cofense.com 4/30/2026, 2:01:09 PM

Why Generic Phishing Training Misses Real Inbox Threats

The Cofense piece "Training on Fiction While the Real Threat is in Your Inbox" argues that security awareness programmes have evolved but still rely too heavily on outdated, generic simulations. It notes that phishing remains the dominant initial access vector and that real campaigns are getting smarter with AI, so legacy templates reflect current threats less and less.

It emphasises that success should be measured by whether employees report suspicious emails, not just by whether they avoid clicking, and warns that training aimed at passing a test can leave organisations exposed to real attacks.

The article cites Verizon’s 2025 Data Breach Investigations Report, which shows phishing as a direct initial access vector in 16% of breaches and stolen credentials in 22%, with human factors involved in about 60% of breaches; Cisco Talos is also cited, with phishing involved in initial access in 50% of its engagements.

It advocates threat-informed training that aligns content with the campaigns actually targeting an organisation’s industry, and highlights guidance from the SANS 2024 Security Awareness Report and NIST SP 800-50 Rev 1 (2024) as supporting the shift from awareness training as a compliance artefact to awareness training as an intelligence layer.


Article by CyberSIXT