While the average response rate to any particular phishing email is about 20 percent, employees who click on one phishing email are 67 percent more likely than average to click on another one, with a click rate of 35 percent.
But their click rate falls to just 13 percent if they go through a third simulation exercise, 4 percent their fourth time through, and just 0.2 percent the fifth time.
"It is possible to change behavior," said Rohyt Belani, CEO at Leesburg, Va.-based PhishMe, Inc. "And we have metrics to prove it."
With the appropriate technology, employees can even become an active line of defense against phishing emails.
According to the study, one client employee base began reporting malicious attacks 15 minutes before anyone had actually downloaded the malicious attachment.
"You can turn people into a strong asset," Belani said. "We can get away from 'people are the weakest link.'"
In addition to running phishing simulations, Belani recommends that companies make it easy for employees to report malicious emails by adding a simple button to their Outlook screens.
Another approach that helps increase reporting is to show employees their personal accuracy scores for reporting malicious emails, and how they compare to the average at the company.
"People want to get better at this," he said.
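The two metrics the article describes, a falling click rate across successive simulation rounds and a per-employee reporting accuracy score compared against the company average, are straightforward to compute from simulation logs. The following is an added example, not PhishMe's code or anything from the article; the `MailEvent` records and the employee names are constructed sample data, and "accuracy" is taken here to mean the share of an employee's reports that were genuinely phishing (simulated or real) rather than benign mail. An employee who has never reported anything gets `None` rather than a misleading zero score.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class MailEvent:
    """One mail delivered to one employee during a simulation exercise (constructed schema)."""
    employee: str
    sim_round: int   # which simulation exercise the mail belonged to (1 = first)
    is_phish: bool   # True for a simulated phish, False for a benign control mail
    clicked: bool    # employee clicked the link / opened the attachment
    reported: bool   # employee used the report button on this mail


# Constructed sample data (hypothetical employees), not figures from the article.
EVENTS = [
    MailEvent("alice", 1, True,  True,  False),
    MailEvent("alice", 1, False, False, False),
    MailEvent("alice", 2, True,  False, True),
    MailEvent("alice", 2, False, False, True),   # false alarm: reported a benign mail
    MailEvent("bob",   1, True,  True,  False),
    MailEvent("bob",   1, False, False, False),
    MailEvent("bob",   2, True,  True,  False),   # clicked again, never reported
    MailEvent("bob",   2, False, False, False),
    MailEvent("carol", 1, True,  False, True),
    MailEvent("carol", 1, False, False, False),
    MailEvent("carol", 2, True,  False, True),
    MailEvent("carol", 2, False, False, False),
]


def reporting_accuracy(events):
    """Per employee: share of reported mails that really were phish (precision of reports).
    Returns None for employees who reported nothing, so silence is not scored as 0."""
    reported = defaultdict(int)
    correct = defaultdict(int)
    for e in events:
        if e.reported:
            reported[e.employee] += 1
            if e.is_phish:
                correct[e.employee] += 1
    employees = sorted({e.employee for e in events})
    return {emp: (correct[emp] / reported[emp] if reported[emp] else None)
            for emp in employees}


def company_average(scores):
    """Mean accuracy over employees who have a score; None if nobody has reported yet."""
    vals = [v for v in scores.values() if v is not None]
    return sum(vals) / len(vals) if vals else None


def scorecard(events):
    """What each employee would be shown: own accuracy and the gap to the company average."""
    scores = reporting_accuracy(events)
    avg = company_average(scores)
    return {emp: (s, None if s is None or avg is None else s - avg)
            for emp, s in scores.items()}


def click_rate_by_round(events):
    """Fraction of simulated phish clicked in each simulation round, in round order."""
    sent = defaultdict(int)
    clicked = defaultdict(int)
    for e in events:
        if e.is_phish:
            sent[e.sim_round] += 1
            if e.clicked:
                clicked[e.sim_round] += 1
    return {r: clicked[r] / sent[r] for r in sorted(sent)}


if __name__ == "__main__":
    for emp, (score, gap) in scorecard(EVENTS).items():
        print(f"{emp:6s} accuracy={score} gap_to_average={gap}")
    for rnd, rate in click_rate_by_round(EVENTS).items():
        print(f"round {rnd}: click rate {rate:.0%}")
```

Because the benign control mails are included in the data, the accuracy score penalizes reflexive reporting of everything, which is what keeps a report button useful to the security team rather than a source of noise.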
To ensure that employees aren't simply learning to avoid the simulated phishing emails, PhishMe creates phishing templates based on actual phishing emails that the bad guys are sending out. There are currently more than 300 different templates that PhishMe sends out.
Across all companies, phishing emails pretending to be regular office communications tend to hit the hardest, with a 22 percent click-through rate.
Of those, emails that claim to have your scanned file have a 36 percent open rate.
There are differences in click-through rates for different times of the year, and different industries.
For example, education industry employees getting a package delivery email have a 49 percent click-through rate, while employees in the travel industry respond to these just 13 percent of the time.
During the holidays, common phishing emails include holiday e-cards, holiday sales and discount offers, travel notifications, and, of course, package deliveries.
PhishMe is currently sending emails to 15 million unique employees, with clients typically running four to 12 phishing simulations per year.