There are many variations of passages of Lorem Ipsum available, but the majority have suffered alteration in some form, by injected humour believable.

4140 Parker Ave, St. Louis, MO 63116


      Why Security Training Doesn't Stick: Repetition and Safe Failure

      Without repetition, reflection, and safe failure, training evaporates within weeks. The learning science behind training that changes behavior.

      Shortcuts:

      Why your security training doesn't stick, and what actually works

      Many organizations train their employees once a year and hope for the best. The science of learning tells a different story: without repetition, reflection, and safe failure, training evaporates within weeks.

      In this article:

      The forgetting curve: why knowledge fades fast

      What "safe failure" means in cybersecurity training

      The three learning principles that actually change behavior

      How to redesign your training program today

      The forgetting curve: knowledge has a half-life

      In the 1880s, German psychologist Hermann Ebbinghaus mapped how quickly humans forget new information without reinforcement. His findings, now called the Ebbinghaus forgetting curve, show that within a week of learning something new, most people retain less than a quarter of it.

      For cybersecurity training, this is a critical problem. An annual all-hands session, however well designed, is largely ineffective by the time a phishing email arrives three months later. The employee who passed the quiz in January has forgotten most of it by April.

      The solution is not better content. It is better timing and structure.

      You don't become a good driver by reading a manual. You learn through practice, feedback, and repetition. Cybersecurity training works exactly the same way.

      Safe failur

      What "safe failure" means and why it works

      Safe failure is the practice of letting people make mistakes in a controlled environment with no real consequences, and then immediately showing them what they got wrong and why.

      In cybersecurity, this looks like a phishing simulation: a realistic fake phishing email sent to an employee. If they click the link, nothing bad actually happens. Instead, they see an immediate, non-judgmental explanation of the red flags they missed. That moment, the surprise, the mild embarrassment, the instant feedback, is powerful. It creates exactly the kind of emotionally charged learning experience that converts short-term memory into lasting behavioral change.

      Research in learning science consistently shows that people who learn from their own mistakes retain information far better than people who are simply told what to do. Failure, in a safe environment, is a feature, not a bug.

      Three principles that change behavior long-term

      Spaced repetition

      Revisiting content at increasing intervals, rather than all at once, dramatically strengthens retention. The spacing effect has been replicated in study after study since Ebbinghaus.

      Micro-learning

      Short, focused lessons of under five minutes reduce cognitive overload and are completed at far higher rates than long modules. The brain absorbs more when it isn't overwhelmed.

      Safe failure

      Simulated attacks let people experience mistakes without real consequences. The emotional salience of "I nearly fell for that" creates memory traces that passive learning never can.

      Why cognitive overload kills training effectiveness

      Traditional security training often tries to cover everything in one go: phishing, passwords, GDPR, device security, data handling, all in a single 45-minute session. This does not just reduce retention; it actively harms it.

      Cognitive load theory, developed by educational psychologist John Sweller, shows that working memory has a strict capacity limit. When a training session exceeds it, the brain starts discarding information to cope. The learner finishes the course, clicks "complete," and retains almost nothing.

      Micro Training solves this by covering one topic at a time, at the moment it is most relevant, keeping content within the brain's processing capacity.

      Annual training vs. continuous learning

      Annual training: one long session per year, the same content for every employee, knowledge that fades within weeks, no feedback loop on real behavior, and completion as a checkbox rather than a change.

      Continuous learning: short lessons delivered regularly, personalized to each user's risk profile, spaced repetition that keeps knowledge active, simulations that reveal actual behavior, and measurable, lasting behavior change.

      How to redesign your training program

      1. Switch from annual to ongoing

      Replace your once-a-year session with a continuous program of short lessons delivered throughout the year. Even monthly five-minute modules dramatically outperform an annual 60-minute course.

      2. Run phishing simulations regularly

      Send realistic simulated phishing emails, and smishing texts, to your employees. When they fall for one, they get immediate, non-punitive feedback. Track who clicks over time and watch the rate drop.

      3. Apply spaced repetition to key topics

      Don't cover phishing once and move on. Revisit it after a week, then a month, then three months. The same applies to GDPR, password hygiene, and device security: return to them at increasing intervals.

      4. Measure behavior, not just completion

      Completion rates tell you who clicked through a course. Simulation click rates tell you who would actually fall for a real attack. Track the latter; it is the metric that matters for security. Nimblr's Awareness Level combines these signals into one measurable score.

      How Nimblr applies this

      Nimblr's platform is built around exactly these principles. Security awareness training is delivered in micro-training format: bite-sized, mobile-friendly lessons sent at the right intervals. Phishing and smishing simulations run continuously, with immediate teachable-moment feedback when someone clicks.

      Behind the platform is a team of behavioral experts and learning designers who have translated decades of behavioral research into a training system that measurably reduces risky behavior over time, not just on the day of the course. For a deeper look at the knowing-versus-doing gap, read why security awareness training must move beyond knowledge.

      Ready to move beyond the annual tick-box? Book a demo and see how Nimblr builds lasting security habits across your whole organization.

      FAQ

      FAQ: Repetition and safe failure

      What is the Ebbinghaus forgetting curve?

      The forgetting curve, described by Hermann Ebbinghaus in the 1880s, shows how quickly humans forget new information without reinforcement. Without review, most people retain less than 25% of new material within a week. Spaced repetition, reviewing content at increasing intervals, is the most effective countermeasure.

      What is spaced repetition in security training?

      Spaced repetition means revisiting key concepts at carefully timed intervals, for example immediately after learning, then after a day, a week, a month, and three months. Each review strengthens the memory trace, making the knowledge increasingly durable.

      Is it ethical to run phishing simulations on employees without telling them?

      Employees should know that simulations are part of the organization's security program, but not when a specific simulation is coming, as that defeats the purpose. The key is that simulations are non-punitive and followed by supportive feedback, not blame.

      How often should security awareness training run?

      Short, frequent touchpoints significantly outperform quarterly or annual sessions. For phishing simulations, regular campaigns using a mix of techniques and difficulty levels keep employees alert without creating fatigue.

      Author
      Nimblr Security Awareness
      Nimblr Security Awareness
      The Nimblr team is made up of people who are passionate about cyber security, developing training for real people, and tracking behavioral change.
      Get a personalized demo session at your convenience. Book a demo and let one of our experts walk you through Nimblr solution, the platform, and how quickly you can get started.