The 2025 Verizon DBIR has a number that should change how you think about security training budgets.

The median phishing click rate after years of repeated, ongoing simulation training: 1.5%.

The Verizon 2025 DBIR tracked over 22,000 incidents across 139 countries. The researchers stated it plainly: the failure rate was unaffected by training.

Not "slightly improved." Not "trending in the right direction." Unaffected.

If your organization runs quarterly phishing simulations and your click rate is 1%, you have not solved the problem. You have measured it. Those are different things.