
Cybersecurity study finds phishing training has little impact on employees

by HR News Canada Staff

Most corporate cybersecurity training does little to stop workers from falling for phishing scams, according to a large-scale study involving 19,500 employees at UC San Diego Health.

Researchers ran a randomized controlled trial over eight months, sending 10 types of phishing emails to staff. The study compared two training approaches: annual mandatory courses and “embedded” training that appears after an employee clicks on a simulated phishing link.

The results, presented at the Black Hat conference in Las Vegas and earlier at the IEEE Symposium on Security and Privacy, showed minimal impact from either method.

“There was no significant relationship between whether users had recently completed an annual, mandated cybersecurity training and the likelihood of falling for phishing emails,” the researchers said.

For embedded training, the difference in failure rates between employees who completed the training and those who did not was extremely small.

Low engagement with training materials

One reason for the lack of effectiveness is that most staff spent little or no time reviewing the follow-up material, said co-author Grant Ho, a faculty member at the University of Chicago who did some of the work while a postdoctoral researcher at UC San Diego.

Overall, 75 per cent of participants spent less than a minute on the embedded materials, and one-third closed the page immediately.

“This does lend some suggestion that these trainings, in their current form, are not effective,” said co-author Ariana Mirian, who worked on the project while completing a Ph.D. in computer science at UC San Diego.

Failure rates rose over time

The cumulative share of employees who had clicked on at least one simulated phishing link kept rising as the months went on. In the first month, about 10 per cent were fooled; by the eighth month more than half had clicked on at least one link.

Some phishing messages were more convincing than others. Only 1.82 per cent of staff clicked on an email asking them to update their Outlook password. But nearly one in three clicked on a link claiming to update the health system’s vacation policy.

Recommendations for employers

Given the limited success of training, the researchers suggested organizations shift their focus to technical defences. Measures such as two-factor authentication and password managers that validate website domains would provide better protection and return on investment, they said.
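The domain-validation point deserves a concrete illustration. The following is an added example written for this article, not code from the study, from UC San Diego Health or from any real password manager. It assumes a constructed vault with one credential saved on the hypothetical origin https://login.example.com, and it applies the rule that domain-aware managers and WebAuthn both rely on: a credential is bound to the exact origin it was saved on and is never offered to another host, no matter how similar that host looks to a human. A vacation-policy lure or a fake Outlook password page lives on some other origin, so the manager simply has nothing to fill, regardless of whether the employee was trained.

```python
"""Added illustration of origin-bound credential autofill.

Example code for this article only. VAULT and every URL below are constructed;
example.com stands in for a legitimate organisation domain. The matching rule
(exact scheme + host + port) is the generic one, not any vendor's implementation.
"""
from typing import Optional
from urllib.parse import urlsplit

# Constructed vault: the user saved one credential on the real login page.
VAULT = {
    "https://login.example.com": {"username": "jdoe", "password": "correct horse"},
}


def normalize_origin(url: str) -> Optional[str]:
    """Return scheme://host[:port] for url, or None if it is not a web origin.

    The host is lowercased and IDNA-encoded so that a homograph such as
    'exаmple.com' (Cyrillic 'а') compares as its punycode form rather than
    as a string that merely looks identical to the saved host.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        host = parts.hostname.encode("idna").decode("ascii").lower()
        port = parts.port  # raises ValueError on a malformed port
    except (UnicodeError, ValueError):
        return None
    origin = f"{parts.scheme}://{host}"
    if port is not None:
        origin += f":{port}"
    return origin


def credential_for(page_url: str) -> Optional[dict]:
    """Autofill decision: only an exact-origin match yields a credential.

    Consequently the manager declines to fill on:
      * a different registrable domain, including 'login.example.com.evil.tld'
        (the saved host is only a prefix; the origin belongs to evil.tld)
      * typosquats such as 'examp1e.com'
      * an http:// page when the credential was saved under https:// (downgrade)
      * a different port on the real host
      * homograph hosts, which normalise to a different punycode name
    """
    origin = normalize_origin(page_url)
    if origin is None:
        return None
    return VAULT.get(origin)


def phishing_verdicts(urls: list) -> dict:
    """Map each candidate page URL to whether a credential would be filled."""
    return {u: credential_for(u) is not None for u in urls}


if __name__ == "__main__":
    # Constructed lures modelled on the kinds used in the study.
    samples = [
        "https://login.example.com/auth?next=/inbox",      # genuine page
        "https://login.example.com.evil.tld/outlook",      # 'update your Outlook password'
        "https://hr.examp1e.com/vacation-policy",          # 'updated vacation policy'
        "http://login.example.com/",                       # TLS downgrade
        "https://login.ex\u0430mple.com/",                 # Cyrillic homograph
    ]
    for url, filled in phishing_verdicts(samples).items():
        print(f"{'FILL   ' if filled else 'NO FILL'} {url}")
```

The same origin binding is what makes FIDO2/WebAuthn second factors phishing-resistant where SMS or app codes are not: the browser ties the assertion to the origin it was registered on, so a code or signature cannot be relayed from a lookalike site. A password manager that validates domains gives ordinary passwords a weaker but still useful version of that property.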

The study was supported by the University of California’s “Be Smart About Safety” program, the U.S. National Science Foundation, and other academic and industry partners.

For more information, see https://today.ucsd.edu/story/cybersecurity-training-programs-dont-prevent-employees-from-falling-for-phishing-scams
