Why a Simple E-Learning Module Is No Longer Enough to Train Your Teams on Cybersecurity
Real completion rates far below what the LMS reports, retention that fades within six weeks, zero behavior change: why traditional e-learning fails against phishing and what alternatives actually work.
Your company deployed a cybersecurity e-learning module in January. Forty-five minutes of slides covering phishing, passwords, and data security. In March, an accountant clicks on an email impersonating Chronopost (a major French delivery service) and enters their Microsoft 365 credentials on a fake form. That accountant had scored 92% on the end-of-module quiz.
This scenario is not hypothetical. It repeats every week in thousands of French companies that have checked the "cybersecurity training" box in their compliance plan. The module is deployed, the LMS shows a 94% completion rate, the security manager presents the report to leadership, and everyone leaves satisfied - until the incident.
90% of companies train their employees on cybersecurity, yet 70% of trained employees engage in behaviors that go against security best practices (Gartner, 2022). Even more telling: in the same Gartner survey, 69% of employees admitted to bypassing security policies over the past year, and 74% said they would do it again if it helped them meet their business objectives.
The problem is not that employees are careless. The problem is the training format.
The Cybersecurity E-Learning Paradox: Good Scores, Bad Reflexes
Traditional cybersecurity e-learning operates on a simple model: a 30 to 60-minute module, deployed once or twice a year through an LMS (Learning Management System), followed by a validation quiz. The employee watches the slides, answers the questions, gets their certificate. The LMS records the completion. Everyone is happy.
The problem is that this model measures the wrong thing. It measures whether the employee clicked "Next" through to the last slide and memorized the right quiz answers - not whether they will make the right call when a phishing email lands in their inbox at 5:45 PM on a Friday, when they are in a rush to leave.
KnowBe4 illustrates this gap with its 2025 data, drawn from 67.7 million phishing simulations across 14.5 million users in 62,400 organizations: the average phishing click rate before any training is 33.1% (KnowBe4 Phishing by Industry Benchmarking Report 2025). Organizations that stick to annual e-learning see this rate drop modestly; those that combine continuous simulations with contextual micro-learning drive it below 5% within 12 months.
The gap between these two approaches sums up the entire problem: traditional e-learning transmits information but does not change behavior.
The Five Reasons Traditional E-Learning Fails
Reason 1: The Real Completion Rate Is Far Lower Than What the LMS Reports
Your company's LMS probably shows a completion rate of 90% or higher for your cybersecurity modules. That number is misleading.
Studies on corporate e-learning show that self-directed online courses have a real completion rate of 12 to 15% for non-mandatory modules (Continu, 2025). For mandatory modules, the rate goes up, but at what cost? 49% of employees admit to not following or not paying attention to their mandatory training (SkillUp Online). They click "Next" mechanically, let the module run in the background while they work on something else, and answer the quiz by picking the obvious answers.
One employee cited in a CLO Magazine survey summed it up: "I do the minimum to get 70% on the quiz and move on." Another described mandatory training sessions as "worthless." These testimonials reflect a documented phenomenon: LMS fatigue, the point where the tool meant to foster learning becomes an obstacle that the employee works around (SeerTech Solutions).
When 45% of employees feel that the training they receive does not match their actual needs (CLO Magazine), e-learning is not training anyone - it is generating certificates.
Reason 2: The Forgetting Curve Destroys Your Investment in 6 Weeks
In 1885, psychologist Hermann Ebbinghaus measured how quickly memorized material decays when it is not revisited: in his data, roughly half of it was gone within an hour, about two thirds within a day, and about three quarters within a week, after which the curve flattens (Ebbinghaus, 1885). A 2015 replication reproduced the shape of his curve.
Applied to corporate cybersecurity, the implications are stark. Your January e-learning module? By March, your employees have forgotten most of its content. A study cited by Cybersecurity Dive shows that participants in anti-phishing training were "significantly better at distinguishing real emails from phishing attempts immediately after training, but after six months, the improvement had disappeared" (Cybersecurity Dive).
The math is simple: if you train your teams once a year, they spend eleven months without cognitive protection. Eleven months during which attack techniques evolve, new vectors emerge (quishing, voice deepfakes, malicious SMS), and the memory of the training fades away.
Industry data confirms this: quarterly training produces only a 7% reporting rate for suspicious emails, compared to 60% for continuous micro-learning integrated into daily work (Brightside AI, 2025). Frequency changes everything.
Reason 3: The Dunning-Kruger Effect - Training Creates a False Sense of Security
Here is the most dangerous paradox of cybersecurity e-learning: it can make employees more vulnerable than before the training.
According to KnowBe4, 86% of employees believe they can identify a phishing email, yet nearly half of them fell for a phishing attack over the past year. This gap has a name: the Dunning-Kruger effect, the cognitive tendency where the least competent people overestimate their abilities the most.
In cybersecurity, this phenomenon is particularly toxic. An employee who has completed an e-learning module and scored 90% on the quiz leaves the training convinced they know how to spot phishing. This confidence makes them less vigilant against real attacks - the ones that do not look like the simplistic examples in the module.
SC Media reports that "training can paradoxically cause problems: a proportion of employees who have completed a basic security course experience the Dunning-Kruger effect. They believe they know everything there is to know, giving them unjustified confidence" (SC Media). The result: hasty judgments, skipped verifications, and clicks on links the employee "was sure" they had checked.
The data backs this up: despite the fact that 70% of individuals recognize the risks of clicking unknown links in emails, many click anyway (Verizon DBIR 2025). Knowledge does not automatically translate into behavior. To understand the cognitive mechanisms at play, see our analysis of phishing psychology.
Reason 4: Passive Training vs. Active Learning - A Pedagogical Dead End
Traditional e-learning relies on a passive pedagogical model: watching slides, listening to narration, reading text. The employee is a spectator, not a participant.
Cognitive science is unequivocal on this point. The learning cone (often attributed to Edgar Dale, though the exact percentages are contested) places reading and passive listening at the bottom of the retention scale. Learning by doing - solving a problem, making a decision, making a mistake and understanding its consequences - sits at the top.
In the context of cybersecurity, this difference is measurable. A study published in 2025 in the International Journal of Science and Research Archive shows that behavioral training produces a 48% increase in phishing email detection and a 36% reduction in policy violations, compared to marginal results from passive training (IJSRA, 2025).
The same study concludes that behavior-oriented programs make users six times less likely to click on a phishing link and seven times more likely to report a threat compared to traditional e-learning approaches.
The difference comes down to a simple mechanism: in an e-learning module, the employee learns that they should not click on a suspicious link. In a simulation, they click the link, see the remediation page explaining what they missed, and feel the social discomfort of having "failed." It is that emotion - not the slide - that anchors the reflex.
Reason 5: The Content Is Disconnected from Daily Reality
Open a standard cybersecurity e-learning module. You will find phishing examples with obvious spelling mistakes, clearly fake email addresses ("support@amazn-secure.xyz"), and scenarios that bear no resemblance to the employee's daily work.
This content was relevant in 2015. It is counterproductive in 2026.
AI-generated phishing emails are now grammatically flawless and personalized with company context. Hoxhunt (a phishing simulation vendor) reports that AI-generated phishing increased 14-fold between January and December 2025, from 4% to 56% of total detected volume, and that AI-written emails achieve a 54% click rate against 12% for traditionally written ones, with a credential submission rate of 33.6% against 7.5%.
Training your employees to spot spelling mistakes when AI no longer makes them is like teaching them to look out for pickpockets in a world of cybercriminals. The advice is technically true but practically useless - and worse, it provides a false sense of security: "No typos? Then it must be safe."
For the full picture on emerging threats: Malicious QR codes, voice deepfakes, smishing: new forms of phishing in 2026.
What the Data Shows: E-Learning Alone vs. a Combined Approach
Comparative studies converge. Here is what the data shows when annual e-learning is placed head-to-head with combined approaches (simulation + micro-learning + contextual remediation):
| Metric | Annual e-learning alone | Combined approach (simulation + micro-learning) |
|---|---|---|
| Phishing click rate (before) | 33% (baseline) | 33% (baseline) |
| Click rate (after 90 days) | 25-28% | 15-20% |
| Click rate (after 12 months) | 20-25% (rises again after 6 months) | Under 5% |
| Reporting rate | 7% (quarterly training) | 60%+ (continuous micro-learning) |
| Retention at 6 months | Back to pre-training level | 80% retention with spaced reinforcement |
| Real completion (active attention) | 51% (49% don't engage) | 80%+ (3-5 minute modules) |
| Lasting behavior change | Low to none | 48% improvement in detection |
Sources: KnowBe4 2025, Brightside AI 2025, IJSRA 2025, Cybersecurity Dive, Keepnet Labs.
The Fortinet 2025 Security Awareness and Training report, based on 1,850 IT and security leaders, confirms this finding: despite growing investments, the majority of organizations struggle to achieve real completion of training, and nearly 7 out of 10 leaders believe their employees still lack sufficient awareness (Fortinet, 2025).
The Verizon DBIR 2025 adds a detail that should concern every security manager: 8% of employees are responsible for 80% of security incidents. These are the "serial clickers," and annual e-learning does not reach them - because they score well on the quiz while continuing to click on suspicious links in real life.
The "Serial Clickers" Problem
These 8% are not negligent or unintelligent employees. They are usually busy people under pressure, processing dozens of emails per hour and clicking by reflex without taking the time to verify. They may be accountants, executive assistants, salespeople: roles where email volume is high and every message feels urgent.
E-learning does not solve their problem for two reasons:
- It treats everyone the same: the same 45-minute module for the employee who has never clicked on a phishing attempt and the one who clicks on every simulation. Only 7.5% of programs personalize training based on individual risk level (Brightside AI, 2025).
- It doesn't reach them at the right moment: the serial clicker does not need a theoretical course in January - they need a micro-remediation module within 30 seconds of clicking on a simulated phishing email, when the lesson can anchor itself in the emotion of the mistake.
Proofpoint adds to the picture with a complementary data point: 68% of employees admit to deliberately bypassing security policies, even though they are aware of the risks. This is not a knowledge problem - it is a behavior problem. And e-learning, by its nature, only addresses knowledge.
The analogy is straightforward: explaining traffic rules does not make drivers safe. You need speed cameras (simulations), tickets (remediation), and regular checkpoints (continuous training). E-learning is the driver's manual: useful for the exam, insufficient for the road.
The Textbook Case: 94% Completion, 100% Compromise
To understand why e-learning alone does not protect, let us examine a concrete case: an accounting firm with 35 employees in the Paris region, reconstructed from reports published by Cybermalveillance.gouv.fr (France's national cyber-threat awareness platform) and industry data.
The Setup
The firm had deployed a cybersecurity e-learning module through its LMS in September 2024. Forty minutes of content covering phishing, passwords, and client data protection. Completion rate: 94%. Average quiz score: 87%. The report had been presented to the firm's managing partner, who archived it with satisfaction.
In February 2025, a payroll associate received an email purportedly from URSSAF (the French social security contributions agency). The subject line: "Contribution rate modification: action required before 02/28." The email was written in flawless French, used the URSSAF logo, and contained a link to a form for "updating company details." The associate clicked, entered her URSSAF credentials, then entered her professional email credentials when the form requested "identity verification."
Within 4 hours, the attacker accessed the associate's mailbox, identified exchanges with the firm's clients, and sent legitimate-looking emails from her address to clients with updated bank details. Three clients wired a total of 87,000 euros to the attacker's account before the firm detected the incident.
Why the Training Failed
The phishing email matched none of the examples in the e-learning module. No spelling mistakes, no suspicious email address (the attacker used a recent but credible domain), no direct wire transfer request. The module had taught the associate to spot obvious red flags - not to question a well-written professional email in a plausible business context.
The training was 5 months old. In line with the Ebbinghaus forgetting curve, the associate had forgotten most of the content. And she had never been exposed to a phishing simulation - she had never had the opportunity to put what she learned into practice.
The total cost of the incident (investigation, notification to the CNIL, France's data protection authority, partial client compensation, remediation measures, loss of client trust) exceeded 150,000 euros, several hundred times the cost of the e-learning module.
The Compliance Trap: Training the Auditor, Not the Employee
Compliance as the Goal, Not the Means
The primary driver behind deploying cybersecurity e-learning in companies is compliance. An auditor asks: "Are your employees trained in cybersecurity?" The LMS produces a report: 94% completion. The auditor validates. The cycle starts again the following year.
This model produces a compliance facade that satisfies regulatory requirements on paper but does not protect the company in practice.
Gartner stated this bluntly: "The baseline capabilities of cybersecurity e-learning training solutions achieve regulatory and audit compliance, and rudimentary behavior change, but fail to produce meaningful changes in human risk" (Gartner).
Compliance Does Not Protect: The Evidence
The history of cybersecurity is littered with compliant-but-breached companies:
- Equifax was PCI DSS compliant when its 2017 breach exposed the personal data of roughly 147 million people.
- Target had been certified PCI DSS compliant shortly before its 2013 breach, which exposed 40 million payment cards and the personal data of up to 70 million customers.
- MGM Resorts had a security awareness program when a simple phone call from a Scattered Spider group member to the IT helpdesk triggered a ransomware attack that cost $100 million (Int-Comp.org, 2025).
- Marks & Spencer (April 2025) suffered an attack that paralyzed online orders, contactless payments, and inventory management - "not a sophisticated hack, but the result of credential theft via SIM swapping and helpdesk impersonation."
- Evolve Bank and Trust: a single click on a malicious link exposed 33 terabytes of data.
In every one of these cases, employees had completed training. The module was done. The LMS showed completion. The auditor had signed off.
The Statistical Reality: Training Alone Does Not Reduce Breaches
Global data confirms that e-learning alone does not translate into a measurable reduction in incidents:
- The UK Cyber Security Breaches Survey 2025 reports that 43% of British businesses experienced a cybersecurity incident over the past 12 months - despite rising training rates (GOV.UK, 2025).
- Gartner finds that from 2013 to 2021, the percentage of breaches linked to social engineering stayed around 20%, with no notable decline - even as training investments grew year after year.
- The FBI reports that losses from cyberattacks reached $16 billion in 2024, up 33% from the previous year (IC3 Internet Crime Report, 2024).
- Two thirds of CISOs (66%) report having experienced a material loss of sensitive data over the past year - up from 46% in 2024 (Proofpoint, 2025).
The conclusion is clear: training is not enough. The training method is what makes the difference.
NIS2 Changes the Game: Training Must Be "Effective"
The European NIS2 directive (Network and Information Security Directive 2) marks a turning point. Unlike previous regulations that simply required "training," NIS2 mandates that organizations implement effective cybersecurity measures - including training.
Article 20(2) of NIS2 requires members of management bodies to follow regular cybersecurity training themselves and encourages them to offer similar training to their employees. Article 21 lists the minimum risk management measures, including "basic cyber hygiene practices and cybersecurity training" and "incident handling", and Article 21(1) requires those measures to be "appropriate and proportionate" to the risks the entity faces. The text does not stop at a completion certificate: training is one of the measures whose adequacy the organization has to be able to demonstrate (DataGuard).
The penalties are dissuasive: up to 10 million euros or 2% of global annual revenue for essential entities, and 7 million euros or 1.4% of revenue for important entities. Directors can be held personally liable and temporarily barred from managerial functions. See our NIS2 guide for SMEs for a full breakdown of the obligations.
In France, the transposition of NIS2 is underway. The scope is broad: NIS2 covers approximately 15,000 new French entities across 18 sectors (energy, transport, healthcare, water, digital services, food, public administration, etc.). Thousands of SMEs and mid-sized companies that were not covered by NIS1 now fall within scope.
For these companies, the risk is concrete: a NIS2 auditor will not settle for an LMS report showing 94% completion. They will ask for effectiveness metrics: what is your employees' click rate on simulations? What is the reporting rate? How is the program adapted to current threats? Has management participated in the training?
Companies that stick to annual e-learning risk being found non-compliant - not because they did not train, but because they did not train effectively.
The True Cost of Ineffective E-Learning
You Pay Twice: The Platform and the Breach
A cybersecurity e-learning module costs between 3 and 10 euros per employee per year. For a 50-person company, that is a budget of 150 to 500 euros. Reasonable.
Except that budget does not buy security - it buys compliance. If an employee clicks on a phishing email despite their training (a 20-25% probability with annual e-learning alone, versus under 5% with a combined approach), the cost of the incident dwarfs the training budget by several orders of magnitude.
The Fortinet 2025 report indicates that 52% of organizations that experienced a cyber incident estimate the cost at over one million dollars - up from 38% in 2021 (Fortinet Skills Gap Report, 2025). For a French SME, the average cost of a business email compromise exceeds 125,000 euros (How much does a cyberattack cost an SME?).
The Hidden Cost: Wasted Time
Deloitte estimates that employees dedicate only 1% of their workweek, roughly 24 minutes, to formal training. When those 24 minutes are spent on a passive e-learning module whose content will be largely forgotten within a week, the company wastes both the employee's time and the training budget.
Organizations that invest in traditional e-learning alone see up to 80% of their training budget wasted on content that is never truly absorbed (SHIFT eLearning).
The Real ROI: E-Learning vs. a Combined Program
For a 50-employee SME, let us compare the real return on investment of both approaches over 12 months:
Annual e-learning approach:
- Module cost: 5 EUR x 50 = 250 EUR/year
- Click rate after 12 months: 20-25%
- Probability that at least one employee clicks on a real phishing email during the year: very high. If each of the 50 employees faces even ten convincing phishing emails a year and clicks each one with probability 0.2, the chance that nobody clicks at all is 0.8^500, which is effectively zero (assuming independent decisions; the page's own figure is dozens of phishing emails per employee per year).
- Average incident cost: 125,000 EUR
- Weighted total cost (factoring in incident probability): 250 EUR + high residual risk
Combined approach (simulation + micro-learning + remediation):
- Monthly cost: 3 EUR x 50 = 150 EUR/month, or 1,800 EUR/year
- Click rate after 12 months: < 5%
- Probability of a phishing-related incident: reduced by 70-86%
- Total cost: 1,800 EUR + low residual risk
The cost difference is 1,550 EUR per year. The difference in protection is a factor of 4 to 5 on the click rate. Relative to the average incident cost (125,000 EUR), the combined program's return on investment turns positive with the very first avoided phishing click.
Put differently: it takes just one simulation preventing one employee from clicking on one real phishing email for the program to pay for itself 70 times over.
What If the Problem Is the Wrong Metrics?
Traditional e-learning measures the wrong indicator. Completion rate measures content distribution, not skill acquisition. Quiz scores measure short-term memorization, not behavior change.
Gartner puts it plainly: "Traditional metrics like participation, course completion, and phishing simulation click rates are useful for measuring participation, but on their own, they do not prove that the program is modifying behaviors in ways that reduce cyber risk" (Cybersecurity Dive / Gartner).
The metrics that truly matter:
- Reporting rate (how many employees forward a suspicious email to the security team) - not click rate.
- Time to report (how quickly a phishing email is identified and escalated).
- Residual risk reduction measured through realistic simulations - not quizzes.
What Gartner Recommends: From E-Learning to Security Behavior and Culture Programs (SBCP)
Gartner has named "Security Behavior and Culture Programs" (SBCP) as one of the major cybersecurity trends for 2024-2026. The concept marks a break from the traditional approach.
The SBCP model rests on a simple observation: cybersecurity training should not target knowledge, but behavior. It is not "does the employee know what phishing is?" that matters - it is "what do they do when they receive one?"
Gartner acknowledges that "in 2022, fewer than 5% of cybersecurity leaders had adopted emerging SBCP capabilities" - meaning 95% of programs were still stuck in traditional e-learning mode. This gap represents both a risk (for companies that do not act) and an opportunity (for those who adopt the model early).
Gartner's PIPE framework (Practices, Influences, Platforms, Enablers) structures the transition. In practical terms, the move from e-learning to an SBCP comes down to four elements:
- Practice: simulations that put the employee in real-world situations.
- Inform: short, relevant content adapted to context, not a one-off annual program.
- Shape perception: build a culture where security is seen as everyone's responsibility, not just an IT concern.
- Evaluate: measure behavior change, not module completion.
This framework validates an approach that phishing simulation platforms have been implementing for years, but one that remains uncommon among French SMEs, where annual e-learning still dominates.
The Alternatives That Work in 2026
Phishing Simulation with Contextual Remediation
Phishing simulation is the pedagogical opposite of e-learning. Instead of showing theoretical examples, it places the employee in front of a realistic attack - a personalized email, a QR code in a PDF, an SMS impersonating a delivery service - within their usual work environment.
If the employee clicks, they are immediately redirected to a 2 to 3-minute micro-module explaining what they missed and how to spot it. This is "contextual remediation": the training arrives at the exact moment when the employee is most receptive - when they have just made the mistake.
The data shows this approach works:
- Organizations that run regular simulations reduce their click rate from 33% to under 5% within 12 months (KnowBe4, 2025).
- The reporting rate climbs from 7% to 60% or more within a year (Brightside AI, 2025).
- Behavior-oriented programs make users six times less likely to click and seven times more likely to report (IJSRA, 2025).
The mechanism is that of learning through error, documented in cognitive science: the emotion tied to failure (embarrassment, surprise) anchors the memory more deeply than a neutral slide. See how nophi.sh builds these reflexes through simulation.
What Does a Well-Designed Simulation Look Like?
To illustrate the difference from e-learning, here is the flow of a typical phishing simulation program:
Week 1: The accounting department receives an email impersonating Chronopost (a major French parcel service), notifying them of a package awaiting delivery with a 2.95 EUR shipping fee. The email is personalized with the employee's name and uses a domain visually similar to chronopost.fr. Employees who click immediately see a 90-second remediation page explaining the 3 signals they missed: suspicious sender domain, unexpected payment request, artificial urgency.
Week 3: The HR department receives an email impersonating an internal message from the IT director, with a QR code to scan to "update the HR portal." Employees who scan receive a 2-minute micro-module on quishing (QR code phishing).
Week 5: The sales team receives an email from a "prospect" with a PDF attachment containing a malicious link. The content is written in flawless professional language, generated by AI. Employees who click the link in the PDF receive a micro-module explaining why attachments from unknown contacts must be verified.
After each simulation, results are aggregated by team (never by individual) and shared in a supportive manner: "This month, the sales team has a 45% reporting rate - up 12 points from last month. The accounting team leads with 62%." The dynamic of collective progress replaces the fear of individual failure.
Adaptive Micro-Learning: 3 to 5 Minutes, at the Right Time
Micro-learning replaces 45-minute modules with 3 to 5-minute capsules, delivered regularly and adapted to each employee's risk profile.
Studies consistently confirm its advantages:
- 80% completion rate compared to 12-15% for traditional self-directed modules (eLearning Industry).
- 80% content retention compared to 50% for longer sessions (LearningTech, 2024).
- 50% more engagement compared to traditional e-learning (Journal of Applied Psychology).
- Modules completed 40% faster than traditional training (Keepnet Labs).
- Spaced reinforcement, which revisits concepts at increasing intervals, improves retention from the very first weeks.
Micro-learning works because it respects the real constraints of work life. An employee does not have 45 minutes to spare for a module, but they have 3 minutes between meetings. And those 3 minutes, repeated every week, produce a cognitive anchoring that 45 annual minutes can never achieve.
The adaptive model goes further: it identifies at-risk employees (those who click on simulations, those who never report) and offers them reinforced content, while the most vigilant employees receive lighter content. The Verizon DBIR 2025 shows that 8% of employees cause 80% of incidents, yet only 7.5% of programs personalize training based on individual risk level. Adaptive micro-learning closes this gap.
Gamification and Team Competitions
Gamification (points, badges, leaderboards, challenges) makes training engaging instead of an administrative chore.
The results are well documented:
- Gamified experiences achieve completion rates of 90% compared to 25% for non-gamified training (Continu, 2025).
- 83% of employees who completed gamified training report feeling more motivated at work, versus a majority who say they feel "bored or disengaged" with non-gamified training (TalentLMS).
- Engagement increases by 60% with gamification elements, and retention improves by 90% when learning is tied to interactive challenges (Keepnet Labs data).
- Behavior change is 76% more likely when training includes competitive elements.
- An energy sector company saw security training engagement jump from 10% to 70% after introducing gamified phishing challenges.
The psychological mechanism is well-known: competition between teams (not individuals, to avoid stigmatization) activates the dopaminergic reward circuit. The employee is no longer doing "mandatory training" - they are participating in a team challenge where their department tries to beat the record of the one next door.
A study published in 2024 in the Journal of Business Research (ScienceDirect) analyzed the perceptions of 1,178 employees in an international company following gamified information security training. The results show that gamification improves perceived information quality, system quality, and learning enjoyment - three factors that increase satisfaction and perceived usefulness. Concretely, employees who completed the gamified version click less on phishing and adopt more positive security behaviors than those who completed the standard version.
The Cyber Shield Game, evaluated in a 2024 study from the International Journal of Serious Games, produced a 51.4% improvement in cybersecurity knowledge as measured by pre/post-game questionnaires - a result that passive e-learning cannot achieve. See nophi.sh's gamified simulations.
Continuous Training vs. One-Off Training
The difference between the two models is structural:
One-off training (annual e-learning):
- One event per year
- 45-60 minutes of content
- No reinforcement
- Forgotten in 6 weeks
- Metric: completion
Continuous training:
- Weekly or biweekly micro-modules
- 3-5 minutes per session
- Monthly simulations with remediation
- Spaced repetition
- Metrics: reporting rate, detection time, risk reduction
Brightside AI data summarizes the expected trajectory: 30-40% improvement in the first 3 months, 50-60% at 6 months, and 70-86% at 12 months - but only with a continuous program. One-off training sees its results erode from the second month onward.
How to Tell If Your Current Training Is Working
Before replacing your program, you need to evaluate its real effectiveness. Here is an 8-question diagnostic that any security manager or SME leader can apply.
The Diagnostic Framework
1. What is your click rate on phishing simulations? If you do not run simulations, you do not know if your training is working. Period. A rate above 15% after 6 months of training indicates an ineffective program. A rate below 5% after 12 months is the target.
2. What is your reporting rate? This is the most revealing metric. A reporting rate below 20% means your employees have not internalized the reflex to escalate suspicious emails. High-performing programs reach 60% or more.
3. Is your training deployed more than once a year? If the answer is no, your training is almost certainly ineffective after 6 weeks. The forgetting curve spares no one.
4. Does the content reflect current threats? If your module still uses examples of emails with spelling mistakes as the primary warning sign, it is obsolete. In 2026, phishing is grammatically perfect.
5. Is the training personalized based on risk profile? If everyone receives the same module, you are under-training the most vulnerable and over-training the most vigilant.
6. Do you measure anything beyond completion rate? If your only metrics are completion rate and quiz score, you are measuring distribution, not effectiveness.
7. Does leadership undergo the same training as employees? NIS2 requires it. And executives are priority targets for spear phishing and deepfake vishing.
8. Can your employees report a suspicious email in fewer than 2 clicks? If the reporting process involves finding an email address, composing a message, and manually forwarding the email, the reporting rate will stay low. A "Report" button built into the email client is the minimum.
Interpretation
- 0 to 2 "yes" answers: your program is a compliance exercise, not a security one. A complete overhaul is recommended. You are in the same situation as the majority of French SMEs: an annual e-learning module that does not protect. The risk of an incident is high, and your NIS2 compliance is probably insufficient if you fall within scope.
- 3 to 5 "yes" answers: you have foundations, but with critical gaps. Identify the "no" answers and address them as priorities. The most impactful step is usually adding monthly simulations - this is what produces the fastest results on click rate.
- 6 to 8 "yes" answers: you are on the right track. Optimize your metrics and increase frequency. Focus on the reporting rate (the most mature metric) and on personalization for at-risk employees.
The Ultimate Test
There is one simple test to evaluate your program: send a realistic phishing simulation to your entire company, without advance notice. Measure two things: how many employees click, and how many report. If more than 15% click and fewer than 20% report, your current program is not working - regardless of the quiz score or completion rate displayed by the LMS.
This test costs a few hundred euros and takes less than an hour to set up. It will tell you more about your actual security posture than any LMS report.
From E-Learning to a Full Awareness Program: The Migration Path
The good news: you do not need to throw everything out. E-learning has its place in an awareness program - but as a component, not the whole thing. For a month-by-month action plan: Cybersecurity training guide for SMEs.
What to Keep from E-Learning
- The fundamentals: an introductory module for new hires is still useful for conveying the basics (password policy, data classification, reporting procedure).
- Compliance documentation: the LMS remains the reference tool for tracking participation and producing audit reports.
- Reference content: summary sheets accessible at any time in the LMS serve as "cheat sheets" - provided they are updated regularly.
What to Add
- Monthly phishing simulations with varied scenarios (email, QR code, SMS) and progressive difficulty.
- Contextual micro-learning (2-3 minutes) triggered after each simulation - for employees who click as well as those who report.
- Behavioral metrics: reporting rate, time to report, recidivism on simulations.
- An adaptive program: reinforced content for the 8% of high-risk employees, lighter content for the most vigilant.
- A gamified component: team leaderboards, monthly challenges, recognition for top reporters.
The Migration Timeline
Month 1: Assessment
- Conduct an audit of your current program using the diagnostic framework above.
- Run a first phishing simulation to establish your baseline click rate.
- Identify your serial clickers.
Month 2-3: Setup
- Keep the existing e-learning as an onboarding module for new hires.
- Deploy a monthly simulation program with contextual remediation.
- Introduce weekly 3-minute micro-modules (one topic per week: email phishing, QR codes, passwords, social engineering, etc.).
- Set up the "Report" button in the email client if not already done.
Month 4-6: Optimization
- Measure click rate and reporting rate progression.
- Activate the adaptive program: reinforced content for employees who keep clicking.
- Introduce team challenges and gamified leaderboards.
- Vary simulation vectors (add QR codes, SMS).
Month 7-12: Maturity
- Target a click rate below 5% and a reporting rate above 50%.
- Include leadership in simulations and training (NIS2 compliance).
- Establish a quarterly report with behavioral metrics for leadership.
- Plan annual scenario rotation to prevent habituation.
Compare the costs and ROI of a complete program.
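The behavioral metrics referred to in the diagnostic (click rate, reporting rate, time to report) and in the timeline (recidivism, the "serial clickers" fed into the adaptive program) can be computed directly from simulation campaign logs. The script below is an added example, not code from the article or from any vendor; the event log and employee names are constructed, and the thresholds are the ones stated in the diagnostic above (15% click and 20% report as the failing line, 5% click as the 12-month target).

```python
from collections import defaultdict
from statistics import median

# Constructed sample log, one row per simulated email:
# (campaign, employee, outcome, minutes from delivery to outcome).
# outcome is "clicked", "reported" or "ignored" (no action before campaign close).
EVENTS = [
    ("2026-01", "alice", "clicked", 4),
    ("2026-01", "bob", "reported", 11),
    ("2026-01", "carol", "ignored", None),
    ("2026-01", "dave", "clicked", 2),
    ("2026-01", "erin", "ignored", None),
    ("2026-02", "alice", "clicked", 6),
    ("2026-02", "bob", "reported", 3),
    ("2026-02", "carol", "reported", 25),
    ("2026-02", "dave", "ignored", None),
    ("2026-02", "erin", "reported", 9),
]

def campaign_metrics(events):
    """Per campaign: click rate, reporting rate and median minutes to report."""
    per_campaign = defaultdict(list)
    for campaign, _, outcome, minutes in events:
        per_campaign[campaign].append((outcome, minutes))
    result = {}
    for campaign, rows in sorted(per_campaign.items()):
        total = len(rows)
        clicks = sum(1 for outcome, _ in rows if outcome == "clicked")
        report_times = [m for outcome, m in rows if outcome == "reported"]
        result[campaign] = {
            "click_rate": clicks / total,
            "report_rate": len(report_times) / total,
            "median_minutes_to_report": median(report_times) if report_times else None,
        }
    return result

def serial_clickers(events, min_campaigns=2):
    """Employees who clicked in at least min_campaigns distinct campaigns.
    This list feeds the adaptive program internally; it is never published."""
    clicked_in = defaultdict(set)
    for campaign, employee, outcome, _ in events:
        if outcome == "clicked":
            clicked_in[employee].add(campaign)
    return sorted(e for e, c in clicked_in.items() if len(c) >= min_campaigns)

def verdict(click_rate, report_rate):
    """Apply the diagnostic thresholds to one campaign's rates."""
    if click_rate > 0.15 and report_rate < 0.20:
        return "not working"
    if click_rate < 0.05:
        return "at target"
    return "improving"
```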
The French Context: SMEs Still Under-Trained
French data confirms the urgency of changing the model. The 2025 CESIN (Club des Experts de la Sécurité de l'Information et du Numérique - France's leading cybersecurity professionals association) barometer reports that 60% of French companies consider phishing to be the most common attack vector. Cybermalveillance.gouv.fr (France's national platform for cyber-threat awareness and assistance) reports a continuous rise in phishing reports, with increasingly targeted campaigns aimed at the French business fabric (SMEs, independent professionals, local government).
The problem is compounded by massive data breaches that hit France in 2024-2025: France Travail (the national employment agency - 43 million records), Viamedis/Almerys (health insurance processors - 33 million Social Security numbers), Free (telecom provider - 19 million accounts), Chronopost (parcel service - 210,000 customers). This data allows attackers to personalize phishing emails with the target's name, address, employer, and sometimes Social Security number - making attacks nearly undetectable by an employee trained only to spot "generic" emails.
In this context, standard e-learning with its crude phishing examples and generic advice is not just insufficient - it is counterproductive: it gives employees the illusion that they know how to recognize phishing, when the attacks they will actually receive are far more sophisticated than anything the module showed them.
The most exposed sectors in France are the same as everywhere: healthcare (high-value medical data), local government (limited security resources, sensitive citizen data), accounting and law firms (client financial data), and retail (payment data). In each of these sectors, annual e-learning remains the norm.
Funding in France: OPCO and Qualiopi
For French SMEs, cybersecurity training can be funded through OPCOs (Opérateurs de Compétences - French skills development funding bodies). Since January 1, 2022, only Qualiopi-certified training providers are eligible for OPCO funding.
Key points to keep in mind:
- Cybersecurity is a priority area for most industry branches in 2025-2026, which increases the chances of coverage.
- Funding covers qualifying training programs: a 45-minute off-the-shelf e-learning module does not always meet the criteria. A structured awareness program with measurable objectives does.
- Submit your application in Q1: OPCO budgets are often depleted by Q4. Companies that apply early maximize their chances of 100% coverage.
- Combine funding sources: if the OPCO covers only part of the cost, an employer top-up on the CPF (Compte Personnel de Formation - France's personal training account) can fill the gap.
Qualiopi certification does not guarantee the pedagogical quality of a training program - it guarantees compliance with a framework of 7 criteria and 32 indicators covering the training process. A Qualiopi-certified provider can perfectly well offer a 45-minute passive e-learning module. The label is not a sufficient criterion for evaluating program effectiveness.
FAQ
Our e-learning is Qualiopi-certified (French quality standard). Isn't that enough?
No. Qualiopi certification guarantees that the training provider meets a quality framework covering processes (intake, objectives, resources, follow-up, evaluation). It does not guarantee that the training produces measurable behavior change in your employees. A Qualiopi-certified provider can offer a 45-minute passive e-learning module that will be forgotten in 6 weeks. The real question is not "is our training certified?" but "is our phishing simulation click rate below 5%?"
E-learning is free with our Microsoft 365 / Google Workspace suite. Why pay more?
The awareness modules included in office suites are a good starting point, but they are generic (not adapted to the French context: Ameli, Chronopost, ANTAI), rarely updated with recent threats (quishing, deepfakes, AI phishing), and not personalized to each employee's risk profile. These modules cost nothing, but their effectiveness is proportional. For comparison, a phishing simulation with contextual remediation costs between 2 and 5 euros per employee per month - or 120 to 300 euros per year for a 50-person company. Compare that amount to the average incident cost (125,000 euros for an SME) to evaluate the return on investment.
Our employees already complain about too much training. How do we add cybersecurity?
This is exactly the problem that micro-learning solves. Instead of adding a long session to an already packed schedule, you replace it with 3-minute capsules, twice a month. The total training volume is lower than an annual e-learning module (about 72 minutes per year versus 45-60 minutes in a single session), yet the effectiveness is radically better thanks to spaced reinforcement. The employee does not "sit down for training" - they complete a micro-module in 3 minutes between tasks, just as they would read an email.
Won't phishing simulations stress out employees?
Stress from phishing simulations is a valid concern. Well-designed programs follow a few principles: no individual sanctions (names never displayed publicly), supportive and educational remediation (no blame, just explanation), and results presented by team, not by person. The goal is not to trap employees but to build a vigilance reflex. Studies show that the majority of employees come to appreciate simulations after a few months - they see them as practice, not as a test. The real stress is being the employee who clicked on the phishing email that compromised the company.
How long does it take to see results?
Industry data shows a predictable progression: 30-40% improvement in click rate within the first 3 months, 50-60% at 6 months, and 70-86% at 12 months with a continuous program (KnowBe4, Brightside AI). The reporting rate improves more slowly but more durably: expect 6 months to go from under 10% to over 30%, and 12 months to reach 50-60%. These figures assume a program combining monthly simulations and micro-learning - annual e-learning alone will not produce these results.
Does NIS2 require us to change our training program?
NIS2 does not mandate a specific teaching method. It requires cybersecurity measures to be "effective" and that management regularly participates in training. If your current program is limited to annual e-learning with no simulations, no behavioral effectiveness measurement, and no management participation, it probably does not meet the spirit of NIS2. The penalties (up to 10 million euros or 2% of global revenue) are reason enough not to take that risk. A program combining e-learning, simulations, and micro-learning, with risk reduction metrics, provides a solid compliance foundation.
Conclusion
Cybersecurity e-learning is not useless. It conveys foundational knowledge, provides a compliance baseline, and introduces core concepts. What is useless is believing that a 45-minute module once a year protects your company against attacks that evolve every week.
The numbers speak for themselves: 90% of companies train, but 70% of trained employees engage in risky behavior (Gartner). 49% of employees do not actually follow mandatory training. Annual e-learning alone leaves a click rate at 20-25% after 12 months - five times higher than a combined program.
Effective cybersecurity training in 2026 combines realistic phishing simulations that test behavior under real-world conditions, adaptive micro-learning that reinforces knowledge at the right moment, and behavioral metrics that measure reflex change - not module completion.
The shift from e-learning to a full awareness program is not a six-figure digital transformation project. It is a change in method, achievable in 3 months, fundable through OPCOs for French SMEs, with results visible from the very first simulation campaign.
Companies that have made this shift report a 70 to 86% improvement in click rates within 12 months (KnowBe4, 2025), a reporting rate above 60% (Brightside AI, 2025), and a measurable reduction in incident risk. Conversely, those that stick with annual e-learning continue to see 20 to 25% of their employees click on simulated phishing, and suffer the financial and operational consequences of real attacks.
The choice is between training for the audit report and training for real protection. The test is simple: if a phishing email arrives tomorrow morning, how many of your employees will click, and how many will report? If you do not know the answer, your program is not working.
Create an account and launch your first simulation - simulation, micro-learning, and remediation included. Measurable results within 90 days.
For further reading: training vs. simulation: a detailed comparison | phishing simulation guide | features | pricing