One employee out of 19,500 fell for a simulated phishing email every time during an eight-month research period, despite all the cybersecurity training efforts.
An extensive new study has revealed that cybersecurity training has practically no impact on the likelihood of falling victim to phishing.
Over a period of eight months, researchers conducted ten simulated phishing campaigns sent to over 19,500 employees at a major US healthcare organization and observed no improvement.
The first finding was that the recent completion of cybersecurity awareness training had no significant correlation with reduced phishing failures.
It gets even worse.
“Users who have completed multiple static training sessions have an increased likelihood of failing a phishing exercise,” reads the paper by researchers from UC San Diego, University of Chicago, and US San Diego Health.
A minuscule improvement, only by 1.7% lower future failure rate, was only observed in recipients of embedded phishing training, a real-time intervention provided to users in real time, after they fail a simulated phishing attempt. Think of it as a website that opens when a phishing link is clicked, informing users that they’ve been tricked.
“We find that the absolute difference in failure rates between trained and untrained users is extremely low across a variety of training content,” the researchers concluded.
Too many people fall for phishing lures
The danger of phishing is better illustrated by the number of recipients who fell for fabricated scams: 56% of users clicked on at least one out of ten phishing links during the study.
Repeated failures are also alarming, with 25.9% of users failing at least two phishing simulations and 9.8% failing at least three out of ten. Only one individual clicked on links in all ten phishing emails.
Some of the most effective phishing lures were related to vacation policy, dress code, and traffic ticket, all tricking over 20% of receivers.
The most successful Vacation Policy campaign came from human resources. Its subject was “Updated vacation and sick time policy,” and it notified the recipient that there was a new vacation and sick time policy. It tricked 30.8% of receivers.
The researchers measured the time the users spent on the embedded training materials on the “phishing page,” and the result was disappointingly low.
“Over half of all training sessions end within 10 seconds, and less than 24% of users formally complete the training materials.”
Despite all the training and efforts, the failure rates among all groups were still over 15% for several phishing simulations.
The paper doesn’t include suggestions for solving the complex phishing problem. The researchers recommend that future work should focus on increasing user engagement with the training material.
“Combined with the bulk of empirical evidence from other studies involving real-world, controlled experiments, our results suggest that organizations should not expect large anti-phishing benefits from either annual security awareness training or embedded phishing as commonly deployed today.”
Your email address will not be published. Required fields are markedmarked