Study shows mandatory cybersecurity courses do not stop phishing attacks

Skye Jacobs

Facepalm: A new study of nearly 20,000 employees at UC San Diego Health raises questions about one of corporate America's most common defenses against cybercrime: mandatory phishing awareness training. Despite a broad push among companies and government agencies to educate workers on spotting online scams, the research suggests these programs may have little to no effect in preventing employees from falling for phishing attacks.

The eight-month study, conducted in 2023, involved 10 simulated phishing campaigns targeting staff across the California health system. Researchers sought to determine whether the standard annual training, widely used across industries, enhanced employees' ability to identify and avoid malicious emails. Instead of showing a gradual decline in attentiveness over time, as the researchers had expected, the results revealed no significant difference in failure rates, regardless of when workers last underwent training.

"That suggests the mandatory cyber awareness training did not provide beneficial security knowledge to users," Grant Ho, an assistant professor at the University of Chicago and a co-author of the study, told The Wall Street Journal.

The researchers found that employees who completed any form of training performed only marginally better than those who received none, with average failure rates reduced by just 1.7 percent. The consistency of failure rates, even immediately after training sessions, suggested that the programs had little impact on changing employee behavior.

Ho said there may be several reasons for the disappointing results. The material might be too generic, poorly designed, or presented in a format – typically a required online module – that employees are unlikely to absorb; many just tuned it out. Data showed that during simulated training sessions, employees spent less than a minute engaging with the material in more than three-quarters of cases. In 37 to 51 percent of sessions, employees closed the training page immediately. "A lot of times when employees click on a training module, one possible reason they leave immediately is because they are checking email or on the web for another purpose," Ho said.

To test whether different training styles were more effective, the study divided employees into multiple groups after each phishing simulation. Some were given general cybersecurity tips, while others received interactive Q&A modules, detailed briefings on the attack they had just encountered, or a combination of both. A separate control group of employees received no follow-up training.

The findings showed that interactive Q&A lessons provided the most measurable benefit, but only if staff members completed them. Although completion rates were low, employees who finished the interactive training were 19 percent less likely to fall for a phishing email. Still, because so few workers participated fully, the effectiveness of the program across the workforce remained negligible. Researchers noted that those who complete training may already be more conscientious, raising the possibility that personality traits, rather than the material itself, explain the difference.

Phishing remains one of the most common and damaging forms of cyberattack. Employees who click on fraudulent links or attachments can expose entire networks to intrusion. However, this study suggests that relying solely on human awareness training leaves organizations vulnerable.

Ho and his co-authors argue that companies should not abandon training altogether, but rather consider it one part of a broader defensive strategy. They suggest that automated tools capable of identifying and blocking suspicious messages before they reach inboxes are a more reliable safeguard.

"Training as it is commonly deployed," Ho said, "does not provide sufficient protection from phishing on its own."

We should study those who conducted this study, to see how they managed to do everything wrong.

We've seen a significant decline in people falling for phishing emails since we implemented mandatory training. Perhaps the problem here is UC San Diego Health?

"The material might be too generic, poorly designed, or presented in a format – typically a required online module – that employees are unlikely to absorb; many just tuned it out."

Ahhh, there it is. So the training is not useless, the employees are too lazy to take training seriously. This is not a training problem, this is a personnel problem. See, we punish people who fall for phishing emails after they receive training, so the employees actually take it seriously. Funny how that works....
 

…the employees are too lazy to take training seriously. This is not a training problem, this is a personnel problem. See, we punish people who fall for phishing emails after they receive training, so the employees actually take it seriously. Funny how that works....

100% this. Tie security training to employee performance reviews. What a bloated waste of money this “research” was if that’s the best analysis recommendation they can come up with.
 
There was a time in my life when I managed the IT department. Gen-X consistently needed the least help with things like this. I imagine that still holds true?
 
This basically confirms what everyone suspected... clicking through a 15-minute slideshow once a year isn’t going to magically turn Karen from accounting into a cybersecurity expert.
 
When I was serving in the Army, we had safety briefs every Friday, yet we still got at least two DUIs each month. At this point in my career, I can confidently say that in any organization with more than three people, someone is going to screw up—regardless of the preventive measures in place.
 
The company should hire someone to do phishing attacks on itself. Those that fall for the attacks have to go on mandatory lunchtime courses. Those that report the attacks should get some minor reward. If people repeatedly fall for these phishing attacks (and their permissions pose a risk) then their roles need to be reassessed.
 
We should study those who conducted this study, to see how they managed to do everything wrong.

We've seen a significant decline in people falling for phishing emails since we implemented mandatory training. Perhaps the problem here is UC San Diego Health?

"The material might be too generic, poorly designed, or presented in a format – typically a required online module – that employees are unlikely to absorb; many just tuned it out."

Ahhh, there it is. So the training is not useless, the employees are too lazy to take training seriously. This is not a training problem, this is a personnel problem. See, we punish people who fall for phishing emails after they receive training, so the employees actually take it seriously. Funny how that works....

Yup. Automated phishing campaigns go out weekly. You fall for it, you take your training again. After you take that training 4-5 times, you stop falling for it or face further disciplinary action. We do the same thing.

It will never stop 100% of it. An online module alone is useless. Click next, next, next, complete module. Learned nothing except how to click next.
 
The training is step one.
Firing people who still click is step two.
Step two is unpleasant, but so very crucial.

The only phishing e-mails I get on the job are from the IT department. I'm tempted to click on them just for fun... If I sent out phishing e-mails company-wide, I would be fired. Why do they get to have all the fun?
 
There is NO single thing that can stop phishing. It takes tools and education together.

Example... You can implement MFA, but if you don't educate users they will still approve MFA logins that they did not initiate.
 
There is NO single thing that can stop phishing. It takes tools and education together.

Example... You can implement MFA, but if you don't educate users they will still approve MFA logins that they did not initiate.

Hence how Uber got hacked: MFA fatigue.
 
"The material might be too generic, poorly designed, or presented in a format – typically a required online module – that employees are unlikely to absorb; many just tuned it out."

Yup. A lot depends on the presentation and format. And the presenter themselves of course. I refused to hold these trainings online, everyone was required to actually come in. I'm not interested in peeps tuning in just to be included in the attendance report and do their laundry during the session. Totally pointless.

I'm not a fool, I'm perfectly aware that 99% of people truly HATE to dedicate time to a training about security. No one cares, it's a burden for them and nothing else. It's unreasonable to expect any kind of online MANDATORY training to achieve anything.
 
Ahhh, there it is. So the training is not useless, the employees are too lazy to take training seriously. This is not a training problem, this is a personnel problem. See, we punish people who fall for phishing emails after they receive training, so the employees actually take it seriously. Funny how that works....

Have you considered that your attitude may be part of the problem?
"No no, our training is not designed in a bad and boring way, it is the trainee's problem, being forced to sit through the same shitshow on a yearly basis while probably under time pressure to get actual work done. You won't take the crap we throw at you? Bad luck, here comes punishment, bow down to your masters and eat the crap we feed you."
I work in IT myself and am painfully forced through these ridiculous trainings myself; trust me, I can't listen to it for longer than 30 seconds myself.


 
My global company had frequent mandatory phishing awareness training classes! The company even sent out test phishing emails! I heard if you clicked the link in the message without reporting it you had to go through retraining; if you did it again you lost your internet privileges for a month, and a third time would get you fired! 😲 I never had a problem recognizing the test messages, but I heard an older lady who had been with the company for 18 years was forced to retire because she kept clicking the links in the test messages! 😢
 