Frequent short training sessions produce significantly stronger retention than annual compliance marathons — the cognitive science is clear, even though the industry's specific marketing numbers are made up.
Most security awareness programs are built on a schedule that contradicts how the brain actually learns. Annual hour-long compliance training ignores over a century of cognitive research on memory, attention, and skill acquisition. The science is clear: distributed practice in short sessions produces stronger, longer-lasting learning than concentrated single sessions — and the gap is not small. Here's what the peer-reviewed research actually shows.
How fast do people really forget what they learn?
Without reinforcement, the brain loses access to new information rapidly — but not as fast as most vendors claim. Hermann Ebbinghaus established the forgetting curve in 1885 using nonsense syllables, and Murre and Dros replicated his results in PLOS ONE (2015), confirming the core pattern with 99% variance explained. After one day, relearning the same material took about 66% as long as the first time — a 33.7% savings score. After 31 days, savings dropped to 21.1%.
The critical nuance: Ebbinghaus measured relearning efficiency, not percentage recalled. The widely repeated claim that "we forget 70% within 24 hours" misreads his savings metric as a recall percentage — these are fundamentally different measurements. Additionally, Ebbinghaus studied meaningless syllables. His own experiments with meaningful content (Byron's poetry) showed dramatically slower forgetting. Security training content — phishing scenarios, password policies, social engineering tactics — is meaningful, contextualized information that decays more slowly than nonsense syllables.
What the forgetting curve does confirm: information presented once, without retrieval practice, degrades quickly. Information revisited at intervals moves into long-term memory. That finding has been replicated hundreds of times and remains the strongest argument for recurring training over annual sessions.
Does spaced practice actually produce better results than cramming?
Spaced practice (distributing learning across multiple sessions over time) consistently outperforms massed practice (concentrating learning into a single session) across every meta-analysis conducted on the topic. Dunlosky et al. (2013, Psychological Science in the Public Interest) reviewed ten learning techniques and rated only two as "high utility": distributed practice and practice testing. Both outperformed popular methods like highlighting, rereading, and summarization.
The effect sizes are meaningful. Donovan and Radosevich's 1999 meta-analysis in the Journal of Applied Psychology (63 studies, 112 effect sizes) found an overall weighted effect of d = 0.46 — meaning the average spaced-practice learner outperformed roughly 67% of massed-practice learners. Cepeda et al. (2006, Psychological Bulletin) synthesized 839 assessments from 317 experiments and found the effect was consistent across age groups, content types, and experimental designs.
Cepeda et al. (2008, Psychological Science) tested over 1,350 participants with study gaps up to 3.5 months and retention tests up to one year. In specific conditions, spacing doubled test scores at a four-week delay compared to massed practice. Their key finding for training design: the optimal gap between sessions is roughly 10–20% of the desired retention period. To retain knowledge for six months, space sessions approximately 2–4 weeks apart.
Source | Year | Studies reviewed | Key finding |
|---|---|---|---|
Donovan & Radosevich, J. Applied Psychology | 1999 | 63 studies | Overall effect d = 0.46 for spaced vs. massed practice |
Cepeda et al., Psychological Bulletin | 2006 | 317 experiments (839 assessments) | Spacing effect consistent across age, content, and design |
Cepeda et al., Psychological Science | 2008 | 1,350+ participants | Optimal gap ≈ 10–20% of desired retention interval |
Dunlosky et al., Psych. Science in the Public Interest | 2013 | 10 techniques reviewed | Distributed practice rated "high utility" — top tier |
Why does retrieval practice matter more than re-exposure?
Testing yourself on material produces stronger long-term retention than restudying the same material — even when restudying feels more productive. This is the testing effect, and it compounds the benefits of spacing.
Roediger and Karpicke (2006, Psychological Science) demonstrated a striking crossover: restudying outperformed testing when measured after five minutes, but testing dramatically outperformed restudying at one week. The repeated-test group forgot only 13% of the material, versus 56% for the repeated-study group. Rowland's 2014 meta-analysis in Psychological Bulletin (159 effect sizes) found retrieval practice produced a mean effect of g = 0.50 over restudying, rising to g = 0.73 when feedback was provided after retrieval attempts.
For security training, this means passive content consumption (watching videos, reading slides) is significantly less effective than active formats that require the learner to respond — identifying phishing indicators, classifying threat types, choosing the correct action in a scenario. The retrieval attempt itself strengthens the memory trace, independent of whether the answer is initially correct.
Is the "10-minute attention span" real?
No. Two independent academic reviews have traced this claim to its origins and found it unsupported by primary data.
Bradbury (2016, Advances in Physiology Education) conducted a thorough literature review and found that the most frequently cited source for the 10–15 minute decline — a 1978 manuscript by Hartley and Davies — was actually a study on note-taking that barely discussed attention. Of the studies that did attempt to measure attention directly, many relied on subjective outside observation with significant methodological limitations. Bradbury concluded that the available primary data do not support a fixed 10–15 minute attention limit, and that the biggest driver of attention variability was instructor quality, not session length.
Wilson and Korn (2007, Teaching of Psychology) reached the same conclusion independently, finding that the most commonly cited sources were secondary references and personal anecdotes, not empirical studies.
Bunce, Flens, and Neiles (2010, Journal of Chemical Education) used clicker-based self-reporting in chemistry lectures and found attention does not decline linearly after 10 minutes. Instead, it fluctuates in cycles throughout a session, with active learning segments (questions, demonstrations) significantly reducing subsequent lapses.
What IS supported: working memory can hold approximately four items simultaneously (Cowan, 2001, Behavioral and Brain Sciences) and unreheared information decays within roughly 20 seconds. This supports chunking content into focused segments — but the optimal segment length depends on complexity and learner expertise, not a universal biological timer.
What does the research say about optimal training video length?
Guo, Kim, and Rubin (2014, ACM Learning @ Scale) analyzed 6.9 million video watching sessions across four edX MOOCs — the largest empirical study on video engagement in online learning. Their primary finding: engagement peaked for videos shorter than six minutes. For videos longer than 12 minutes, median engagement dropped to approximately 3 minutes regardless of total video length.
Two important caveats apply. First, this study measured engagement (proportion of video watched and problem attempts), not learning outcomes. Students may learn effectively from longer content that they don't watch in one sitting. Second, the data came from self-paced MOOC learners who could leave at any time — a very different context from workplace training with accountability structures.
Evans et al. (2016) studied 44 MOOCs and found no negative effects of video length in the 5–20 minute range, suggesting the relationship between duration and learning is more nuanced than a hard six-minute cutoff. The safest conclusion: shorter is generally better for engagement, but the specific optimal duration depends on content complexity, learner motivation, and delivery format.
How does sleep affect training retention?
Sleep plays a direct, measurable role in memory consolidation — and this is part of why spacing works better than cramming. Diekelmann and Born (2010, Nature Reviews Neuroscience) established that slow-wave sleep supports the consolidation of declarative memories (facts, concepts, procedures) through hippocampal-neocortical replay, while REM sleep primarily benefits procedural and emotional memory.
Walker et al. (2002, Neuron) measured a 20% improvement in motor task speed after a single night of sleep with no additional practice — an improvement absent after an equivalent period of wakefulness. Murre and Dros (2015) observed a recovery bump in recall at the 24-hour mark in their forgetting curve replication, consistent with sleep-dependent consolidation.
The practical implication for training design: learning sessions separated by at least one night of sleep allow the brain to consolidate each session's content before the next one. This provides a neurological mechanism for the spacing effect and argues against multi-hour training marathons completed in a single sitting.
Does security awareness training actually reduce breaches?
The evidence is mixed and significantly more complex than vendor marketing suggests. A 2024 meta-analysis from Leiden University (Prümmer, van Steen, and van den Berg, Computers & Security, Vol. 150, 69 studies) found that security awareness training produces a strong effect on knowledge and attitudes (d = 1.02) but only a small, non-significant effect on actual security behavior (d = 0.36, CI [-0.09, 0.80]). Training reliably changes what people know and believe. It has not been reliably shown to change what people do.
Outcome measured | Effect size (d) | Statistical significance |
|---|---|---|
Security knowledge & attitudes | 1.02 | Significant |
Actual security behavior | 0.36 | Not significant (CI crosses zero) |
Source: Prümmer et al., 2024, Computers & Security, 69 studies
Vendor data tells a different story. KnowBe4's 2025 benchmarking report (67.7 million simulated phishing emails, 14.5 million users) shows baseline phish-prone rates of 33.1% dropping to 4.1% after 12 or more months of continuous training with simulated phishing — an 86% reduction. However, this is self-reported vendor data without independent control groups or peer review, and the use of simulated phishing rather than real attacks limits generalizability.
Ho et al. (2025, IEEE Symposium on Security and Privacy) studied anti-phishing training at a fintech company and found no evidence that annual training correlated with reduced phishing failures. They also found that users spent less than 30 seconds viewing embedded training content after clicking simulated phishing links.
ETH Zurich researchers (Lain et al., 2022; Schöni et al., 2024) tracked over 14,000 employees for 15 months and found that post-click embedded training did not improve phishing resilience — and in some cases increased overconfidence.
How quickly do security training effects decay?
Marshall et al. (2024, Computers & Security) reviewed 42 studies on phishing training and found that training effects sustained for a maximum of approximately six months, with only 12% of studies examining retention beyond eight weeks. One university study found cybersecurity knowledge gains of 12–17% that wore off within a single month.
The most actionable data point comes from the Verizon DBIR 2025: employees who had received training within the last 30 days were four times more likely to report phishing attempts (21% vs. 5% baseline). Click-rate reduction was less dramatic — roughly a 5% relative improvement per training event. This suggests training's greatest value may be in building reporting behavior rather than preventing all clicks — a fundamentally different success metric than most programs measure.
What does this mean for training design?
The cognitive science converges on several evidence-based principles for security awareness training design.
Space sessions across time, don't mass them. The spacing effect (d = 0.46–0.85 across meta-analyses) is one of the most replicated findings in psychology. Training effects in security specifically decay within 1–6 months, making monthly or biweekly reinforcement far more effective than annual compliance sessions using the same total time.
Require active retrieval, not passive viewing. The testing effect (g = 0.50–0.73) shows that requiring learners to recall, identify, or apply knowledge produces dramatically better retention than re-reading or re-watching the same content. Phishing simulations, scenario quizzes, and identification exercises leverage this mechanism.
Keep individual segments focused. Working memory limits (~4 chunks) and video engagement data (peak engagement under 6 minutes) support shorter, focused content segments. The exact optimal length depends on complexity, but the research supports keeping individual learning moments under 10 minutes for most content.
Leverage sleep consolidation. Separate training sessions by at least one day to allow sleep-dependent memory consolidation between episodes. This is part of why distributed practice works — the brain needs offline processing time.
Measure behavior, not just knowledge. The Leiden meta-analysis (d = 1.02 for knowledge, d = 0.36 for behavior) reveals a critical gap. Quiz scores after training demonstrate knowledge change, not behavior change. Phishing simulation click rates, reporting rates, and incident data are closer proxies for actual security improvement.
Principle | Supporting evidence | Effect size |
|---|---|---|
Space sessions over time | Donovan & Radosevich, 1999; Cepeda et al., 2006, 2008 | d = 0.46–0.85 |
Use retrieval practice with feedback | Rowland, 2014; Roediger & Karpicke, 2006 | g = 0.50–0.73 |
Keep segments focused and short | Guo et al., 2014; Cowan, 2001 | Peak engagement < 6 min |
Separate sessions by sleep | Diekelmann & Born, 2010; Walker et al., 2002 | 20% motor improvement overnight |
Measure behavior, not just knowledge | Prümmer et al., 2024 | Knowledge d = 1.02 vs. behavior d = 0.36 |
Active learning over passive lectures | Freeman et al., 2014, PNAS | d = 0.47; 55% higher failure rate in lectures |
What claims should you not believe?
Several statistics commonly repeated in security training marketing are either fabricated, misattributed, or significantly distorted from their original sources.
Common claim | Reality | Why it's wrong |
|---|---|---|
"We forget 70% within 24 hours" | Ebbinghaus found 33.7% savings at 24 hours | Conflates relearning efficiency with recall percentage |
"Microlearning improves retention by 80%" | No peer-reviewed source exists for this figure | Appears to be a marketing invention |
"Attention spans are 8 seconds" | Fabricated; traced to a dead-end citation chain | Originated from a Microsoft Canada marketing report citing an untraceable source |
"People can only focus for 10 minutes" | Debunked by Bradbury (2016) and Wilson & Korn (2007) | Based on flawed note-taking studies, not attention measurement |
"90% of breaches involve human error" | Verizon DBIR 2025 reports ~60% human element | The 90% figure traces to an unverifiable IBM report using a very broad definition |
"Training reduces phishing by 5x" | No controlled study supports this multiplier | Back-of-napkin math, not research |
Frequently asked questions
How often should security awareness training be conducted?
The optimal spacing depends on the desired retention interval. Cepeda et al. (2008) found the ideal gap between learning sessions is roughly 10–20% of the time you want knowledge retained. For year-round security awareness, this translates to sessions every 2–4 weeks. The Verizon DBIR 2025 found employees trained within the last 30 days were four times more likely to report phishing — the strongest frequency-specific data point available for security training specifically.
What is the ideal length for a security training session?
No single study definitively answers this for security content. The best available evidence comes from Guo et al. (2014), who found video engagement peaks under six minutes in online learning, and from Cowan (2001), who established working memory limits of approximately four items. Combined with the spacing effect literature, the research supports focused sessions under 10 minutes paired with active retrieval exercises — though the optimal length will vary by content complexity and delivery format.
Does security awareness training actually prevent breaches?
The evidence shows training reliably improves knowledge (d = 1.02) but has not been shown to reliably change behavior (d = 0.36, not statistically significant) according to a 2024 meta-analysis of 69 studies. Vendor data from KnowBe4 shows an 86% reduction in simulated phishing click rates after 12 months of continuous training, but this lacks independent verification. The most honest answer: training is a necessary layer in defense-in-depth, but it should not be relied upon as the primary control against human-targeted attacks.
Is annual compliance training enough?
No. Marshall et al. (2024) found security training effects decay within approximately six months at most, with one study showing knowledge gains eroding within a single month. Annual training means employees operate without reinforcement for most of the year. The cognitive science is unambiguous: distributed practice across multiple shorter sessions produces stronger retention than a single concentrated session of equal total duration.
What is the spacing effect?
The spacing effect is the finding that distributing learning across multiple sessions over time produces stronger long-term retention than concentrating the same amount of learning into one session. First documented by Hermann Ebbinghaus in 1885 and replicated in hundreds of studies since, it is one of the most robust findings in cognitive psychology. Dunlosky et al. (2013) rated it as one of only two "high utility" learning strategies out of ten reviewed.
