Is a 99% Pass Rate Good Enough for Cyber Security Awareness Training?
9th December, 2025
At first glance, a 99% pass rate on your Cyber Security Awareness Training might seem like a cause for celebration. But when it comes to cybersecurity, that remaining 1% can pose a serious risk.
Why 99% Isn’t Always Safe Enough
Even one uninformed or careless employee can be the entry point for a cyberattack. Phishing, credential theft, and social engineering tactics only need one success to compromise your entire network. That’s why attackers often target individuals and not systems.
Let’s put it in perspective:
- In a company of 500 employees, 1% = 5 people who might click a malicious link.
- It only takes one to cause a data breach or ransomware infection.
Real-World Readiness
Passing a quiz doesn’t always mean employees are ready to act appropriately in a real-world phishing or social engineering scenario. Some may guess the correct answers or forget what they learned shortly after training.
Security awareness must go beyond an annual quiz. It needs to become part of your company culture, reinforced regularly with:
- Ongoing phishing simulations
- Real-time feedback on risky behaviour
- Microlearning or refresher training
- Leadership buy-in and visible participation
Aim for Resilience, Not Just Scores
What is a better metric than 'pass rate'? Click rates on simulated phishing emails, incident reporting rates, and how quickly staff escalate suspicious activity. These are the figures to watch and follow up on; they can be tracked within your business, with meaningful action taken on the results to strengthen your human firewall. If you sign up to a security awareness training package, your company benefits from regular training, with regular reports fed back to your team, so you learn from mistakes as and when they happen.
Your in-house IT Manager or IT provider should keep looking for opportunities to educate and inform staff across the organisation on a regular basis. In addition to taking part in ongoing phishing simulations and Security Awareness Training, it's important to give your organisation regular microlearning opportunities or refresher training.
In short, 99% is not the end goal. Neither is a 100% pass rate, if it leads you to think everything is OK and that training is just an item ticked off a list. Just because your whole team might pass a cyber security awareness training test with flying colours doesn't mean they know everything, as the world of cyber hacking is becoming smarter, more sophisticated and harder to spot all the time.
Of course, the right technological kit and special security software should form part of your cyber security protection. But on top of that, ongoing security training really matters. The aim is to create a security-conscious culture where every employee becomes an active part of your cyber defence, doesn’t become complacent and is ready to adapt to new threats.











