A recent Wall Street Journal article claimed that security awareness training fails to stop phishing — and that trained employees click phishing links just as often as untrained ones. It’s a provocative headline, and it taps into a frustration many CISOs feel: after years of running training programs, phishing still works.
But here’s the truth: training alone was never the solution.
The problem isn’t that employees can’t become more vigilant. The problem is that many organizations are still relying on outdated, one-size-fits-all training programs that measure success by completion rates — not by whether risk is actually reduced.
It’s time to move past compliance checkboxes and focus on what really matters: reducing human risk by influencing behaviors and strengthening identity and access controls.
Training click-through rates don’t tell the full story. Human Risk Management (HRM) takes a broader approach — it’s the practice of measuring, managing, and reducing cyber risk that originates from human behavior. HRM connects three critical data streams:
Together, these insights provide a 360° view of human risk, allowing security teams to focus on the riskiest 10% of employees — those who, according to the 2025 State of Human Cyber Risk Report, are responsible for 73% of risky behaviors across the business.
This context is what turns isolated phishing results into actionable intelligence, enabling security teams to prioritize interventions where they will have the biggest impact rather than blanketing the workforce with generic training that fails to address true risk.
We agree with the WSJ on one point: generic compliance training won’t move the needle. But that doesn’t mean training doesn’t work — it means it needs to evolve and remain part of the solution.
Modern security and awareness programs (SAT+) that start incorporating risk signals — like phishing simulation performance, behavioral nudges, and targeted interventions — represent a big leap forward from checkbox compliance. These programs can deliver:
While SAT+ programs make progress, they are still only a stepping stone to full Human Risk Management (HRM).
With a mature HRM approach, the outcomes become even more dramatic. According to Cyentia’s longitudinal research, organizations that adopt HRM practices cut their population of risky users by half in just 12 months — from 43% to 21% — delivering measurable, sustained risk reduction that drives real business impact.
These results aren’t just training metrics — they represent reduced exposure, faster detection, and measurable risk reduction that can be reported to executives and boards.
In other words: risk-driven security and awareness programs can reduce risk, but HRM transforms it into a managed business function tied to the human element.
Phishing is not just a technical problem — it’s a cultural one. Employees need to know what to do when they see something suspicious, and they need to care enough to act.
That’s why Living Security focuses on building a security-first culture through tools like:
These initiatives transform security from a box-checking exercise into a shared mission — where managers coach their teams, executives model behavior, and every employee sees how their actions contribute to reducing risk.
One of the most important lessons from the WSJ article is that phishing failures are not an individual problem — they’re a systemic risk. Without visibility, security teams are left reacting to incidents instead of preventing them.
Organizations that implement Human Risk Management gain 5X greater visibility into risky and vigilant behaviors — not just phishing clicks, but logins, data sharing, reporting rates, and more. This expanded visibility allows security teams to:
When risk is visible — and managers are empowered to act — accountability becomes shared, prevention improves, and security culture gets stronger.
Phishing simulations and static awareness modules raise awareness — but they don’t provide the full picture of human risk and do little to change behavior when delivered out of context.
As we highlight in our HRM Buyer’s Guide, the next step is to connect identity, threat, and behavior data into a single model that drives targeted action and measurable outcomes. Without this context, organizations risk measuring activity instead of actual risk reduction.
If your goal is to prove a safer workforce, it’s time to move beyond training alone and embrace a full Human Risk Management strategy.
Want proof this works? See how a major healthcare organization switched from its previous provider to Living Security and transformed its HRM program in under one quarter. It automated scorecards, eliminated manual reporting, and expanded coverage to over 70,000 employees. Living Security’s platform ingested complex behavior data, integrated with the organization’s LMS to turn insights into real behavior change, and tied scorecards to true risk — not just phishing events. The result? A frictionless program that increased leadership confidence and proved measurable risk reduction at scale. Read the full success story.
The WSJ headline may grab attention, but it overlooks the evolution of security programs happening right now. The industry is moving beyond compliance and into risk-driven, data-informed programs that prove outcomes.
At Living Security, we believe that phishing can be defeated — not by more training alone, but by combining visibility, context, and culture-building to change how people think, act, and respond.
It’s not about proving employees took training. It’s about proving risk is going down. Reach out to us to learn how we can transform your workforce into a human firewall.