The Challenge
The firm had been running annual mandatory security awareness training for three years when the incident occurred. Two senior portfolio managers received a spear-phishing email impersonating a counterparty's compliance team. Both clicked. Both entered credentials. The credentials were harvested within the hour.
The business impact was significant but contained. A four-hour outage while accounts were suspended and access reviewed. A forensic review lasting eleven days. Regulatory notification obligations under FCA guidance triggered an internal escalation that reached board level. One client relationship required a direct call to explain what had happened and what controls were in place.
What made it harder to absorb was that both managers had completed that year's mandatory awareness training within the previous four months. The completion rate for the annual module sat at 96%. Assessed scores averaged 81%.
The numbers looked good. The incident happened anyway.
The security team's internal review identified the same pattern that comes up repeatedly in post-incident analysis: training completed in a low-urgency context, with no emotional salience, leaves almost nothing retained at the point of need. Staff could pass a test in March. They could not identify a sophisticated spear-phish in November.
The existing training vendor was not at fault. The content was accurate and reasonably well designed. The problem was timing. Annual delivery, regardless of content quality, produces annual-level retention. When an incident requires recall of specific recognition behaviours nine months after training, the material is largely gone.
The CISO brought LimitedView in during the forensic review period. The brief was to find an approach that would change the trajectory rather than simply repeat the same intervention at higher frequency.
The Approach
The engagement began with a three-week assessment phase. LimitedView reviewed the existing training materials, the firm's incident classification framework, and the post-incident report from the phishing compromise. The goal was not to replace the existing training programme wholesale but to identify where incident-triggered delivery could be integrated without creating duplication or compliance gaps.
The core recommendation was to implement a triggered delivery model that would activate specifically after any classified phishing or social engineering incident — whether successful or unsuccessful. The trigger would apply firm-wide, not just to the individuals involved in the originating incident.
This is a deliberate design choice. Post-incident, the entire organisation is in a different psychological state. The attack is real rather than theoretical. Colleagues have heard about it, or will. The conditions for durable learning are present across the workforce, not just in the people directly affected.
The first module was ready for deployment within forty-six hours of the incident being formally classified. It was built around the specific characteristics of the phishing email that had succeeded: the sender display name pattern, the domain lookalike technique used, the sense of urgency manufactured in the body text, and the credential harvesting page design. Specific details were abstracted to avoid republishing attack methodology, but the patterns were genuine.
Deployment was through the firm's existing learning management system. No new infrastructure was required at the employee level. The LimitedView integration pushed the triggered module directly into the LMS queue and sent a prompt through the internal communications channel the firm used for compliance deadlines.
Completion within 72 hours reached 89% without a manager chase. The firm's compliance team noted this was the highest first-week completion rate they had recorded for any learning intervention.
Over the following six months, two further phishing incidents were classified: one successful credential harvest affecting a junior analyst, one unsuccessful attempt that was correctly reported through the firm's reporting mechanism. Each triggered a new module. Each module was built around the characteristics of that specific incident.
The security team also introduced a variant: when the firm received threat intelligence indicating a phishing campaign targeting the investment management sector more broadly, even without a direct hit, a lighter-touch awareness prompt was triggered. This extended the model beyond reactive-only delivery while preserving the timing principle.
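The trigger rules described above can be stated precisely: a classified phishing or social engineering incident fires a full module firm-wide whether or not it succeeded, sector-level threat intelligence fires a lighter prompt, and the module carries the lure's techniques rather than its specifics. The following is an added illustration of those rules, not LimitedView's integration or the firm's code. The event shape, category names, delivery tiers, the lookalike-domain heuristics and the sample incident are all assumptions made for this example.

```python
"""Trigger rules for incident-driven awareness delivery.

Added illustration, not LimitedView's integration or the firm's code. The
event shape, the category names, the two delivery tiers and the lookalike
heuristics are assumptions made for this example.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Delivery(Enum):
    NONE = "none"
    FULL_MODULE = "full_module"    # built around the incident, pushed firm-wide
    LIGHT_PROMPT = "light_prompt"  # sector threat intel, no direct hit


# Categories from an assumed incident classification framework.
TRIGGERING_CATEGORIES = {"phishing", "social_engineering"}
ROLE_WORDS = {"compliance", "legal", "finance", "treasury", "settlements"}


@dataclass
class Event:
    source: str                            # "incident" or "threat_intel"
    category: str
    successful: bool = False               # credentials harvested? (ignored by the rules)
    sector_targeted: Optional[str] = None  # threat intel only
    lure: dict = field(default_factory=dict)


def lookalike_technique(observed: str, legitimate: str) -> str:
    """Name how a sender domain imitates the legitimate one. Heuristic only:
    enough to describe the pattern in a module without quoting the domain."""
    obs, leg = observed.lower().strip("."), legitimate.lower().strip(".")
    if obs == leg:
        return "exact"
    obs_sld, _, obs_tld = obs.partition(".")
    leg_sld, _, leg_tld = leg.partition(".")
    if obs_sld == leg_sld and obs_tld != leg_tld:
        return "tld_swap"                    # counterparty.co
    if leg_sld in obs_sld:
        return "label_extension"             # counterparty-compliance.com
    if len(obs_sld) == len(leg_sld):
        diffs = sum(a != b for a, b in zip(obs_sld, leg_sld))
        if 0 < diffs <= 2:
            return "character_substitution"  # c0unterparty.com
    return "other"


def abstract_lure(lure: dict) -> list:
    """Reduce observed lure details to named techniques. No raw sender name,
    domain or URL is carried into the module text."""
    patterns = []
    name = lure.get("display_name", "").lower()
    roles = sorted(w for w in ROLE_WORDS if w in name)
    if roles:
        patterns.append("display name impersonates a %s function" % "/".join(roles))
    if "sender_domain" in lure and "legitimate_domain" in lure:
        technique = lookalike_technique(lure["sender_domain"], lure["legitimate_domain"])
        patterns.append("lookalike domain: " + technique)
    if lure.get("urgency"):
        patterns.append("manufactured urgency in the body text")
    if lure.get("credential_page"):
        patterns.append("credential harvesting page styled as the login portal")
    return patterns


def decide(event: Event, firm_sector: str = "investment_management"):
    """Apply the rules: any classified phishing or social-engineering incident
    fires a full firm-wide module, successful or not; sector-level threat
    intel fires a lighter prompt; anything else fires nothing."""
    if event.category not in TRIGGERING_CATEGORIES:
        return Delivery.NONE, {}
    spec = {"audience": "firm_wide", "patterns": abstract_lure(event.lure)}
    if event.source == "incident":
        return Delivery.FULL_MODULE, spec
    if event.source == "threat_intel" and event.sector_targeted == firm_sector:
        return Delivery.LIGHT_PROMPT, spec
    return Delivery.NONE, {}


# Constructed sample mirroring the lure described in the case study.
SAMPLE_INCIDENT = Event(
    source="incident", category="phishing", successful=True,
    lure={"display_name": "Counterparty Compliance Team",
          "sender_domain": "counterparty-compliance.com",
          "legitimate_domain": "counterparty.com",
          "urgency": True, "credential_page": True},
)

if __name__ == "__main__":
    delivery, spec = decide(SAMPLE_INCIDENT)
    print(delivery.value, spec)
```

Note that `successful` is carried on the event but never consulted: an unsuccessful attempt that was reported still fires the full module, which is the point of the firm-wide trigger. The lookalike classification is deliberately coarse; its job is to name the technique for the module, not to act as a mail filter.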
The Results
At the six-month mark, the security team ran a structured analysis against the prior-year baseline. The comparison period was matched for seasonality: the six months following the initial incident against the equivalent six months in the previous year.
Repeat incidents — defined as any phishing or social engineering event where an employee took a defined unsafe action, regardless of whether credentials were harvested — fell by 64% compared to the baseline period.
The prior-year baseline had recorded eleven classified incidents in the equivalent six-month window. The post-intervention period recorded four. All four occurred in business units or functions that had been added to the firm's structure after the triggered training programme had launched and had therefore received less coverage in the early deployment phases.
Voluntary engagement with the triggered modules, measured as first-week completion without a manager prompt, averaged 87% across all three deployments. The annual mandatory module in the same period achieved 72% first-week completion with active manager prompting.
Reported but unsuccessful phishing attempts — an important indicator of recognition behaviour — increased by 31% in the intervention period compared to baseline. Staff were not just completing training. They were using the recognition patterns.
The compliance team also tracked assessed scores on the triggered modules at a 30-day follow-up. Retention of key recognition behaviours, assessed by a brief scenario-based test, averaged 69% at 30 days. The firm's previous annual training vendor had not conducted 30-day follow-up assessments, but internal estimates based on incident patterns suggested the functional retention rate was closer to 15 to 20%.
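The measurement definitions in this section (a repeat incident is any unsafe action regardless of whether credentials were harvested, the baseline is the same calendar window one year earlier, and reported-but-unsuccessful attempts are the recognition signal) can be made mechanical. The following is an added example, not the security team's analysis script; the record fields, the windows and the incident data are constructed so that the counts reproduce the figures quoted above.

```python
"""Six-month comparison against a seasonally matched baseline.

Added example, not the security team's analysis script. Record fields,
windows and the incident data are constructed to reproduce the counts in the
case study; the definitions are the ones the text gives.
"""
from dataclasses import dataclass
from datetime import date, timedelta

SOCIAL = {"phishing", "social_engineering"}


@dataclass(frozen=True)
class Record:
    when: date
    category: str
    unsafe_action: bool   # clicked, replied, entered credentials ...
    harvested: bool       # credentials actually captured (not consulted)
    reported: bool        # raised through the reporting mechanism


def in_window(r, start, end):
    return start <= r.when <= end


def matched_baseline(start, end):
    """Same calendar window one year earlier, so seasonality is held constant
    (assumes the window does not start or end on 29 February)."""
    return start.replace(year=start.year - 1), end.replace(year=end.year - 1)


def repeat_incidents(records, start, end):
    """Repeat incident: any phishing/social-engineering event in which an
    employee took a defined unsafe action, whether or not credentials were
    harvested. 'harvested' is deliberately not consulted."""
    return sum(1 for r in records
               if r.category in SOCIAL and r.unsafe_action and in_window(r, start, end))


def reported_unsuccessful(records, start, end):
    """Attempts recognised and reported without any unsafe action: the
    recognition-behaviour indicator."""
    return sum(1 for r in records
               if r.category in SOCIAL and r.reported and not r.unsafe_action
               and in_window(r, start, end))


def pct_change(before, after):
    return None if before == 0 else round(100 * (after - before) / before)


def compare(records, start, end):
    b_start, b_end = matched_baseline(start, end)
    rb, ri = repeat_incidents(records, b_start, b_end), repeat_incidents(records, start, end)
    ub, ui = reported_unsuccessful(records, b_start, b_end), reported_unsuccessful(records, start, end)
    return {"repeat_baseline": rb, "repeat_intervention": ri, "repeat_change_pct": pct_change(rb, ri),
            "reported_baseline": ub, "reported_intervention": ui, "reported_change_pct": pct_change(ub, ui)}


def _spread(n, first, **fields):
    """n constructed records, ten days apart, starting on `first`."""
    return [Record(first + timedelta(days=10 * i), **fields) for i in range(n)]


# Constructed data: 11 unsafe actions in the baseline window (some with
# credentials harvested, some without), 4 in the intervention window,
# 13 and 17 reported-but-unsuccessful, plus records that must be excluded.
START, END = date(2024, 3, 1), date(2024, 8, 31)
SAMPLE = (
    _spread(7, date(2023, 3, 5), category="phishing", unsafe_action=True, harvested=False, reported=False)
    + _spread(4, date(2023, 3, 9), category="phishing", unsafe_action=True, harvested=True, reported=False)
    + _spread(13, date(2023, 3, 7), category="phishing", unsafe_action=False, harvested=False, reported=True)
    + _spread(4, date(2024, 3, 5), category="phishing", unsafe_action=True, harvested=True, reported=False)
    + _spread(17, date(2024, 3, 7), category="phishing", unsafe_action=False, harvested=False, reported=True)
    + _spread(3, date(2024, 4, 1), category="malware", unsafe_action=True, harvested=False, reported=False)
    + _spread(1, date(2024, 2, 20), category="phishing", unsafe_action=True, harvested=False, reported=False)
)

if __name__ == "__main__":
    print(compare(SAMPLE, START, END))
```

Two things the definitions force on the data model: a harvested credential and a click that went nowhere count identically as repeat incidents, so `harvested` cannot silently narrow the numerator; and the baseline window is derived from the intervention window rather than chosen separately, so the two periods cannot drift apart in length or season.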
What Changed
The shift the security team described most clearly was not statistical. It was tonal. Security awareness had previously been a compliance item. Something that happened on a schedule, was tracked on a dashboard, and produced certificates. Staff treated it accordingly.
The triggered model changed the frame. Training arrived when something had just happened. The subject matter was relevant in a way that annual content could never be. The team started receiving direct messages from staff asking whether a suspicious email they had received was related to the current threat. That had not happened before.
The CISO noted during the six-month review that the shift in voluntary reporting behaviour was the most significant change. Reporting requires staff to believe their input is valued, to trust that the act of reporting will not be treated as evidence of fault, and to have enough pattern recognition to identify what is worth reporting. All three of those conditions are downstream of genuine engagement rather than compliance completion.
The firm renewed the programme and extended it to cover supply chain and business email compromise incident triggers in the following contract year.