Understanding the Efficacy of Phishing Training in Practice [pdf]

2 zdw 2 8/17/2025, 3:06:38 PM arianamirian.com

Comments (2)

entuno · 2h ago
Our results suggest that these efforts offer limited value.

First, we find no significant relationship between whether users have recently completed cybersecurity awareness training and their likelihood of failing a phishing simulation.

Second, when evaluating recipients of embedded phishing training, we find that the absolute difference in failure rates between trained and untrained users is extremely low across a variety of training content.

Third, we observe that most users spend minimal time interacting with embedded phishing training material in-the-wild; and that for specific types of training content, users who receive and complete more instances of the training can have an increased likelihood of failing subsequent phishing simulations.

Taken together, our results suggest that anti-phishing training programs, in their current and commonly deployed forms, are unlikely to offer significant practical value in reducing phishing risks.

I've long been of the view that most of the "phishing training" that gets sold to companies is largely snake oil with very little benefit, and is essentially a compliance-driven waste of money. It's nice to see a study supporting this view.
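
The findings quoted above turn on two statistical questions a practitioner running their own simulations has to answer: is the gap between trained and untrained failure rates distinguishable from noise, and how many recipients would it take to detect a gap as small as the one the study reports? The following is an added example, not code from the paper or from anyone in this thread: a two-proportion z-test on one simulation's failure counts plus a power-based sample-size estimate. The counts (2,000 recipients per group, 90 vs. 100 failures) are constructed for illustration and are not results from the study.

```python
"""Evaluate a phishing simulation: trained vs. untrained failure rates.

Added example (not from the paper or the thread). Uses only the standard
library; the normal-tail p-value comes from math.erfc.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Group:
    name: str
    n: int        # recipients of the simulation
    failed: int   # recipients who clicked / submitted credentials

    def __post_init__(self) -> None:
        if self.n <= 0 or not 0 <= self.failed <= self.n:
            raise ValueError(f"bad counts for {self.name}: {self.failed}/{self.n}")

    @property
    def rate(self) -> float:
        return self.failed / self.n


Z_975 = 1.959963984540054   # two-sided 95% critical value
Z_80 = 0.8416212335729143   # one-sided z for 80% power


def two_proportion_test(a: Group, b: Group) -> dict:
    """Absolute difference a.rate - b.rate, 95% Wald CI, two-sided z-test p."""
    p1, p2 = a.rate, b.rate
    diff = p1 - p2
    # Pooled proportion under H0 (no difference) for the test statistic.
    pooled = (a.failed + b.failed) / (a.n + b.n)
    se0 = math.sqrt(pooled * (1 - pooled) * (1 / a.n + 1 / b.n))
    z = diff / se0 if se0 > 0 else 0.0
    p_value = math.erfc(abs(z) / math.sqrt(2))   # = 2 * (1 - Phi(|z|))
    # Unpooled standard error for the confidence interval on the difference.
    se = math.sqrt(p1 * (1 - p1) / a.n + p2 * (1 - p2) / b.n)
    return {
        "rate_a": p1,
        "rate_b": p2,
        "diff": diff,
        "ci_low": diff - Z_975 * se,
        "ci_high": diff + Z_975 * se,
        "z": z,
        "p_value": p_value,
        "significant_at_5pct": p_value < 0.05,
    }


def required_n_per_group(p1: float, p2: float) -> int:
    """Recipients per group to detect |p1 - p2| at alpha=0.05, power=0.80."""
    if p1 == p2:
        raise ValueError("no difference to detect")
    variance_sum = p1 * (1 - p1) + p2 * (1 - p2)
    return math.ceil((Z_975 + Z_80) ** 2 * variance_sum / (p1 - p2) ** 2)


# Constructed sample counts (illustration only, not data from the study).
TRAINED = Group("recently trained", n=2000, failed=90)     # 4.5% failure
UNTRAINED = Group("not trained", n=2000, failed=100)        # 5.0% failure


if __name__ == "__main__":
    r = two_proportion_test(TRAINED, UNTRAINED)
    print(f"trained {r['rate_a']:.3%} vs untrained {r['rate_b']:.3%}")
    print(f"difference {r['diff']:+.3%} "
          f"(95% CI {r['ci_low']:+.3%} .. {r['ci_high']:+.3%}), "
          f"z={r['z']:.2f}, p={r['p_value']:.3f}")
    print("per-group recipients needed to detect that 0.5-point gap:",
          required_n_per_group(0.05, 0.045))
```

With these numbers the half-point gap is nowhere near significant (p is about 0.46 and the interval comfortably spans zero), and detecting a gap that small with 80% power would need roughly 28,000 recipients in each arm. That is the practical check to run before crediting a training program with a change in click rate: if your simulation population is a few thousand people, a difference of a fraction of a percentage point is indistinguishable from sampling noise.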

ericalexander0 · 3h ago
Security people will argue forever “defense in depth” this, “real world doesn’t match the study” that. Yawn.

Here’s the hard truth: cybersecurity today is basically fashion. It’s not science, it’s herd behavior. The industry is still running on the “nobody gets fired for buying IBM” mentality. Careers aren’t built on being right, they’re built on chasing whatever tool is trending on LinkedIn this quarter.

If studies like this mattered, then the security community would have paid attention to this study long ago:

https://er.educause.edu/articles/2005/1/fostering-email-secu...