Elevate Security and Cyentia Institute report examined malware, phishing, email security and other real world attack data. While security training results in slightly lower phishing simulation click rates among users, it has no significant effect at the organizational level or in real-world attacks. An increase in simulations and training can be counterproductive, with users with five or more training sessions more likely to click on a phishing link than those with little or no training. A small percentage of users (~7%) ever execute or download malware but that grows to 31% among departments.
Source: https://www.helpnetsecurity.com/2021/05/12/solve-human-risk/