The 73% versus 12% retention figures that underpin LimitedView's approach appear in most of our published material. What appears less frequently is the methodology that produced them and the questions we had to answer before we trusted them enough to build a company around the findings. This article documents both.
What We Measured and Why It Matters
The distinction between knowledge retention and behaviour change is not academic. Security training programmes are routinely evaluated on completion rates and assessment scores, metrics that tell you whether an employee sat through the content and passed a quiz. They do not tell you whether that employee's behaviour under real-world conditions has changed.
Our research focused on behavioural outcomes, not assessment performance. The primary metric was incident recurrence: did employees who received training following a specific incident category subsequently demonstrate changed behaviour when they encountered a similar threat? This required matching training delivery records to subsequent security event logs, a data linkage that most organisations do not maintain in any systematic form.
The secondary metric was knowledge persistence. When employees were tested 30 days after training delivery, how much of the material could they accurately recall and apply? We used scenario-based assessments rather than multiple-choice recall tests, because the former better predicts real-world response.
Methodology Across 847 Organisations
The research cohort was assembled over 24 months across organisations in financial services, healthcare, professional services, and public sector. Inclusion criteria required that each organisation had a functioning SIEM with incident logging, a documented training delivery record, and consent to participate in the longitudinal assessment programme.
The control condition was standard scheduled training: content delivered on a calendar cycle with no specific relationship to preceding security events. The intervention condition was incident-triggered training: content delivered within 48 hours of a relevant security event affecting the organisation or a close sector peer.
Critically, the content delivered in both conditions was equivalent. We controlled for content quality by using the same material library across both groups, matched by incident category. This was essential to isolate the variable of timing. If the intervention group had received higher-quality content, the retention differential could not be attributed to timing alone.
The 650,000 employees in the study were distributed across organisations ranging from 400 to 28,000 employees. The consistency of findings across this range was one of the more striking aspects of the data.
What the Data Shows
The headline finding, 73% retention in the intervention group versus 12% in the control group at 30 days, held with statistical significance across every sector in the cohort. The effect size did not vary meaningfully by industry, organisation size, or employee role. Security operations personnel, non-technical employees, and management cohorts all showed the same differential.
This uniformity was not what we expected. Before collecting the data, the research team hypothesised that the timing effect might be stronger for technical roles, who would be better positioned to contextualise incident-specific training. The data does not support this. The neurological mechanism that drives improved consolidation in the 48-hour window appears to operate independently of technical background.
The behavioural recurrence data was similarly consistent. In the control group, 34% of employees who experienced a phishing incident and received scheduled training subsequently fell for a similar attack within 90 days. In the intervention group, that figure was 6%. Across all incident categories combined, the intervention group showed a 64% average reduction in repeat incidents compared to the control group.
What Behaviour Change Actually Means
It is worth being precise about what 6x behaviour change means in practice, because the figure can be misread as implying that incident-triggered training produces perfect security behaviour. It does not.
What the data shows is that employees in the intervention group demonstrate systematically different automatic responses when they encounter a threat similar to the one that preceded their training. They are more likely to pause before clicking a suspicious link. They are more likely to report anomalous activity. They follow the correct escalation procedure rather than attempting to handle the incident themselves.
These are not dramatic heroics. They are small, consistent shifts in automatic behaviour at the moment of decision. Multiplied across thousands of employees and dozens of incident categories, those small shifts compound into meaningfully different security outcomes.
Implications for Security Teams
The research findings have a direct operational implication: the ROI calculation for security training cannot be made on the basis of content quality or delivery platform alone. The most important variable is timing, and timing is an infrastructure question, not a content question.
Organisations that have restructured their training delivery around incident triggers, connecting their security operations tooling to their learning management systems, do not get better ROI by spending more on content. They get better ROI from the same content budget by ensuring that training reaches employees when the neurological conditions for retention are at their peak.
The gap between 12% and 73% retention represents roughly £35 of every £47 spent on security training. That is not inefficiency at the margin. It is a structural problem with how training delivery infrastructure is designed. Addressing it requires connecting the incident response stack to the training delivery stack and removing the human coordination delay between the two.
This is the core design principle behind LimitedView's incident training platform: not better content, but better infrastructure for delivering the right content at the right neurological moment.
