We've All Been Wrong: Phishing Training Doesn't Work
The overwhelming majority of cyberattacks do occur due to some form of human error: an unwisely clicked link, a weak password, etc.
a team of 10 researchers from the University of Chicago, the University of California San Diego (UCSD), and UCSD Health performed a study of unprecedented scale in the cybersecurity industry. Over an eight month period in 2023, they studied the effects of phishing training on 19,789 personnel at UCSD Health, a large healthcare organization.
The intuitive sense behind the idea makes it extra compelling and may explain why it persists despite rigorous recent evidence to the contrary.
'We just need to make users aware.
the tips did not improve employees' ability to suss out real-life phishing emails. In fact, it actually had an unexpectedly regressive side effect: for having been exposed to the training, employees reported feeling safer online, seeing that their company was investing in cyber protections. Ironically, they ended up more likely to fall for bad emails.
Besides annual phishing courses, they examined four kinds of embedded training:
Static Web pages, developed by Proofpoint, with general tips on how to avoid phishing attacks
Interactive pages, with generalized Q&A exercises also sourced from Proofpoint's library
Static pages customized to the particular phishing email the employee had just fallen for
companies that deploy the most effective training courses available can expect a quarter of their employees to improve around 20%.
Static training demonstrated no benefit whatsoever, in no small part because employees simply weren't engaged.
Ironically, employees who completed multiple static training sessions became 18.5% more likely to fall for a phishing email.
The discouraging data piles on from there. Annual training is presumed to refresh employees' ability to fight bad emails, but the study found no such relationship — employees were approximately as likely to click a bad link one month after their course as they were after more than a year.
convincing phishing emails tricked even the most highly trained, best-performing employees more than 15% of the time, meaning that one well-crafted email can totally negate any benefits of any training at any company with more than a handful of employees.
What Now for Anti-Phishing Efforts?
With training we're saying: 'Hey, you are responsible, you need to learn.
Her study leaves open the possibility that certain, unexplored kinds of training could work, like more expensive, one-on-one in-person coaching.
"We're just saying the current methods aren't working."