The default assumption in security training has long been that content matters most. Get the right information in front of people often enough, and behaviour changes. The data does not support this.
LimitedView's research team has spent four years analysing behaviour change outcomes across 847 organisations and more than 650,000 employees. One of the clearest signals in that dataset is the performance gap between generic training and role-targeted training. The difference is not marginal. It is consistent across sectors, organisation sizes, and delivery methods.
Does Generic Security Training Work the Same for Everyone?
No. Generic security training produces substantially different behaviour change outcomes depending on job function, even when content and delivery are identical. A module on phishing that uses email-based scenarios performs measurably better for desk-based office workers than for manufacturing floor staff who primarily use shared terminals. The same module shows different retention rates in finance teams versus customer service teams, even within the same organisation on the same day.
The reason is not that the content is wrong. It is that relevance drives retention, and relevance is role-specific. A warehouse operative and a finance controller face genuinely different threats. Training that splits the difference between them serves neither well.
Which Job Functions Show the Lowest Security Training Retention?
Across LimitedView's dataset, three groups consistently show the steepest retention decay from generic training: operational staff with limited screen time, high-turnover customer-facing roles, and privileged technical users.
Operational staff often complete training on shared devices in designated time windows. The training scenario rarely maps to their actual working environment. By 30 days, retention in this group drops to levels that make the training statistically ineffective at preventing the behaviours it targets. They completed the module. They did not change anything.
High-turnover customer-facing roles face a compounding problem. Training completion rates in these groups are typically lower to begin with. When completion and retention are both poor, you have a predictable vulnerability that generic annual programmes cannot address regardless of how polished the content is.
Privileged technical users present a different problem entirely. Their completion rates are high. Their quiz scores are also relatively high. The failure mode is not ignorance. It is overconfidence combined with irrelevance. A phishing simulation built around consumer email conventions is not the threat model for a system administrator with domain-level access. They dismiss it, often correctly, and the behaviour change that should follow does not happen.
What Does Role-Based Incident-Triggered Training Actually Look Like?
The mechanism is straightforward. When an incident occurs that maps to a specific role, training is delivered to that role within 48 hours of the incident. The training scenario mirrors the actual incident as closely as operational confidentiality allows.
A customer service team that experiences a vishing attempt gets training that afternoon or the following morning. Not at the next scheduled window in four months. The incident provides the context. The training provides the structured response. The proximity in time is what drives the 73% retention rate at 90 days that LimitedView's research team has documented, compared to 12% for scheduled generic training.
Role-based targeting means the customer service training looks nothing like the training delivered to the finance team that week, or the IT team, or warehouse operations. Each team sees an incident scenario drawn from their actual threat exposure. The scenario is not hypothetical. It is drawn from something that just happened, to people in a similar role, doing a similar job.
How Do You Measure Whether Role-Based Training Is Working?
Behaviour observation beats self-reporting. Ask training teams what percentage of their measurement relies on quiz completion and post-training survey scores, and you start to understand why most organisations believe their programme is working while their incident data says otherwise.
The metrics that matter are behavioural. Report rates for suspicious emails. Escalation speed when anomalous access is detected. Error rates in processes known to carry social engineering risk. These metrics are role-specific by nature. A sales team's security posture looks different from a developer's, and measuring them with the same scorecard produces data that is too blunt to drive improvement.
LimitedView's analysis shows that organisations using role-specific behavioural metrics alongside incident-triggered training see a 64% reduction in repeat procedural failures within the first year. That is not measuring whether people passed a test. That is measuring whether anything actually changed.
Is Role-Based Training More Expensive to Deliver?
The cost comparison is frequently misframed. Organisations compare the unit cost of role-based training against the unit cost of generic training and conclude role-based is more expensive. They are comparing the wrong things.
The relevant comparison is cost against risk reduction. Generic training has a known ceiling on effectiveness. After a certain point, adding more of it adds budget without proportional risk reduction. The 6x improvement in behaviour change that incident-triggered, role-based training produces changes the economics. If you are allocating the same total budget across two approaches but one produces six times the behaviour change, the generic approach is not cheaper. It is less efficient at the thing it is supposed to do.
The organisations in LimitedView's dataset that have shifted budget from annual generic programmes to incident-triggered role-based delivery have not universally increased their training spend. Several have reduced it while improving measurable outcomes. The shift is not about spending more. It is about spending in proximity to the conditions that make learning stick, and targeting it at the people whose behaviour actually needs to change.


