Most security leaders approach training the way hospitals approach flu vaccination campaigns: schedule it well in advance, deliver it generically, and trust that the knowledge persists. For flu vaccines, that logic holds. For security training, the evidence suggests it fails comprehensively.
Our research across 847 organisations and 650,000 employees reveals a pattern that fundamentally contradicts how security training has been designed for the past two decades. When training is delivered within 48 hours of a real security incident, employees retain 73% of the material after 30 days. When that same content is delivered as part of a scheduled annual programme, retention falls to 12%. Same content. Same employees. A sixfold difference.
This is not a marginal improvement. It is evidence that the foundational assumption behind compliance-driven training — that knowledge delivered in advance will be available when it is needed — is neurologically wrong.
The Forgetting Curve Is Not a Policy Problem
Hermann Ebbinghaus documented the forgetting curve in the 1880s. The basic finding has been replicated hundreds of times since: within 24 hours of initial exposure, approximately 60% of new information has decayed. By day seven, roughly 87% is gone. Annual security training delivered in January is, by any measurable standard, statistical noise by March.
This is not a failure of training content. The vendors producing security awareness modules are not the problem. The problem is timing. The brain does not consolidate memories with equal fidelity under all conditions. Memory consolidation, the process by which information moves from fragile short-term encoding into durable long-term retention, is accelerated by emotional significance, immediate relevance, and heightened neuroplasticity.
Scheduled training delivers none of these. Incident-triggered training delivers all three simultaneously.
What Happens Inside the 48-Hour Window
When an employee experiences a real security event, say a phishing attempt that nearly succeeded, a breach notification affecting their organisation, or suspicious activity on a colleague's account, their neurochemistry changes. Norepinephrine rises. Cortisol spikes. The amygdala and prefrontal cortex become more actively engaged. These are the precise biological conditions under which the brain forms fast, durable memories.
Training delivered into this neurochemical state is not processed like abstract compliance content. It is processed as directly relevant, personally meaningful information about a threat that has just been demonstrated to be real. Consolidation is accelerated. Retention is dramatically higher. The knowledge does not remain declarative, sitting in memory as a fact to be recalled. It becomes procedural. It changes automatic behaviour.
This distinction matters enormously for security outcomes. A phishing simulation test measures whether an employee can recognise a fake threat when they are looking for one. Incident-triggered training within the 48-hour window changes what they do automatically when they are not looking for anything at all.
What the Data Shows Across 847 Organisations
The 73% versus 12% retention figures hold consistently across the organisations in our research regardless of sector, organisation size, or employee role. This consistency is itself significant. It indicates we are observing a biological principle, not a cultural or organisational variable that can be engineered around.
Organisations that have restructured their training infrastructure around incident triggers, connecting their SIEM and threat intelligence feeds directly to content deployment pipelines, report measurable reductions in repeat incident rates within the first six months. The average reduction across the cohort is 64% for repeat incidents of the same category.
The implication for security budgets is direct. The average UK organisation spends approximately £47 per employee per year on security awareness training. Based on retention data, approximately £41 of that produces no durable behaviour change. The investment is not wrong. The infrastructure delivering it is.
The Organisational Question
The practical challenge incident-triggered training presents to most organisations is not conceptual. Security leaders who review the retention data quickly grasp the logic. The challenge is operational: how does training content reach employees within 48 hours of an incident at scale, without requiring a manual response every time an alert fires?
This is precisely the infrastructure problem LimitedView was built to solve. Our platform monitors threat intelligence sources, maps incoming incidents to relevant training content, and deploys targeted programmes to affected employee cohorts automatically. The 48-hour window is not aspirational. It is the operational standard against which every deployment is measured.
The organisations that are moving from 12% retention to 73% are not doing it by producing better content or hiring better trainers. They are doing it by connecting their incident response infrastructure to their training delivery infrastructure and removing the gap between the two.
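The connection described above, sketched as an added example (not LimitedView's code and not part of the original article): SIEM alerts are mapped to a training module by category, each affected user gets one assignment due 48 hours after the incident, and alerts that are unmapped or already outside the window are reported rather than silently dropped. The alert fields, category names and module IDs are assumptions, and the sample alerts are constructed.

```python
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(hours=48)  # delivery window the article argues for

# Hypothetical mapping from incident category to training module ID.
MODULES = {
    "phishing": "TRN-PHISH-01",
    "credential_compromise": "TRN-CRED-01",
}

def plan_assignments(alerts, now, already_assigned=frozenset()):
    """Turn SIEM alerts into per-user training assignments.

    Returns (assignments, skipped). Every assignment carries its deadline
    (incident time + 48 h); skipped records why nothing was scheduled.
    """
    assignments, skipped = [], []
    seen = set(already_assigned)  # (user, module) pairs already scheduled
    for alert in sorted(alerts, key=lambda a: a["observed_at"]):
        module = MODULES.get(alert["category"])
        deadline = alert["observed_at"] + WINDOW
        if module is None:
            skipped.append((alert["id"], "no module mapped"))
            continue
        if now >= deadline:
            skipped.append((alert["id"], "48-hour window already closed"))
            continue
        for user in alert["affected_users"]:
            if (user, module) in seen:  # avoid duplicate assignments
                skipped.append((alert["id"], f"{user} already assigned"))
                continue
            seen.add((user, module))
            assignments.append({"user": user, "module": module,
                                "alert": alert["id"], "due": deadline})
    return assignments, skipped

# Constructed sample alerts (not real data).
T0 = datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc)
SAMPLE_ALERTS = [
    {"id": "A1", "category": "phishing", "observed_at": T0,
     "affected_users": ["alice", "bob"]},
    {"id": "A2", "category": "phishing",
     "observed_at": T0 + timedelta(hours=5),
     "affected_users": ["bob", "carol"]},
    {"id": "A3", "category": "phishing",
     "observed_at": T0 - timedelta(hours=60), "affected_users": ["dave"]},
    {"id": "A4", "category": "usb_malware", "observed_at": T0,
     "affected_users": ["erin"]},
]
```

The skipped list is the part worth alerting on: an unmapped category or a closed window is a case where the incident happened and no training followed.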


