
The ROI of Phishing Simulations: Why One Avoided Breach Pays for Years of Training

The average cost of a breach is now $4.45M. Security awareness training costs $2–5 per employee per year. The math is so simple that it almost needs no explanation. But most organizations still treat phishing simulations as a compliance checkbox instead of a risk-reduction tool, which means they get minimal engagement and minimal results.

The organizations that are winning are the ones that gamified it. Leaderboards. Scoring. Recognition. The same psychology that works for Duolingo works for phishing training. And the ROI is indisputable: if one simulation saves you one breach, it pays for five to ten years of training for the entire organization.

The psychology of engagement

Traditional security awareness training looks like this: an email announcement, a link to training, 15 minutes of watching slides, a quiz at the end. Completion rates are 60–70%. Retention two weeks later is 30–40%. You can mandate it, but you cannot mandate engagement.

Gamified training flips the incentives. Leaderboards show who is scoring highest. Teams compete. Individuals see themselves ranked relative to their peers. One week into a leaderboard, completion rates hit 95%. Retention climbs to 65–75%. The training becomes social instead of painful.

Most phishing vendors in 2025 offered leaderboards as an add-on feature (usually expensive). In 2026, the winners are the platforms that ship gamification as the baseline and make it impossible to turn off. Your organization should demand it, and most vendors can now deliver it.

The mechanics that work

Scoring. Points per phishing email detected. Bonus points for reporting to IT (not just deleting it). Penalties for clicking. Badges for consistency. The system has to be transparent: an employee should know exactly why they gained or lost points. They should be able to look at their history and see their improvement.

Leaderboards. Weekly and monthly rankings. Department leaderboards. Peer leaderboards. Company-wide leaderboards. Not to shame the bottom, but to celebrate the top. Teams compete; individuals compete. The social pressure to not be last is powerful, and the aspiration to be first is powerful.

Reporting rewards. An employee who reports a real phishing email (not a simulation) should get points and recognition. This incentivizes the behavior you actually want: catching threats in the wild, not just passing tests.

Streaks. Perfect weeks earn badges. Monthly streaks earn perks (coffee cards, priority parking, or just public recognition). People will defend their streak. That defensiveness translates to consistent clicks on training and consistent caution with emails.

The one metric that matters: click-through rate reduction

After six months of a gamified phishing simulation program, the organizations we work with see click-through rates drop from 8–15% to 2–4%. That is the metric. If your simulation is not driving that, it is not working.

A 4% click-through rate on a simulated phishing email is still too high. But it is acceptable if everyone on the team is getting trained and the behavior is trending down every month. The goal is not zero (that is impossible); the goal is a low single-digit number that you can defend in an audit and that you know is far lower than the industry average.
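The scoring mechanics above (points for detecting, a bonus for reporting, penalties for clicking, streak badges, a transparent per-employee history, individual and department leaderboards) and the per-campaign click-through trend this section treats as the one metric that matters can be computed from the same event stream. The following is an added example, not code from the post or from any vendor's platform: the point values, the campaign ids and the six employees are constructed assumptions, since the post names the categories but gives no numbers.

```python
from collections import OrderedDict, defaultdict
from dataclasses import dataclass, field

# Point values are assumptions for this example; the post gives none.
POINTS = {
    "reported": 10,      # detected the simulated lure and reported it to IT
    "ignored": 3,        # detected it (deleted/ignored) but did not report
    "clicked": -10,      # fell for the simulated lure
    "real_report": 25,   # reported a real phishing email outside the simulation
}
STREAK_BADGE_WEEKS = 4   # consecutive click-free campaigns that earn a badge


@dataclass
class Event:
    campaign: str    # campaign id; sorted lexicographically to form the timeline
    employee: str
    department: str
    outcome: str     # one of the POINTS keys


@dataclass
class Ledger:
    department: str
    score: int = 0
    streak: int = 0
    badges: list = field(default_factory=list)
    # Transparent history of (campaign, delta, reason): the employee can see
    # exactly why each point was gained or lost.
    history: list = field(default_factory=list)


def score_events(events: list) -> dict:
    """Apply the scoring rules in campaign order; returns one Ledger per employee."""
    ledgers = {}
    for ev in sorted(events, key=lambda e: e.campaign):   # stable sort keeps intra-campaign order
        if ev.outcome not in POINTS:
            raise ValueError(f"unknown outcome {ev.outcome!r}")
        led = ledgers.setdefault(ev.employee, Ledger(ev.department))
        delta = POINTS[ev.outcome]
        led.score += delta
        led.history.append((ev.campaign, delta, ev.outcome))
        if ev.outcome == "real_report":
            continue            # real-world reports score points but are not part of the streak
        if ev.outcome == "clicked":
            led.streak = 0      # a click breaks the streak
        else:
            led.streak += 1
            if led.streak % STREAK_BADGE_WEEKS == 0:
                led.badges.append(f"{STREAK_BADGE_WEEKS}-week streak")
                led.history.append((ev.campaign, 0, "badge: streak"))
    return ledgers


def click_through_rates(events: list) -> "OrderedDict[str, float]":
    """Fraction of simulated lures clicked, per campaign, in campaign order."""
    sent, clicked = defaultdict(int), defaultdict(int)
    for ev in events:
        if ev.outcome == "real_report":
            continue            # not a simulated lure, so it is not in the denominator
        sent[ev.campaign] += 1
        clicked[ev.campaign] += ev.outcome == "clicked"
    return OrderedDict((c, clicked[c] / sent[c]) for c in sorted(sent))


def leaderboard(ledgers: dict) -> list:
    """Individual ranking, highest score first; ties broken by name for stability."""
    return sorted(((n, l.score) for n, l in ledgers.items()), key=lambda x: (-x[1], x[0]))


def department_leaderboard(ledgers: dict) -> list:
    """Average score per department, so teams of different sizes compete fairly."""
    scores = defaultdict(list)
    for led in ledgers.values():
        scores[led.department].append(led.score)
    return sorted(((d, sum(s) / len(s)) for d, s in scores.items()), key=lambda x: (-x[1], x[0]))


# Constructed sample: six employees in two departments over four weekly campaigns.
_DEPT = {"alice": "eng", "bob": "eng", "carol": "eng", "dave": "sales", "erin": "sales", "frank": "sales"}
_OUTCOMES = {
    "2026-W01": dict(alice="reported", bob="clicked", carol="ignored", dave="clicked", erin="ignored", frank="clicked"),
    "2026-W02": dict(alice="reported", bob="ignored", carol="reported", dave="clicked", erin="reported", frank="ignored"),
    "2026-W03": dict(alice="reported", bob="reported", carol="reported", dave="ignored", erin="reported", frank="ignored"),
    "2026-W04": dict(alice="reported", bob="reported", carol="reported", dave="reported", erin="reported", frank="clicked"),
}
SAMPLE_EVENTS = [Event(c, who, _DEPT[who], out) for c, outs in _OUTCOMES.items() for who, out in outs.items()]
SAMPLE_EVENTS.append(Event("2026-W03", "carol", "eng", "real_report"))   # carol caught a real phish in week 3

if __name__ == "__main__":
    ledgers = score_events(SAMPLE_EVENTS)
    for name, score in leaderboard(ledgers):
        print(f"{name:6} {score:4}  streak={ledgers[name].streak}  badges={ledgers[name].badges}")
    for dept, avg in department_leaderboard(ledgers):
        print(f"dept {dept:6} avg {avg:.1f}")
    for camp, rate in click_through_rates(SAMPLE_EVENTS).items():
        print(f"{camp} click-through {rate:.1%}")
```

Two design choices worth noting. Real-world reports earn points but are kept out of both the streak and the click-through denominator, so that the audit metric counts only simulated lures actually sent. Department rankings use the average rather than the total, otherwise the largest team wins by headcount alone.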

The 2026 compliance argument

In 2025, phishing simulations were a best practice. In 2026, they are a compliance baseline. If you are hit with an audit and you cannot produce quarterly simulations with measurable engagement and click-through trending, regulators will consider it a control failure. It will show up in your final report as evidence of weak security awareness.

The organizations that have that data — leaderboards, scores, trends — can hand over a folder of evidence and say “our organization shows sustained engagement and measurable improvement.” That is a strength. It wins audits.

See gamified phishing simulation in action

We run Security Awareness in production for our own team and our clients. Leaderboards, scoring, reporting rewards, and real-time trends. Book a demo to see the mechanics that actually drive behavior change and compliance.


The bottom line

Phishing simulation ROI is simple: one avoided breach pays for ten years of training. Most organizations are not tracking that number because they have not thought about it. Start tracking it. Start gamifying it. Let your team compete. Watch the click-through rate drop.