Why You May Want to Cut Bait on Some of That Anti-Phishing Training

SAN DIEGO–Has your credit union or organization spent significant time and training to keep employees from clicking on bad links and being phished? A new study suggests that the time and trouble may not be all that effective. 

The study involved nearly 20,000 employees at UC San Diego Health, a large California healthcare provider, and 10 simulated phishing attacks carried out against those employees over eight months between January and October 2023. UC San Diego Health uses the same cybersecurity-training programs as many organizations around the country, according to Computer.org.

To gauge the effectiveness of the annual training, the study’s 10 authors looked to see whether there was a relationship between failure rates and how recently an employee had taken the training.

“Previous studies have shown that people’s security knowledge improves after taking training, but it fades after a few months,” Computer.org reported. “Given that, the researchers assumed that participants’ performance on the simulated phishing attacks should follow the same pattern: They should be more likely to fall for the attacks as time passes since they had the training. But in fact, they found that the failure rate stayed pretty much the same no matter how long ago they had the training.”

‘Did Not Provide Knowledge’

“That suggests the mandatory cyber awareness training did not provide beneficial security knowledge to users,” Grant Ho, an assistant professor at the University of Chicago and one of the paper’s co-authors, told Computer.org. “The training might be ineffective for a lot of reasons.”
The authors of the study added that an issue could be that the “content might simply be bad or something all users already know; it could be that the way it communicates or tries to teach the material is ineffective; or it could be that the mandatory online format is something that users inherently will not learn from.” 

Different Types of Training

According to the report, to measure the effectiveness of different methods of cybersecurity training, the authors divided employees into four groups. 

“After each attack, each group received a different training method: one received generic tips about avoiding phishing attacks, a second received an interactive Q&A on cybersecurity, a third was informed about the specific methods used in the most recent attack, and the fourth received an interactive Q&A that also included details about the most recent attack,” the authors explained.

A fifth group was also created, and the employees in that group received no training.

‘Didn’t Engage’

“The authors found that on average, employees who received training of any sort had only a 1.7% lower failure rate than employees who had no training,” Computer.org stated. “One reason why the training had so little effect, the authors believe, is that most employees didn’t engage with the training material presented. When employees were directed to a training page they often ignored it. Employees spent less than one minute on the training page for over 75% of the sessions. And many employees closed the page immediately. That happened between 37% and 51% of the time in all four types of training.”

“A lot of times when employees click on a training module, one possible reason they leave immediately is because they are checking email or on the web for another purpose,” Ho told Computer.org.

Most Effective, But…

According to the authors, training that included an interactive Q&A had more of an effect than other types, but only when the employee completed the Q&A module—and that hardly ever happened. 

The study found the employees who completed the interactive Q&A were 19% less likely to fail future phishing simulations compared with users who received the interactive training but did not complete any of the sessions. 

‘Underlying Character Difference’

“But the authors propose there could be an underlying character difference between employees who chose to complete the training entirely and those who did not,” Computer.org reported.

The study’s takeaway for organizations, Ho told Computer.org, is to rely on measures other than training, such as phishing-detection software that removes the need for employees to spot phishing attacks themselves.
