The 2025 Verizon DBIR has a number that should change how you think about security training budgets.
The median phishing click rate after years of repeated, ongoing simulation training: 1.5%.
The Verizon 2025 DBIR tracked over 22,000 incidents across 139 countries. The researchers stated it plainly: the failure rate was unaffected by training.
Not "slightly improved." Not "trending in the right direction." Unaffected.
If your organization runs quarterly phishing simulations and your click rate is 1%, you have not solved the problem. You have measured it. Those are different things.










