real risk if the program is poorly designed. Pitfalls to avoid: publishing individual results (humiliation), using overly aggressive scenarios from the start (loss of trust), not explaining the educational purpose (feeling of surveillance). The right approach: start with simple scenarios and gradually increase difficulty, always pair the click with a supportive remediation page ("here is what should have alerted you - here is how to react next time"), share aggregate results (not individual), and celebrate collective progress. The best-designed programs use a positive tone: the goal is not to trap employees but to train them.

Conclusion

The question is not "training or simulation." It is "how to combine both for a measurable outcome."

The 2025-2026 data converges.

Theoretical training alone does not change behavior: 1.7% click rate reduction (Ho et al. 2025, 19,500 employees), "minimal" changes according to the Leiden meta-analysis (69 studies). What does change behavior is a continuous program combining recurring simulation, micro-learning, and targeted remediation: 86% reduction in 12 months (KnowBe4 2025, 14.5 million users). Frequency is the decisive factor: effects degrade after 4 to 6 months without reinforcement (SOUPS 2020), and employees trained in the last 30 days report 4 times more (Verizon DBIR 2025).

For a French SMB in 2026, the optimal investment is a combined program: monthly simulation + weekly micro-learning + automated remediation. The cost ranges from 1,000 to 4,000 euros per year for 50 employees. The documented ROI is 4:1 - against an incident risk measured in tens or even hundreds of thousands of euros.

The open question is one of time. The SANS Institute estimates 3-5 years to transform behavior, and 5-10 years to embed a lasting security culture. ANSSI (France's national cybersecurity agency) has set a 3-year grace period before sanctioning NIS2-covered entities. This means the best time to launch a structured program is now - not in 6 months, not after the next incident. KnowBe4 data shows measurable results within 90 days (40% click rate reduction). The return on investment begins to materialize well before the end of the first year.

Launch your first simulation campaign - simulation with custom domains, adaptive micro-learning, and AI analysis of reported emails. Measurable results within 90 days.
