"These are all very important learnings for our end users," Rocco said. "And people love it."
It helps that the security training is also often applicable to employees' personal computer use, he added.
One effect of the security training is that employees are now reporting strange emails or other happenings. That means that if the company is being specifically targeted, even if some employees still fall for phishing emails, others will have spotted them and alerted the security team that there's something going on.
Rocco said that there's also been a strong decrease in malware across the network.
Obviously, no system is perfect. In fact, there were two recent incidents in which two employees fell victim to CryptoLocker. When the company investigated, it turned out that one of the employees had not taken the training, and the other received a poor grade.
In addition to Wombat, several other vendors are happy to send simulated phishing attacks against your employees. They include PhishMe, which counts 35 of the Fortune 500 as customers. Others are ThreatSim, SynerComm, PhishingBox, and KnowBe4.
But this kind of simulation-based training is still new to the industry, said Seth Robinson, senior director of technology analysis at the Computing Technology Industry Association.
"I have talked to some companies who have done this kind of training, and that does tend to be one of the premiere examples of what security training should look like," he said. "Companies who have tried that show some success."
But comprehensive, ongoing simulation-based security training is rare.
"Our data shows that not many companies are doing serious training," he said.
Instead, he said, companies are still more likely to give a copy of a security policy to newly-hired employees and ask them to sign.
Creating a cultural shift
When security training means checking off a compliance box, it's hard to get people to pay attention, much less take it to heart.
"But if good security hygiene permeates a company, then it's something that can be successful," said Siobhan MacDermott, principal in the cybersecurity practice at Ernst & Young. "We work with a lot of boards and senior management in setting up security awareness programs. And we go back and see if there's a change in behavior."
The main factor that makes a difference is whether the behavior is modeled by the most senior executives, all the way down.
"It can't be just implemented from HR," she said.