The compliance officer at a mid-tier UK building society opened the quarterly phishing simulation report and saw something that should worry every financial services firm: click rates had barely moved in eighteen months of monthly training. Staff were completing modules, passing quizzes, collecting certificates — and still clicking malicious links at roughly the same rate they did before the programme started.
This is the dirty secret of security awareness training in UK financial services. Tick-box e-learning produces tick-box behaviour. The FCA's expectations under PS21/3 Operational Resilience and SYSC 3.2 require firms to manage the human element of cyber risk as a genuine operational control, not a compliance artefact. When the regulator asks how your training reduces phishing susceptibility, "we completed 100% of modules" is not an answer.
Our consultants have rebuilt awareness programmes for banks, payment institutions, and wealth managers across the UK. The pattern is consistent: firms that treat awareness as content delivery fail. Firms that treat it as human risk management — measured, segmented, behaviourally designed — see real reductions in click rates and credential submission rates within two quarters. Here is the five-stage programme we deploy.
Stage 1: Baseline the Human Risk Surface Before You Train Anyone
You cannot reduce what you have not measured. Most UK financial services firms launch awareness programmes without a credible baseline, which means they cannot prove improvement and cannot defend the programme to the FCA, internal audit, or the board.
A proper baseline has three components. First, an unannounced phishing simulation across the entire workforce — not a friendly test, but a realistic lure built around credential harvesting, invoice fraud, or MFA fatigue. Second, a department-level breakdown of who clicked, who reported, who entered credentials, and who did nothing. Third, a contextual overlay: which roles handle payments, customer data, privileged access, or vendor onboarding. A finance assistant clicking a fake supplier invoice is a different risk class to a developer clicking a recruitment lure.
We typically find that finance, operations, and customer service teams have click rates two to three times higher than IT and risk functions. That is not a training failure — it is a targeting problem. You train these groups differently because attackers target them differently. The baseline tells you where to spend your budget.
Document the baseline formally. It becomes evidence for your ISMS under ISO 27001 certification (Annex A controls 6.3 and 7.2.2) and a reference point for every subsequent quarter.
Stage 2: Segment Your Workforce by Risk, Not by Org Chart
Generic training fails because the threat landscape is not generic. A relationship manager at a private bank faces business email compromise targeting high-value client transfers. A developer faces supply chain lures and fake recruiter messages with malicious attachments. A board member faces whaling attacks impersonating the Chair or external counsel. One training module cannot address all of these.
Build four to five risk segments based on what an attacker would want from each role:
- Payment authorisers and finance — invoice fraud, CEO impersonation, supplier compromise
- Privileged IT and DevOps — credential theft, fake MFA prompts, malicious package installs
- Client-facing relationship and ops staff — customer impersonation, data exfiltration lures
- Executives and PAs — whaling, deepfake voice and video, legal threats
- General workforce — credential harvesting, malware delivery, MFA fatigue
Each segment gets a tailored curriculum, tailored simulations, and tailored metrics. The relationship manager does not need to watch a video about ransomware on a domain controller. The developer does not need fifteen minutes on supplier invoice fraud. Relevance drives engagement, and engagement drives behaviour change.
Stage 3: Run a Continuous UK Phishing Simulation Programme — Not Quarterly Theatre
Quarterly phishing tests are theatre. Attackers do not warn staff that a campaign is coming next month. A credible UK phishing simulation programme runs continuously, with new lures every two to four weeks, varied by segment, and graduated in difficulty.
Start with low-complexity lures — obvious spelling errors, mismatched senders, generic greetings. Over six months, escalate to threats that mirror real attacker tradecraft: lookalike domains, compromised supplier accounts, contextually accurate references to internal projects pulled from LinkedIn, and MFA fatigue prompts. The goal is not to humiliate staff; it is to inoculate them against threats they will actually face.
Two metrics matter more than click rate. The first is report rate — what percentage of recipients used the "Report Phishing" button within ten minutes. A high report rate is a far better indicator of programme health than a low click rate, because reporting is an active, trained behaviour. The second is credential submission rate — what percentage of clickers actually entered credentials on the landing page. This separates the curious from the genuinely compromised.
Treat reporting as the headline KPI. Praise reporters publicly. When a real attack arrives, you want hundreds of reports flooding the SOC inbox within minutes — and that only happens if reporting is normalised.
Stage 4: Replace Punishment with Just-in-Time Coaching
Naming and shaming clickers destroys the programme. Staff stop reporting because they fear being added to a list. Managers lose trust. The compliance team becomes an enemy rather than an ally. We have seen entire awareness programmes collapse because a CISO publicly listed the "top ten clickers" in an all-hands meeting.
Replace punishment with just-in-time micro-training. When a staff member clicks a simulated lure, they land on a short coaching page — sixty to ninety seconds — that explains the specific red flags in the email they just clicked. No quiz, no certificate, no escalation. Repeat clickers within a quarter receive a fifteen-minute manager-led conversation, not a disciplinary referral.
Reserve formal escalation for genuine policy violations: clicking after explicit warning, sharing credentials in response to a phishing email after coaching, or bypassing reported security controls. Even then, route it through HR and line management — not a public shaming exercise.
This is human risk management as a behavioural discipline. The objective is not to identify bad staff; it is to change the firm's collective response to social engineering.
Stage 5: Measure, Report, and Tie Outcomes to Board-Level Risk
An awareness programme that cannot show measurable risk reduction will be defunded at the first budget review. Build a quarterly dashboard with five core metrics, segmented by business unit:
- Click rate by segment, trended over twelve months
- Report rate and time-to-first-report
- Credential submission rate on simulations
- Repeat clicker percentage
- Coverage and completion of segmented training modules
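As an added illustration (not part of the original article, and not any vendor's export format), the following Python computes the Stage 3 KPIs and four of the five dashboard metrics above from a constructed simulation log: click rate and report rate per segment, credential submission rate among clickers, and repeat-clicker percentage across campaigns. The field layout, segment names, ten-minute reporting window and sample rows are assumptions; module completion comes from the LMS and is not modelled.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one row per recipient per campaign (not a real export):
# (campaign, segment, user, delivered, clicked, submitted_creds, reported); None = did not happen
EVENTS = [
    ("C1", "finance", "alice", "2024-03-04T09:00", "2024-03-04T09:03", "2024-03-04T09:04", None),
    ("C1", "finance", "bob",   "2024-03-04T09:00", None, None, "2024-03-04T09:06"),
    ("C1", "finance", "carol", "2024-03-04T09:00", "2024-03-04T09:20", None, "2024-03-04T09:22"),
    ("C1", "it",      "dave",  "2024-03-04T09:00", None, None, "2024-03-04T09:02"),
    ("C1", "it",      "erin",  "2024-03-04T09:00", None, None, None),
    ("C2", "finance", "alice", "2024-03-25T14:00", "2024-03-25T14:05", None, None),
    ("C2", "finance", "bob",   "2024-03-25T14:00", None, None, "2024-03-25T14:30"),
    ("C2", "finance", "carol", "2024-03-25T14:00", None, None, "2024-03-25T14:01"),
    ("C2", "it",      "dave",  "2024-03-25T14:00", "2024-03-25T14:10", None, None),
    ("C2", "it",      "erin",  "2024-03-25T14:00", None, None, "2024-03-25T14:09"),
]
REPORT_WINDOW = timedelta(minutes=10)  # "used the Report Phishing button within ten minutes"

def _ts(s):
    return datetime.fromisoformat(s) if s else None

def segment_metrics(events, window=REPORT_WINDOW):
    """Click rate and report rate per recipient; credential submission rate per *clicker*."""
    agg = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0, "submitted": 0})
    for _, seg, _, sent, clicked, submitted, reported in events:
        a = agg[seg]
        a["sent"] += 1
        a["clicked"] += clicked is not None
        a["submitted"] += submitted is not None
        # A late report still helps the SOC, but only prompt reports count towards the KPI.
        if reported and _ts(reported) - _ts(sent) <= window:
            a["reported"] += 1
    return {seg: {"click_rate": a["clicked"] / a["sent"],
                  "report_rate": a["reported"] / a["sent"],
                  "cred_submit_rate": a["submitted"] / a["clicked"] if a["clicked"] else 0.0}
            for seg, a in agg.items()}

def repeat_clicker_pct(events):
    """Share of all recipients who clicked in two or more campaigns in the period."""
    clicked_in, users = defaultdict(set), set()
    for camp, _, user, _, clicked, _, _ in events:
        users.add(user)
        if clicked:
            clicked_in[user].add(camp)
    return sum(len(c) >= 2 for c in clicked_in.values()) / len(users)
```

On the sample rows, finance shows a 50% click rate but only a 33% prompt-report rate, while IT clicks at 25% and reports promptly at 50%; note that carol's late report in C1 is excluded from the KPI, which is exactly the distinction the ten-minute window is meant to make.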
Report this to the board's risk committee alongside other operational resilience metrics under PS21/3. Frame it in the language they understand: tolerance for disruption, likelihood of a successful intrusion, and the firm's resilience posture. Awareness training stops being an HR line item and becomes a board-visible control.
For firms pursuing or maintaining ISO 27001, this dashboard satisfies the measurement requirements of clause 9.1 and Annex A control 6.3. For FCA-regulated firms, it forms part of the evidence base for the operational resilience self-assessment.
Common Mistakes That Destroy Awareness Programmes
Three failure modes appear repeatedly in firms we audit:
Over-reliance on a single vendor's content library. Generic, multi-tenant phishing templates are recognised by staff within weeks. Customise lures to your firm's actual tooling, supplier names, and internal language.
Confusing completion with competence. A 100% module completion rate tells you nothing about behaviour. Measure what staff do when targeted, not whether they sat through a video.
Ignoring leadership. If executives skip training or are exempted from simulations, the programme has no credibility. Whaling simulations against the board, with results discussed at the risk committee, signal that this is serious.
How Pyralink Helps
Pyralink Innovation Ltd designs and runs human risk management programmes for UK financial services firms, building societies, and FCA-regulated payment institutions. Our consultants — led by Michael Adedeji (CISM, CISA, CC, MSc Data Science) — build segmented training curricula, run continuous phishing simulations, and integrate awareness metrics into ISMS and operational resilience reporting.
We deliver this through our fractional vCISO service from £497 per month, or as a standalone programme build. Our consultants can also run a free initial assessment of your current awareness posture and phishing exposure. For technical control gaps that amplify human risk — misconfigured email gateways, weak MFA, exposed admin interfaces — CloudAuditX identifies what your training cannot fix. Read more case studies and frameworks in our insights library, or run the free compliance scanner to benchmark your current posture.
Pyralink carries £5M professional indemnity insurance and works exclusively with UK-regulated firms.