Phishing Training Might Be Missing the Mark?
- derekdodds
- 3 days ago
- 1 min read
Updated: 3 days ago

Recent findings from a study carried out by UC San Diego Health (Jan–Oct 2023) delivered some very interesting results: the phishing awareness training that most organizations rely on may not be delivering the impact we expected.
Summary:
- Annual awareness training yields no measurable benefit. The study found no correlation between the timing of a user's cybersecurity training and their likelihood of failing simulated phishing tests.
- Embedded phishing training offers only minimal protection. While statistically significant, the reduction in phishing click-through rates was just 1.7% on average, even after controlling for other factors.
- User engagement with training is extremely low. Very few users engage with embedded training in the wild; users completed only 15–24% of interactive training sessions.
- Static training may backfire. Users who complete multiple static training sessions were found to have an 18.5% increased likelihood of failing for each additional training they complete.
- Interactive training shows promise, but only when users engage. The few who completed interactive modules saw a 19% reduction in future phishing failures, though the absolute number of users who fully engaged remains very low.
Options:
- Reevaluate training investments. Annual modules and standard embedded tests may provide minimal real-world protection.
- Prioritize interactive, engaging designs. Static information pages are not just ineffective; they may even be harmful if over-relied upon.
- Raise engagement levels. Without real user interaction, even the most sophisticated training won't stick.
- Consider alternative approaches. Think beyond training; simulated phishing shouldn't stand alone. Boost threat detection tools, testing regimes, and proactive defences.
How do you plan to evolve your training strategy?
Read the full paper here: https://arianamirian.com/docs/ieee-25.pdf