Humans are the biggest risk to an organization’s cybersecurity posture, and it might be a bigger risk than many realize. According to research from Elevate Security, human behavior had a direct role in 88% of total losses in the largest cybersecurity incidents over the past five years and about two-thirds of major data breaches are the result of humans.

To eliminate—or at least decrease—the human risk element, organizations have relied on security awareness training. After all, it’s hard to prevent what you don’t understand. Many organizations focus their education on detecting phishing and social engineering tactics. But how effective is security awareness training? It might not be as impactful as we thought.

Elevate Security’s study examined real-world attack data, including phishing, email security and malware, and what the research found was, except for slightly decreasing phishing click rates, security awareness training has no significant impact on thwarting attacks.

The most surprising discovery is that an increase in attack simulations and training can actually be counterproductive. A user who has sat through five or more training sessions is more likely to click on a phishing link than someone with no training.

“The data found conclusively that traditional security awareness training and mock phishing exercises have little effect on protecting the organization. These one-size-fits-all programs fulfill compliance and audit purposes, but aren’t doing a good job at actually reducing risk,” said Masha Sedova, co-founder and chief product officer of Elevate Security, in a formal statement.

Too Much of a Good Thing?

The report found that while click rates of those with three rounds of training drop significantly from those with no training, security awareness training will never get users to a zero click rate—not even close, in fact. Click rates never seem to fall below 5%. Is too much training too much of a good thing? It seems so. Perhaps after five sessions, users feel more confident about their ability and aren’t as careful?

“Effective programs need to find the right balance between user discernment and desensitization because over-training and over-simulation are valid concerns. So, while training and simulation might help some users, they won’t solve the human risk. That means we need to find other ways to address it,” according to the report.

Look at Individuals, Not the Group

If your organization looks at security posture in terms of groups or teams—i.e., the IT department performs better than HR or legal in cybersecurity awareness—you might want to end that practice. You may also want to eliminate any group training sessions. When it comes to security awareness, it is all about the individual’s performance.

For example, when phishing simulations were done in isolation, only 6% of individuals were hooked by the scam. Increase the number of simulations and participants and that number jumps to 40%. And because click rates never reach zero even with training, someone in your organization will fall for the phish. That’s working with simulated phishing attacks in a training situation. Real phishing attacks produce a different outcome.

The problem with simulated attacks is they follow a scheduled rhythm that doesn’t necessarily match the reality. Simulated attacks tend to be sent early in the morning; real phishing appears to peak nearer to closing time. Users tend to interact with a phishing email when it is sent, so they’re more likely to click on something sent at 4 p.m. as it lands in the inbox rather than one that was sent at midnight and was in the inbox when the user first logged on in the morning. This could be impacting the reliability of the training sessions and simulations.

Elevate Security is just beginning this research into the effectiveness of security awareness training and human behavior, but on the surface, it appears that education needs to do a better job of mimicking real-time attacks. The anticipated timing of simulated email could be impacting behavior, as well as training that looks at the group rather than the individual.

But most importantly, the study concluded, “Don’t rely on security awareness training or more phishing simulations to address human risk because it’s more than just a knowledge problem.”