
Phishing Training Does Not Work

Common phishing trainings do not work. Or rather: they yield an average improvement of 1.7% over no training at all. This is the result of a recent study by IT security researchers at the University of California San Diego and the University of Chicago. Let’s talk about the reasons, and how we can improve on the current trend.

The paper, called “Understanding the Efficacy of Phishing Training in Practice”, was published at the 46th IEEE Symposium on Security and Privacy, one of the top venues for cybersecurity research. Congratulations to the authors for this achievement!
(Link to paper, Mirror)

The Setup

The study looked at two types of anti-phishing training: the “annual cybersecurity awareness training” and “embedded anti-phishing training exercises”.

The former is about employees getting a (usually mandatory) training in the form of online courses (there are a lot of web-based offerings that do this), or less often an in-person training. The effectiveness of regular security trainings is considered medium to high, depending on the quality of the trainings and the frequency with which they are delivered. Regular awareness trainings are also a popular compliance requirement, used to check whether a company is doing enough to foster security awareness among employees. Research shows an inverse correlation between security awareness spending and incidents: the more time spent teaching the employees, the fewer incidents a company has.

The latter, “embedded anti-phishing trainings”, is a rather recent trend in security training: a cloud-based service sends several phishing mails to employees, often spread over several months, and the click rate is measured (the number of people who click the fake phishing link in a mail). Typically, the website behind the link clarifies the nature of the link (“it was a fake training mail”) and redirects the user to educational information about phishing, like “how to recognize phishing mails”. Often, it also offers additional training courses on these topics. Known providers of these services are KnowBe4 (used in the study), SoSafe, and Hornet Security, but there are many more cybersecurity companies offering these kinds of services.

In my work as a security consultant, I found that almost all companies that “do awareness trainings” use a cloud-based service like that, deploying “phishing campaigns” for the coming year and collecting the KPIs at the end of the year (how many people clicked, how many mails were detected or reported as phishing, etc.). Only to change nothing about it for the next year.

Does it work?

In the study, the authors tested both training types on 19k healthcare workers. The findings are:

  • Whether a user has had an annual security training does not matter when evaluating whether that user clicked on a phishing link. Even very recent trainings did not produce better results for users.
  • Embedded phishing campaigns only reduced the average click rate by 2%.
  • When users clicked a phishing link and got redirected to the training page, they closed the website within 10 seconds, and “less than 24% of users” completed the training after a phishing event.

So, the obvious answer is: No, trainings do not seem to work for healthcare workers in the US. Or at least their impact on actual cybersecurity is extremely limited, despite the rather extensive costs of these offerings.

Sure, the study has one big limitation: its subjects were workers at a single US healthcare facility. But these findings align with similar studies done for different sectors, which found that training had no significant effect on susceptibility to phishing. In simple words: yearly training with online courses does not change the likelihood that users click on phishing links. And that is the whole point of these trainings.

Another effect that is not too surprising for me, having worked with clients in healthcare, is that people do not follow through with trainings when they are caught clicking on (fake) phishing links.

A CTO at a hospital once said to me:

Yes, we do anti-phishing campaigns with fake emails, but we deactivated the forwarding to training material. If the doctors and medical personnel saw that after clicking on links, they would harshly complain to us about why we are wasting their time.

I am pretty confident this is similar in many companies in other sectors. Phishing training is such a big business, but the current market does not really offer effective measures, as phishing is still a major attack vector for companies.

What can we do then?

The study does not go into depth, but it mentions that users who had interactive trainings performed best against phishing. And in the end, this is an awareness and training problem. You cannot use technology to fix issues caused by human nature.

I have seen trainings saying that phishing is an email that wants you to enter a password, but the reality is much more complex. We have seen attacks where people are asked to send money, open attachments, or simply reply to establish a relationship between victim and attacker. Social engineering is much more than phishing and emails. The underlying problem is that humans want to trust other humans, and are sometimes under pressure to do their job fast, not safely.

Invest more time into interactive security awareness, and not just phishing! Talk openly about attacks, motivate your employees to be aware in their private life, let experts speak about these topics, and ultimately consider security in every step of a business process. What this means: If you estimate how much time a project might need, consider security aspects like:

  • “how do I share these documents safely?”,
  • “how do I make sure that my people (aka employees) cannot make mistakes that lead to a security incident?”,
  • “what can I do to make the process safe, but also viable and effective?”

In many cases, this means: we need more budget. Of course, security comes at a cost, but you always need to weigh it against the potential damage to your company from a successful attack. This is what we call Risk Management, and it is one of the main pillars of good cybersecurity.

And if you do not know where to start: hire people who understand this and are able to communicate on your level. That is the best way to stop burning cash on “trainings” and to develop a successful security culture.


Photo by Nick Morrison on Unsplash

Published in IT-Security
