How often do we send training emails?


When designing our evidence-based phishing awareness training program, we faced a critical question: how often should we test our clients' employees? Too frequent, and we risk alert fatigue and resentment. Too sparse, and the training loses its effectiveness. After extensive research and careful consideration of the available evidence, we landed on an average frequency of approximately 10 days, though we deliberately vary this timing to maintain unpredictability.

The Search for the "Goldilocks" Frequency

Our investigation into optimal phishing simulation frequency revealed a fascinating gap between academic research and industry practice. While the academic literature strongly supports the principle of frequent, spaced training, it doesn't prescribe specific intervals. Industry vendors, meanwhile, recommend everything from weekly to quarterly simulations, with most defaulting to monthly.

The most specific recommendation we found came from Hoxhunt, a Finnish security awareness company that advocates for sending simulations "every 10 days" based on their analysis of over 50 million phishing simulations across 2.5 million users. While this represents just one vendor's approach, their massive dataset and reported results caught our attention: organizations using their 36-simulations-per-year protocol achieved 86% fewer phishing incidents compared to quarterly training programs.

What the Research Actually Tells Us

While no peer-reviewed studies validate the specific 10-day interval, several converging lines of evidence support this frequency range:

The Retention Window

The groundbreaking 2024 ETH Zurich study by Lain and colleagues revealed that "retention from phishing exercises was measured to be around 10-30 days." This suggests that waiting longer than a month between simulations allows the lessons to fade from memory. Their research also uncovered something crucial: the effectiveness of phishing training comes primarily from its "nudging effect"—the periodic reminder to stay vigilant—rather than from knowledge transfer.

The Rapid Response Reality

Research shows that most phishing victims who will click do so within the first 24 hours of receiving an email, with many clicking within just 21 seconds. This highlights the need for well-developed defensive reflexes that only come from regular practice. As one participant in the ETH study noted: "The effectiveness lies in the repetition, that you have to remind yourself again and again."

The Australian Context

The latest Australian Cyber Threat Report (2024) shows that Australian businesses receive a cyber incident report every 6 minutes, with email compromise and phishing remaining the top attack vectors. Small businesses—our primary client base—face average losses of $49,600 per incident. This local threat landscape reinforces the need for frequent, practical training.

Why We Chose ~10 Days (With Important Caveats)

Our decision to average around 10 days between simulations represents a pragmatic balance based on the available evidence:

  1. It falls within the retention window: At 10 days, we're reinforcing lessons before they fade but not so frequently that employees become desensitized.
  2. It provides sufficient practice opportunities: Over a year, this frequency gives employees roughly 36 chances to practice identifying phishing attempts—enough to build genuine habit formation.
  3. It aligns with behavioral science: Research on habit formation suggests simple behaviors require an average of 66 days to become automatic. Our frequency provides 6-7 practice opportunities during this critical period.

The Crucial Role of Variability

However, we don't rigidly adhere to exactly 10 days. Our system deliberately varies the timing—sometimes sending several simulations in a day, other times waiting 30 days or more. This variability serves multiple purposes:

  • Maintains realism: Real phishing attacks don't follow predictable schedules
  • Prevents gaming: Employees can't simply be extra cautious "around day 10"
  • Reduces habituation: Unpredictability keeps employees genuinely alert rather than mechanically responsive

Important Limitations and Transparency

We want to be completely transparent about the evidence base for our approach:

  • No definitive research exists: Despite extensive searching, we found no controlled studies comparing 10-day intervals against other frequencies.
  • Single-source recommendation: The specific 10-day interval originates primarily from one vendor's internal data.
  • Context matters: What works for one organization may not work for another. Industry, size, and security culture all influence optimal frequency.

Our Ongoing Commitment

We view our ~10-day average frequency as a starting point based on the best available evidence, not a final answer. We continuously monitor several metrics to assess and adjust our approach:

  • Click rates over time
  • Reporting rates for suspicious emails
  • Employee feedback and engagement
  • Real incident occurrence

If the data suggests a different frequency would better serve our clients, we'll adapt accordingly.

The Bottom Line

While we can't claim that 10 days is the scientifically proven optimal frequency, we can confidently say that our approach aligns with what research tells us about effective security training: it needs to be frequent enough to maintain vigilance (well under the 30-day retention ceiling), varied enough to reflect real-world conditions, and consistent enough to build lasting behavioral change.

Most importantly, the recent ETH Zurich research validates our fundamental philosophy: the value of phishing simulations lies not in teaching employees to memorize red flags, but in providing regular, gentle nudges that keep security top of mind. Every 10 days—give or take—seems to strike that balance well.

In the fight against phishing, perfection isn't the goal. Building a sustainable culture of security awareness is. Our ~10-day frequency, combined with deliberate variability and continuous refinement, represents our best current effort to achieve that goal while respecting both the available evidence and its limitations.

The behavioral science rationale

While explicit validation for 10 days is absent, behavioral science research provides theoretical support for this frequency range. The 10-day interval aligns with several psychological principles that could explain its effectiveness. Memory consolidation research indicates that information requires regular reinforcement to transfer from short-term to long-term memory, with optimal spacing preventing both memory decay and cognitive overload.

Habit formation research, particularly Lally's 2010 study, found that simple behaviors require an average of 66 days to become automatic, with substantial individual variation (18-254 days). Regular practice every 10 days would provide approximately 6-7 exposures during this critical habit formation period. Additionally, the 10-day frequency falls within the "sweet spot" between avoiding alert fatigue (which can occur with weekly training) and preventing significant skill decay (which happens with monthly or quarterly training).

The concept of "nudging" from behavioral economics also supports frequent, light-touch interventions over intensive, infrequent training sessions. Research shows that security nudges delivered at the moment of decision can increase phishing detection by up to 300%, and regular simulations serve as these behavioral nudges.

Industry benchmarks reveal a frequency spectrum

Analysis of major industry reports from 2020-2025 reveals a clear trend toward higher-frequency phishing simulations, though specific recommendations vary widely. The Verizon Data Breach Investigations Report 2025 found that the median time to click a phishing link is just 21 seconds, highlighting the need for well-developed defensive reflexes that only come from regular practice.

Industry benchmarks for 2025 show that organizations conducting quarterly simulations achieve only 7% reporting rates with 20% failure rates, while those implementing more frequent programs see dramatic improvements. The Ponemon Institute documented a 50x return on investment for phishing simulation programs in their first year, with a 64% reduction in click rates during proof-of-concept phases. However, these studies generally compare "frequent" versus "infrequent" training without specifically examining the 10-day interval.

Variations by industry and organization size

Research reveals that optimal simulation frequency varies significantly by context. High-risk industries like finance and healthcare often require more frequent testing due to regulatory requirements and threat exposure. The healthcare sector faces unique challenges—an Italian hospital study with 6,000+ staff found that personalized phishing attempts had dramatically higher success rates than generic ones, suggesting frequency alone isn't sufficient without quality content.

Organization size also influences optimal frequency. Small and medium businesses (100-499 employees) show the highest password submission rates at 7.3%, potentially benefiting from more frequent training. Enterprises with 10,000+ employees face coordination challenges that may make the 10-day frequency logistically difficult without substantial automation and resources.

The emergence of adaptive frequency models

Recent developments in security awareness training point toward adaptive, personalized frequency models rather than fixed intervals. Some organizations now adjust simulation frequency based on individual performance metrics—high performers receive less frequent but more challenging simulations, while struggling users get more frequent, basic-level practice. This approach suggests that the optimal frequency might not be universal but rather dependent on individual and organizational factors.

Research on cognitive load and alert fatigue provides important caveats to high-frequency training. SoSafe's research indicates that more than three simulations per month can actually decrease effectiveness due to simulation fatigue. This finding challenges the sustainability of the 10-day frequency for all organizations and highlights the importance of balancing frequency with quality and relevance.
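The following scheduler is an added example, not the training provider's own code, and serves both the variability described under "The Crucial Role of Variability" and the adaptive per-user models above. It draws memoryless inter-simulation gaps around a per-user mean, so "around day 10" cannot be gamed while several-in-a-day and 30-plus-day gaps still occur; the floor and ceiling on the mean are assumptions taken from the three-per-month fatigue figure and the 30-day retention window the page cites, and all rates are constructed sample values.

```python
import random
from datetime import date, timedelta

# Added example, not the training provider's own scheduler. The floor and
# ceiling are assumptions taken from figures the page quotes: more than ~3
# simulations a month risks fatigue (mean gap >= 10 days) and retention fades
# after roughly 30 days (mean gap <= 30 days).
MEAN_GAP_FLOOR = 10.0
MEAN_GAP_CEILING = 30.0

def adapt_mean_gap(base_mean, click_rate, report_rate):
    """Per-user mean gap in days: users who report more than they click get
    longer gaps, users who click more than they report get shorter ones,
    clamped to [MEAN_GAP_FLOOR, MEAN_GAP_CEILING]."""
    score = report_rate - click_rate  # in [-1, 1]
    return max(MEAN_GAP_FLOOR, min(MEAN_GAP_CEILING, base_mean * (1.0 + score)))

def draw_gaps(n, mean_days, seed=None):
    """Draw n inter-simulation gaps (fractional days) from an exponential
    distribution with the given mean. The exponential is memoryless, so the
    next test cannot be anticipated "around day 10"; gaps under a day
    (several tests in one day) and gaps over 30 days both occur naturally."""
    rng = random.Random(seed)
    return [rng.expovariate(1.0 / mean_days) for _ in range(n)]

def send_dates(start_iso, gaps):
    """Convert gaps into ISO calendar send dates beginning at start_iso."""
    start, elapsed, dates = date.fromisoformat(start_iso), 0.0, []
    for gap in gaps:
        elapsed += gap
        dates.append((start + timedelta(days=int(elapsed))).isoformat())
    return dates

def schedule_stats(gaps):
    """Mean gap, longest gap, and count of same-day follow-ups (gap < 1 day)."""
    return {"mean": sum(gaps) / len(gaps),
            "longest": max(gaps),
            "same_day": sum(1 for g in gaps if g < 1.0)}

if __name__ == "__main__":
    # Constructed strong reporter: 5% click rate, 40% report rate -> mean gap 13.5 days.
    mean = adapt_mean_gap(10.0, click_rate=0.05, report_rate=0.40)
    gaps = draw_gaps(36, mean, seed=7)
    print(send_dates("2025-01-06", gaps)[:5])
    print(schedule_stats(gaps))
```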

Critical evaluation of the 10-day recommendation

The 10-day phishing simulation frequency represents an intriguing case study in how vendor-specific recommendations can gain traction without clear academic foundations. While Hoxhunt's data suggests impressive results, several critical observations emerge from this research.

First, the lack of independent validation is concerning. No controlled studies comparing 10-day intervals against other frequencies exist, making it impossible to determine whether this specific timing is optimal or simply one of many effective high-frequency approaches. Second, the recommendation's singular source raises questions about generalizability—what works for Hoxhunt's specific methodology and client base might not translate universally.

The absence of the 10-day recommendation in academic literature before Hoxhunt's emergence suggests this is a proprietary innovation rather than a research-derived standard. While behavioral science principles provide post-hoc theoretical support, they could equally justify frequencies ranging from 7 to 14 days or even variable intervals.

Practical implications for organizations

Organizations considering phishing simulation frequency should recognize that while the 10-day interval lacks independent academic validation, the broader principle of frequent, regular training has strong empirical support. The evidence consistently shows that quarterly or annual training is insufficient for developing robust security behaviors, and monthly training represents the minimum viable frequency for most organizations.

For organizations evaluating the 10-day frequency specifically, several factors warrant consideration. Resource requirements for managing simulations every 10 days are substantial, requiring dedicated personnel or sophisticated automation. Employee culture and change management capabilities will determine whether this frequency enhances or hinders security culture. The quality and variety of simulation content matters more than frequency alone—10 days of repetitive, generic simulations will likely prove less effective than monthly high-quality, targeted scenarios.

Industry context, regulatory requirements, and threat landscape should drive frequency decisions rather than adherence to a specific number. Organizations might benefit from starting with monthly simulations and gradually increasing frequency based on measured outcomes and employee feedback.

Conclusion

The "every 10 days" phishing simulation recommendation emerges as a vendor-specific innovation from Hoxhunt rather than an academically validated standard. While their reported results are impressive and behavioral science provides theoretical support for this frequency range, the lack of independent research comparing different intervals means organizations should approach this recommendation critically. The optimal frequency likely depends on multiple factors including organizational culture, resources, industry requirements, and employee populations.

What the research does clearly establish is that frequent, regular phishing simulations—whether weekly, bi-weekly, or monthly—significantly outperform traditional quarterly or annual approaches. The 10-day interval may well be effective, but it should be evaluated as one option among several evidence-based approaches to high-frequency security awareness training rather than accepted as a universal best practice. Organizations would benefit most from starting with established monthly frequencies and adjusting based on their specific context and measured outcomes, rather than adopting the 10-day interval simply because it appears precise or scientific.