We have audited enough security awareness programmes to see a recurring pattern: year one shows enthusiastic uptake, real engagement, and measurable behavioural change. Year two regresses. Year three is often indistinguishable from no programme at all.
The cause is almost never the training content. It is the lack of variety, the absence of progression, and the fact that the programme stops being something the organisation pays attention to.
The fix has three components, in our experience: annual format rotation, genuine simulation refresh, and executive visibility.
On format rotation: long-form courses one year, micro-learning the next, scenario-based tabletops the third. The cadence keeps the experience fresh and prevents the format from becoming the message. Employees who would tune out a fourth annual security course will engage with a tabletop that asks them to play through an incident scenario.
On simulation refresh: the simulation library has to change continuously to reflect the current threat picture. Programmes that recycle the same lure families across multiple years produce excellent metrics on those families and progressively worse generalised resilience.
On executive visibility: programmes that drop off the senior leadership agenda after year one stop being seen as a priority by the workforce. Quarterly KPIs reviewed by the security committee, board-level visibility of the reporting-rate trend, explicit acknowledgement of progress — these are not optional governance overhead; they are structural inputs into whether the programme continues to deliver behavioural change.
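The two metric problems described above, recycled lure families that inflate per-family results while generalised resilience degrades, and the reporting-rate trend that leadership should be reviewing each quarter, can both be surfaced from the same simulation records. The following is an added example written for this page, not code from any awareness platform; the record shape (`SimResult`), the one-year "novel lure" threshold and the sample results are all constructed assumptions.

```python
"""Phishing-simulation KPIs that expose recycled-lure overfitting and the
quarterly reporting-rate trend. Added example with constructed data; the
record layout and thresholds are assumptions, not any vendor's schema."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class SimResult:
    sent: date          # date the simulated lure was sent
    lure_family: str    # e.g. "invoice", "mfa-fatigue" (assumed labels)
    first_used: date    # date this family first entered the simulation library
    clicked: bool       # recipient interacted with the lure
    reported: bool      # recipient reported it through the sanctioned channel


def quarter(d: date) -> str:
    """Calendar quarter label such as '2024Q3'."""
    return f"{d.year}Q{(d.month - 1) // 3 + 1}"


def is_novel(r: SimResult, max_age_days: int = 365) -> bool:
    """A family counts as novel if it entered the library within max_age_days
    of the send; older families are 'recycled' (threshold is an assumption)."""
    return (r.sent - r.first_used).days <= max_age_days


def rates(results: list) -> dict:
    """Click and report rates for one bucket of results."""
    n = len(results)
    if n == 0:
        return {"n": 0, "click_rate": None, "report_rate": None}
    return {
        "n": n,
        "click_rate": sum(r.clicked for r in results) / n,
        "report_rate": sum(r.reported for r in results) / n,
    }


def quarterly_kpis(results: list, max_age_days: int = 365) -> dict:
    """Per quarter, rates split into 'recycled' and 'novel' lure buckets."""
    by_q = defaultdict(lambda: {"recycled": [], "novel": []})
    for r in results:
        bucket = "novel" if is_novel(r, max_age_days) else "recycled"
        by_q[quarter(r.sent)][bucket].append(r)
    return {q: {k: rates(v) for k, v in b.items()} for q, b in sorted(by_q.items())}


def flag_overfitting(kpis: dict, min_gap: float = 0.25, min_n: int = 10) -> list:
    """Quarters where the recycled-lure report rate exceeds the novel-lure
    report rate by at least min_gap: good numbers on familiar lures masking
    weak generalised resilience. Both buckets need min_n sends to count."""
    flagged = []
    for q, b in kpis.items():
        rec, nov = b["recycled"], b["novel"]
        if rec["n"] < min_n or nov["n"] < min_n:
            continue
        if rec["report_rate"] - nov["report_rate"] >= min_gap:
            flagged.append(q)
    return flagged


def report_rate_trend(results: list) -> list:
    """Headline (quarter, overall report rate) series for committee review."""
    by_q = defaultdict(list)
    for r in results:
        by_q[quarter(r.sent)].append(r)
    return [(q, round(rates(v)["report_rate"], 3)) for q, v in sorted(by_q.items())]


def _batch(sent, family, first_used, n, clicked, reported) -> list:
    """Build n constructed results with the given click/report counts."""
    return [SimResult(sent, family, first_used, i < clicked, i >= n - reported)
            for i in range(n)]


# Constructed sample: a family recycled since 2022 keeps scoring well while
# each newly introduced family is reported less often than the last.
SAMPLE = (
    _batch(date(2024, 2, 14), "invoice", date(2022, 1, 1), 10, clicked=1, reported=8)
    + _batch(date(2024, 2, 21), "mfa-fatigue", date(2024, 1, 10), 10, clicked=3, reported=6)
    + _batch(date(2024, 8, 6), "invoice", date(2022, 1, 1), 10, clicked=0, reported=9)
    + _batch(date(2024, 8, 20), "qr-code", date(2024, 7, 1), 10, clicked=5, reported=3)
)

if __name__ == "__main__":
    kpis = quarterly_kpis(SAMPLE)
    for q, b in kpis.items():
        print(q, "recycled:", b["recycled"], "novel:", b["novel"])
    print("overfitting flagged in:", flag_overfitting(kpis))
    print("headline trend:", report_rate_trend(SAMPLE))
```

On the constructed data the headline reporting rate only slips from 0.7 to 0.6, which a quarterly slide could pass off as noise, while the recycled-versus-novel split shows the gap widening from 0.2 to 0.6. Reviewing the split alongside the headline trend is what turns the "simulation refresh" point into something the security committee can actually see.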
When clients implement those three together, the second-year drop disappears. Each by itself helps; together they change the underlying trajectory of the programme.