Phishing training needs a new hook, here’s how to rethink your approach



Phishing training offers minimal benefits

Grant Ho, assistant professor of computer science at The University of Chicago, collaborated with UC San Diego and UC San Diego Health to evaluate the efficacy of annual training and embedded phishing training. The researchers analyzed how approximately 20,000 employees at UCSD Health handled simulated phishing campaigns across eight months. They found no evidence that annual cybersecurity training improves employees' phishing failure rates.

"We basically found there was no difference in the user's susceptibility to phishing for people who had just completed their training versus people who had completed the training a long time ago," says Ho.

The results for embedded training were little better. The researchers found that 37% to 51% of training sessions get no user engagement: users simply close the page.

"Our results suggest that training as it's currently deployed today is definitely by itself going to be insufficient for protecting others against phishing and may not yield the benefits that people are maybe conceiving or expecting it to produce," says Ho.

Why is training so ineffective? User engagement and user behavior are big pieces of the puzzle. People often do not engage with the training, and even when they do, they retain little of it.

"Training is just another thing to put on the to-do list that's not billable," Oksenhendler points out.

People know about phishing. They know how much damage these attacks can cause. But they are busy managing their own workloads. Training as it exists today is something they can either ignore or rush through to check off their list. Picture employees inundated with their own work and a relentless stream of phishing attempts: all it takes is one distracted click.

"Cyber training fatigue continues to exist," says Chiranjeev "CJ" Bordoloi, director and cofounder of the National Cybersecurity Society (NCSS). "When you have fatigue, that usually leads to apathy."

How security leaders can rethink phishing training

If training was lagging before, it risks falling even further behind as threats evolve. Phishing is only getting better with generative AI in the mix. Security leaders have their work cut out for them. Training needs to evolve, and it is just one piece of a much bigger, cultural puzzle.

"If the C-suite and leadership are not security culture-minded, then it's not going to be a problem until they're on the cover of the Washington Post or they have to pay a massive fine to somebody," says Oksenhendler.

Taking any element of cybersecurity, training or otherwise, from a check-the-box approach to an integrated cultural value is a significant lift. Getting better at stopping phishing attacks isn't just about securing more dollars and buy-in at the top. It is also about changing the behavior of individual users, which is arguably more difficult.

"User behavior is not technical at all. User behavior is prehistoric," says Bordoloi. "You can't really change user behavior with one training session."

Ilany-Tzur conducted a study that offers insight into user behavior and vulnerability to phishing attacks. The research found that the type of device plays a role: PC users are more likely to make risky clicking choices than mobile users. Understanding how user behavior varies across devices could help security leaders make more nuanced decisions about training and other phishing protection measures.

Right now, there is no single answer that unlocks the most effective phishing training program. But the experts are looking. Ilany-Tzur is interested in a behavioral perspective.

"A key interesting question is: What is the exact psychological mechanism, the design of the alternative, that will encourage people to avoid those risks?" she asks.

She points to the System 1 and System 2 models of thinking described by psychologist Daniel Kahneman, the former referring to automatic and emotional thinking and the latter to rational, considered thinking. "It's about this automatic mindset and System 1 behavior," says Ilany-Tzur. "How can we train users' automatic reactions to be the right ones (i.e., not clicking that suspicious link)?"

The answer to that question remains open. Ilany-Tzur argues that users need an easy set of behaviors they can rely on when they encounter an attempted phishing attack. "What should I do at this point? Who should I contact? What is the hotline to report it? What is the behavior?" she says. "I'm aware of the risk, but what are my easy go-to actions to deal with an attack?"

Rewriting human behavior is a huge mountain to scale. Security leaders don't need to grab their climbing gear, but that doesn't mean they should throw up their hands and take the attitude that some training, even if it isn't working, is better than nothing.

Phishing training can change; there are indications that gamification of security training increases user engagement. Enterprises can make training more interactive and sweeten the deal with incentives. "You can reward people with something as small as a gift card," says Bordoloi. "If there's a major attack that's defended against, you can even reward teams with an offsite or something fun."

On the other side, there is the option of instituting penalties for repeated failure to complete or pass phishing training. While the carrot-and-stick approach has its appeal, security leaders first need to take an honest look at whether their training approaches deliver any value. It doesn't make much sense to punish or reward people for engaging with a training program that isn't effective in the first place.

Is a training program meeting people where they are? Does it cater to different styles of learning? Does it account for the proliferation of work-from-home and hybrid employment models?

The work does not stop when the training is done

The ultimate question, "Is my phishing training program working?", should have an actual answer, or at least there should be an effort to answer it. There are metrics to look at. Are people completing the training? How many people are failing? Are the same people failing repeatedly? How many real-world phishing attempts has the organization successfully stopped, and how many has it missed?

Understanding what works and what doesn't for these training programs is an ongoing process, and one that appears to need a big overhaul.

"It's going to take an outside-the-box approach. Blow up the norm, and come up with something that's creative, that meets people where they are, that is not a slog," says Oksenhendler. "But it also [should] drive home that we're serious about security, so you need to be serious about security."

Training can always get better, but it is never going to be enough on its own when humans, as all security leaders know, remain the most vulnerable target for cyberattacks. Even the best training methods cannot stand alone.

"Phishing training, by and large, is not a very effective way to reduce an organization's susceptibility to attacks," says Ho. "Deploy other measures, for example, two-factor authentication or phishing detection, to really protect your organization against these attacks."
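The metrics above are only useful if someone actually computes them. The following script is an added example, not code from the CSO article or from the UChicago/UCSD study it cites. It takes a constructed sample of phishing-simulation results (hypothetical users, campaigns and dates, joined with each user's most recent training completion) and answers the questions the article raises: completion within the last year, per-campaign click rate, engagement with the embedded training page after a click, repeat clickers, and the study's comparison of click rates between recently trained and long-ago-trained users. The `SimResult` record layout and the 90-day "recent" threshold are assumptions for the example; the sample numbers prove nothing about any real program.

```python
"""Phishing-simulation program metrics.

Added example, not code from the CSO article or from the UChicago/UCSD study.
Computes the questions a program owner should be able to answer over a
constructed sample of simulation results.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class SimResult:
    """One user's outcome in one simulated phishing campaign (assumed layout)."""
    user: str
    campaign: str
    sent: date                     # when the lure was sent
    clicked: bool                  # user clicked the lure link
    training_opened: bool          # clicker engaged with the embedded training page
    last_training: Optional[date]  # most recent annual training completed before `sent`


def _d(s: str) -> date:
    return date.fromisoformat(s)


# Constructed sample: five hypothetical users across three hypothetical campaigns.
SAMPLE: List[SimResult] = [
    SimResult("alice", "c1", _d("2024-03-01"), True,  True,  _d("2024-02-15")),
    SimResult("bob",   "c1", _d("2024-03-01"), False, False, _d("2023-05-01")),
    SimResult("carol", "c1", _d("2024-03-01"), True,  False, None),
    SimResult("dave",  "c1", _d("2024-03-01"), False, False, _d("2024-02-01")),
    SimResult("erin",  "c1", _d("2024-03-01"), True,  True,  _d("2023-11-01")),
    SimResult("alice", "c2", _d("2024-06-01"), False, False, _d("2024-02-15")),
    SimResult("bob",   "c2", _d("2024-06-01"), True,  False, _d("2023-05-01")),
    SimResult("carol", "c2", _d("2024-06-01"), True,  True,  None),
    SimResult("dave",  "c2", _d("2024-06-01"), True,  False, _d("2024-05-20")),
    SimResult("erin",  "c2", _d("2024-06-01"), False, False, _d("2023-11-01")),
    SimResult("alice", "c3", _d("2024-09-01"), False, False, _d("2024-08-20")),
    SimResult("bob",   "c3", _d("2024-09-01"), True,  True,  _d("2023-05-01")),
    SimResult("carol", "c3", _d("2024-09-01"), False, False, None),
    SimResult("dave",  "c3", _d("2024-09-01"), False, False, _d("2024-05-20")),
    SimResult("erin",  "c3", _d("2024-09-01"), True,  False, _d("2024-08-01")),
]


def click_rate(results: List[SimResult]) -> float:
    """Overall fraction of lures that were clicked (the program's failure rate)."""
    return sum(r.clicked for r in results) / len(results)


def click_rate_by_campaign(results: List[SimResult]) -> Dict[str, float]:
    """Failure rate per campaign, to see whether the trend moves over time."""
    sent: Dict[str, int] = defaultdict(int)
    clicked: Dict[str, int] = defaultdict(int)
    for r in results:
        sent[r.campaign] += 1
        clicked[r.campaign] += int(r.clicked)
    return {c: clicked[c] / sent[c] for c in sent}


def embedded_training_engagement(results: List[SimResult]) -> float:
    """Of the users who clicked, the fraction that engaged with the training page."""
    clickers = [r for r in results if r.clicked]
    if not clickers:
        return 0.0
    return sum(r.training_opened for r in clickers) / len(clickers)


def repeat_clickers(results: List[SimResult], min_campaigns: int = 2) -> Set[str]:
    """Users who clicked in at least `min_campaigns` distinct campaigns."""
    hits: Dict[str, Set[str]] = defaultdict(set)
    for r in results:
        if r.clicked:
            hits[r.user].add(r.campaign)
    return {u for u, camps in hits.items() if len(camps) >= min_campaigns}


def click_rate_by_training_recency(results: List[SimResult],
                                   recent_days: int = 90) -> Dict[str, float]:
    """Click rate bucketed by how fresh the user's training was at send time.

    Mirrors the study's comparison of just-trained vs. long-ago-trained users.
    Buckets: "recent" (within recent_days), "stale" (older), "never" (no record).
    """
    buckets: Dict[str, List[int]] = defaultdict(lambda: [0, 0])  # [exposures, clicks]
    for r in results:
        if r.last_training is None:
            b = "never"
        elif (r.sent - r.last_training).days <= recent_days:
            b = "recent"
        else:
            b = "stale"
        buckets[b][0] += 1
        buckets[b][1] += int(r.clicked)
    return {b: clicks / n for b, (n, clicks) in buckets.items()}


def training_completion_rate(results: List[SimResult], as_of: date,
                             window_days: int = 365) -> float:
    """Fraction of distinct users whose latest training falls within the window."""
    latest: Dict[str, date] = {}
    for r in results:
        if r.last_training and (r.user not in latest or r.last_training > latest[r.user]):
            latest[r.user] = r.last_training
    users = {r.user for r in results}
    done = sum(1 for u in users if u in latest and (as_of - latest[u]).days <= window_days)
    return done / len(users)


if __name__ == "__main__":
    print("click rate:", round(click_rate(SAMPLE), 3))
    print("by campaign:", click_rate_by_campaign(SAMPLE))
    print("embedded training engagement:", embedded_training_engagement(SAMPLE))
    print("repeat clickers:", sorted(repeat_clickers(SAMPLE)))
    print("by training recency:", click_rate_by_training_recency(SAMPLE))
    print("completion (last 365d):", training_completion_rate(SAMPLE, SAMPLE[-1].sent))
```

In practice the `SimResult` rows come from joining the simulation platform's export with the learning-management system's completion log; the join on training date is what makes the recency comparison possible at all, and it is the metric most programs never compute. If `click_rate_by_training_recency` shows no gap between the "recent" and "stale" buckets, that is the same signal the UCSD Health study reported, and it is worth more than a completion percentage.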

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4071289/what-to-consider-to-make-your-enterprise-phishing-training-effective.html
