Welcome to The Illumenati. If your organization's idea of security training is corralling everyone into a conference room once a year to watch a video that was probably produced when flip phones were still cutting edge — your users are playing on hard mode without any power-ups.
Here's the reality: that annual training video your employees click through while checking their phones? It's about as effective as trying to beat the Water Temple in Ocarina of Time blindfolded. The research is clear, the industry leaders agree, and the data is brutal. It's time to press the reset button on how we approach security awareness.
In this issue, we're going to break down why the old model is broken, what the power-ups look like, and introduce you to an open-source tool that turns security training into an actual game. Let's go.
> LEVEL 1: INTEL DROP
The Human Element: Still the Final Boss
The 2025 Verizon Data Breach Investigations Report confirmed what we've been saying for years: nearly 60% of breaches involve a human element — whether through error, social engineering, or misuse of credentials. People aren't the weakest link because they're careless. They're the weakest link because we're not equipping them properly.
The threat landscape is evolving faster than a speed run through Mega Man. AI-generated phishing emails are nearly indistinguishable from legitimate ones. Deepfake voice calls are fooling finance teams. And we're still handing our employees a dusty training video and hoping for the best.
> LEVEL 2: GAME OVER FOR ANNUAL TRAINING

The Forgetting Curve: Your Worst Enemy
The Ebbinghaus Forgetting Curve — a principle from cognitive science — tells us something devastating about one-and-done training: people forget roughly 50% of new information within one hour, 70% within a day, and up to 90% within a week without reinforcement. That annual training video? By the time your employees grab lunch the next day, most of what they watched is already gone.
A landmark study published at USENIX SOUPS 2020 surveyed over 400 employees after phishing awareness training. The finding? While the majority could identify phishing emails four months after training, those who went six months or longer without reinforcement lost the benefits entirely. ISACA now explicitly recommends retraining every four to six months — not once a year.

Compliance Theater: The Click-Through Speedrun
Let's call it what it is. Most annual security training exists to satisfy a compliance checkbox, not to change behavior. Employees treat it accordingly — clicking through slides as fast as the UI will allow, like they're trying to set a speedrun record.
This isn't just anecdotal frustration. The data backs it up:
Gartner Says: New Game+
Even the analysts are done with the old model. Gartner predicts that by 2027, half of all cybersecurity programs will prioritize behavioral transformation over awareness. They've coined a new term for what replaces annual training: Security Behavior and Culture Programs (SBCPs) — programs that take seriously the task of reducing cyber risk by effecting real, lasting change in employee behaviors and corporate culture.
In their 2026 cybersecurity trends report, Gartner found that over 57% of employees use personal GenAI accounts for work and 33% admit inputting sensitive information into unapproved tools. Annual training can't keep pace with how fast the risk landscape is shifting. It's like trying to learn the controls of a new game by reading a manual from three generations ago.
> LEVEL 3: POWER-UPS & EXTRA LIVES
So if annual training is a Game Over screen, what does a winning strategy look like? The industry is converging on three power-ups that actually work: micro-learning, just-in-time nudges, and gamification.
Power-Up #1: Micro-Learning (The Mushroom)

Micro-learning replaces the 45-minute annual snoozefest with 5-10 minute modules delivered monthly or bi-weekly, supplemented by regular phishing simulations. The difference in outcomes isn't incremental — it's a level skip:
Why does it work? It aligns with how human brains actually learn. The spacing effect shows that distributing learning over time dramatically improves long-term retention. Short 5-minute sessions reduce cognitive load (no one zones out). And frequent interactions create habit loops that embed security thinking into daily workflow — like muscle memory for a combo move.
The key insight here is that these micro-learnings become life skills, not just work skills. When you teach an employee to spot a phishing email in a 3-minute module, they take that knowledge home. They use it on their personal email. They teach their kids. They become more security-aware humans, not just more compliant employees.
Power-Up #2: Just-in-Time Nudges (The Fire Flower)
This is the real game-changer. Instead of teaching employees about phishing in January and hoping they remember in September, you train them at the exact moment the threat appears.
The concept draws from Nudge Theory (Thaler and Sunstein) and the MINDSPACE framework developed by the UK Government's Behavioural Insights Team. The idea is simple but powerful: timely, context-aware interventions delivered at the moment a risky behavior occurs are exponentially more effective than front-loaded training.
What does this look like in practice?
The beauty of just-in-time training is that it turns every near-miss into a teachable moment. Instead of abstract scenarios in a training video, employees learn from their own real-world actions. It's the difference between reading a strategy guide and actually playing the game.
Products like KnowBe4's SecurityCoach deliver 200+ security tips covering 60+ topics in 34 languages, sent via Teams, Slack, or email at the exact moment risky behavior is detected. Hoxhunt uses adaptive phishing simulations that get harder as the user's skill level improves — just like a good game increases difficulty as you level up.
Power-Up #3: Gamification (The Star)
Gamification isn't just slapping a leaderboard on top of your existing training. When done right, it fundamentally changes how employees engage with security concepts. Research published in the Journal of Business Research found that gamified security training improves employees' security behaviors by reducing phishing click rates and promoting positive security reactions.
Think about it: why do people voluntarily spend hundreds of hours mastering a game? Because games provide clear objectives, immediate feedback, progressive difficulty, and rewards. That's exactly what good security training should do. Your employees shouldn't dread training — they should want to level up.

> LEVEL 4: CHEAT CODES ALREADY IN YOUR INVENTORY
Here's the best part: you don't need to buy a single new product to start delivering point-in-time security training. Google Workspace and Microsoft 365 already have these capabilities built in. They're free cheat codes sitting in your inventory that most organizations never activate.
Google Workspace Cheat Codes
Microsoft 365 Cheat Codes
> BONUS STAGE: MEEPS
Now for the technical power-up. If you want to take gamification from concept to reality, check out Meeps Security — an open-source, gamified cybersecurity training framework built in Python by security professional Tyrone Kevin Ilisan.
What Is Meeps?
Meeps simulates a Security Operations Center (SOC) environment where players take on the role of a Level 1 SOC Analyst. Think of it as a security training arcade — instead of watching a video about incident response, your users actually do it.
How It Works
Players handle incoming “phone calls” about cybersecurity incidents. Each call includes caller details and an incident description. Players must analyze the threat against a reference database of known threats (with descriptions, indicators of compromise, and countermeasures), then submit the correct classification — all under SLA time pressure.
At the end of each shift, a performance report card shows total tickets handled, accuracy rate, missed calls, and whether the player passed (80% threshold required). It's immediate feedback, progressive challenge, and real skill-building — everything a training video is not.
Why Meeps Matters
Meeps is exactly the kind of tool that turns security training from a chore into a challenge. And because the content is fully customizable, you can populate it with threats specific to your industry, your tech stack, and your compliance requirements. Deploy it for onboarding, run it during security awareness month, or make it available year-round as a self-paced training tool.
> HIGH SCORE: THE BOTTOM LINE
The industry consensus — from Gartner, SANS, KnowBe4, Fortinet, Hoxhunt, and independent researchers — is unambiguous: annual, checkbox-style security awareness training is ineffective at changing behavior and reducing risk. The evidence shows training effects degrade after 4-6 months, engagement is poor, and the approach fails to address how humans actually learn and retain information.
The modern security awareness playbook combines:
Give your users a fighting chance. Stop asking them to beat the final boss with a tutorial they watched a year ago. Give them power-ups throughout the year. Train them at the moments that matter. And make it engaging enough that they actually want to play.
The security awareness training market is estimated at USD 6.74 billion in 2026, with growth driven by micro-learning, real-time phishing simulations, and gamification displacing linear slide decks. The industry is moving. Make sure your program moves with it.
Sources & References
- • Verizon 2025 Data Breach Investigations Report
- • Fortinet 2024 Global Security Awareness and Training Report
- • SANS 2025 Security Awareness Report
- • Gartner Top Cybersecurity Trends 2025
- • Gartner Top Cybersecurity Trends 2026
- • USENIX SOUPS 2020: “An Investigation of Phishing Awareness and Education Over Time”
- • Keepnet Labs 2026 Security Awareness Training Statistics
- • Infrascale Security Awareness Training Statistics
- • CSO Online: “Human Risk Management”
- • KnowBe4 SecurityCoach
- • Hoxhunt Guide to Security Awareness Training
- • KnowBe4: From Boredom to Engagement — Gamification in Cybersecurity Awareness
- • Journal of Business Research: Gamification in Workforce Training (ScienceDirect, 2024)
- • Mordor Intelligence: Security Awareness Training Market
- • Meeps Security (GitHub)
- • Google Workspace Admin Help: External Recipient Warnings
- • Microsoft Learn: DLP Notifications and Policy Tips


