Your finance team aced the simulation. Click rate under 2%. Reporting rate up. The CISO breathes out, the board slide writes itself, and everyone moves on to the next fire.
Three months from now, most of that awareness is already gone. Six months from now, statistically, it's as if the simulation never happened.
This isn't cynicism - it's the actual shape of the data, and it's the problem Frame was built to solve.
The decay curve is real, and it's shorter than you think
In a longitudinal study presented at a 2020 security conference, researchers found that employees were significantly better at spotting phishing emails immediately after training and at the four-month mark, but by the six-month mark, the improvement had disappeared entirely.
The exception that proves the rule
Here's the interesting part. When researchers followed 1,300+ employees across 20 companies for 12 months under a continuous program - simulations every few weeks, immediate feedback, mandatory micro-training after a failure - the pattern broke. The rate of unsafe actions declined by roughly half within the first six months, from 8.5% to 4.2%, and then stabilized near the industry benchmark of 4.1%.
That's a real result. But notice what produced it: not better content, not a more shocking video, not a cleverer lure. Just consistent exposure and short, timely feedback when something went wrong.
A separate 2024 ETH Zurich study went further and teased apart which part of a training program was doing the work. The main driver of effectiveness wasn't the content of the training modules - which even the most susceptible participants described as unhelpful - but the regular "nudges" reminding them that phishing exists and matters.
Read that again. The reminders were doing more work than the training. That's a finding most awareness programs aren't structured to act on. Frame is.
So what actually extends the half-life
Shorter, more frequent touches beat big annual events. A 45-second microlearning after a simulated click outperforms a 30-minute annual module. The annual module is a single, decaying dose. The microlearning is reinforcement.
Timing matters more than content. A nudge the week before payroll runs, the day an M&A deal is announced, or the morning after a publicly reported breach in your industry is worth ten generic "October is Cybersecurity Awareness Month" emails.
Report rate decays too. People who were quick to flag suspicious emails in February get quieter by July unless you keep the reporting muscle warm. Track mean time to report as a leading indicator - when it starts drifting up, your half-life is catching up with you.
Stop measuring the peak. Click rate the week after a campaign is your best-case number. The honest number is the one six weeks later, when nobody's watching.
Building a program around shorter touches, in-the-moment nudges, sustained reporting, and honest measurement is what Frame does.
The uncomfortable conclusion
One simulation per quarter is not a program. It's a snapshot of awareness at a moment when awareness is artificially high, followed by twelve weeks of slow forgetting. The organizations that actually move the needle aren't running more impressive simulations. They're running smaller, more frequent ones, with feedback that arrives within seconds and nudges that land in the moments when risk is real. Frame is built to run programs exactly like that.
Awareness, like any learned behavior, is a decaying asset. Your program is either topping it up or watching it fall.
Frame is the human risk management platform built around the half-life problem: small, continuous simulations, deepfake micro-videos that deliver the nudge at the moment of failure, and role-based content that keeps the finance team's training different from engineering's. If your program is still running on a quarterly cadence, the math is not on your side. Book a demo today.


