AI Summary
This study investigates the impact of sustained phishing training and affective triggers on employees' long-term susceptibility to phishing attacks. Employing a 12-month longitudinal field experiment, we deployed personalized simulated phishing emails to organizational employees, incorporating psychological manipulation techniques, source credibility cues, and emotion-eliciting design elements. Behavioral responses were analyzed using nonparametric correlation and regression modeling. Our key contributions are: (1) sustained training reduced click-through rates by 50% within six months, significantly enhancing long-term defensive resilience; (2) affective triggers accelerated internalization of security awareness, though their efficacy was moderated by individual differences; and (3) employee turnover emerged as a critical covariate driving the decay of security awareness over time. All materials and analytical frameworks are openly shared. This work provides empirically grounded, organizationally scalable guidance for designing and deploying effective, long-term cybersecurity awareness interventions.
Abstract
Phishing constitutes more than 90% of successful cyberattacks globally, remaining one of the most persistent threats to organizational security. Despite organizations tripling their cybersecurity budgets between 2015 and 2025, the human factor continues to pose a critical vulnerability. This study presents a 12-month longitudinal investigation examining how continuous cybersecurity training and emotional cues affect employee susceptibility to phishing. The experiment involved 20 organizations and over 1,300 employees who collectively received more than 13,000 simulated phishing emails engineered with diverse emotional, contextual, and structural characteristics. Behavioral responses were analyzed using non-parametric correlation and regression models to assess the influence of psychological manipulation, message personalization, and perceived email source. Results demonstrate that sustained phishing simulations and targeted training programs lead to a significant reduction in employee susceptibility, halving successful compromise rates within six months. Additionally, employee turnover introduces measurable fluctuations in awareness levels, underscoring the necessity of maintaining continuous training initiatives. These findings provide one of the few long-term perspectives on phishing awareness efficacy, highlighting the strategic importance of ongoing behavioral interventions in strengthening organizational cyber resilience. To support open science, we published our email templates, source code, and other materials at https://github.com/CorporatePhishingStudy.
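The abstract describes two measurements a security-awareness program owner would want to reproduce from their own simulation logs: the month-by-month click-through rate (to see whether it halves within six months) and a non-parametric correlation between elapsed training time and that rate, with tenure kept as a covariate. The following Python is an added illustration written for this page, not code from the study or from the linked repository; the log format, the constructed sample (20 employees per month over six months, the first four of each cohort marked as new hires) and the helper names are all assumptions. It computes monthly click rates, ranks them, and derives a Spearman rank correlation by hand so that it runs with the standard library only.

```python
"""Analyse a constructed simulated-phishing log: monthly click rate, halving
point, tenure split, and Spearman rank correlation of month vs. click rate.
Illustrative example only; the data below is constructed, not from the study."""
from collections import defaultdict

# Constructed design: per month, (clicks among the 4 new hires, clicks among
# the 16 tenured employees). Totals fall 8,7,6,5,4,3 across six months.
CLICKS_PER_MONTH = {1: (4, 4), 2: (4, 3), 3: (3, 3), 4: (3, 2), 5: (2, 2), 6: (2, 1)}
NEW_HIRES = 4
EMPLOYEES_PER_MONTH = 20


def build_records():
    """One row per simulated email: (month, employee_id, is_new_hire, clicked)."""
    records = []
    for month, (new_clicks, tenured_clicks) in CLICKS_PER_MONTH.items():
        for emp in range(EMPLOYEES_PER_MONTH):
            new_hire = emp < NEW_HIRES  # hypothetical: emp00..emp03 are new hires
            if new_hire:
                clicked = emp < new_clicks
            else:
                clicked = (emp - NEW_HIRES) < tenured_clicks
            records.append((month, f"emp{emp:02d}", new_hire, clicked))
    return records


def click_rate_by_month(records):
    """Fraction of simulated emails clicked, keyed by month."""
    sent, clicked = defaultdict(int), defaultdict(int)
    for month, _emp, _new, did_click in records:
        sent[month] += 1
        clicked[month] += int(did_click)
    return {m: clicked[m] / sent[m] for m in sorted(sent)}


def halving_month(rates):
    """First month whose click rate is at most half of the first month's rate,
    or None if the rate never halves in the observed window."""
    months = sorted(rates)
    baseline = rates[months[0]]
    for m in months[1:]:
        if rates[m] <= baseline / 2:
            return m
    return None


def click_rate_by_group(records):
    """Click rate split by tenure, the covariate the abstract flags as driving
    awareness decay through turnover."""
    sent, clicked = defaultdict(int), defaultdict(int)
    for _month, _emp, new_hire, did_click in records:
        key = "new_hire" if new_hire else "tenured"
        sent[key] += 1
        clicked[key] += int(did_click)
    return {k: clicked[k] / sent[k] for k in sent}


def _ranks(values):
    """1-based ranks with ties given their average rank."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    ranks = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        avg = (i + j) / 2 + 1
        for k in range(i, j + 1):
            ranks[order[k]] = avg
        i = j + 1
    return ranks


def spearman(xs, ys):
    """Spearman's rho: Pearson correlation of the two rank vectors."""
    rx, ry = _ranks(xs), _ranks(ys)
    n = len(rx)
    mx, my = sum(rx) / n, sum(ry) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(rx, ry))
    sx = sum((a - mx) ** 2 for a in rx) ** 0.5
    sy = sum((b - my) ** 2 for b in ry) ** 0.5
    return cov / (sx * sy)


def spearman_month_vs_rate(records):
    """Correlation between elapsed months of training and monthly click rate;
    a value near -1 means click rate falls steadily as training continues."""
    rates = click_rate_by_month(records)
    months = sorted(rates)
    return spearman(months, [rates[m] for m in months])


if __name__ == "__main__":
    recs = build_records()
    print("monthly click rate:", click_rate_by_month(recs))
    print("halving month:", halving_month(click_rate_by_month(recs)))
    print("by tenure:", click_rate_by_group(recs))
    print("spearman(month, rate):", round(spearman_month_vs_rate(recs), 3))
```

On real logs the same functions apply once each row is mapped to (month, employee, new-hire flag, clicked); the tenure split is the piece to watch, because a stable overall rate can hide a low tenured rate masked by an incoming cohort that has not yet been trained.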