Today we review a recently released study: Understanding the Efficacy of Phishing Training in Practice.
Here is an AI-generated podcast summary of the paper, and below is a great overview as well.
Mandatory security awareness training sounds about as fun as watching paint dry! It’s no surprise that employees aren’t exactly jumping for joy at the thought of completing these modules. And let’s be honest, who can blame them?
The study at UCSD Health suggests that these annual training sessions might not be worth the time and effort. Employees who completed the training were just as likely to fall for phishing scams as their colleagues who hadn’t. It’s like sending someone to a self-defense class where they learn all the moves but still get knocked out in the first round.
The sources also question the effectiveness of embedded phishing training. This type of training is supposed to be more engaging because it’s delivered in the moment when an employee clicks on a phishing link. The idea is to create a “teachable moment.” The problem is that most employees simply aren’t paying attention! Many close the training window immediately, and less than a quarter actually bother to complete the modules. It seems that getting tricked into clicking a phishing link isn’t enough of a wake-up call to get people to invest in their cybersecurity education!
However, there is a glimmer of hope in the sources. The UCSD Health study found that interactive training, where employees have to answer questions about phishing warning signs, was more effective than simply presenting them with information about phishing. Think of it as the difference between reading a textbook about swimming and actually getting in the pool with a coach. Hands-on experience tends to be more effective.
But even the most interactive training won’t help if employees aren’t paying attention. The sources suggest that organizations should explore new ways to make training more engaging and relevant to employees’ daily work. Maybe gamification, personalized content or even a little friendly competition could spice things up.
In the end, the sources argue that organizations need to go beyond training and implement stronger technical measures to protect their employees. Think of it this way: It’s great to teach people how to avoid poison ivy, but it’s even better to build a fence around the patch! Technical solutions like multi-factor authentication can provide an extra layer of protection that doesn’t rely solely on human vigilance.