Phishing awareness training is now commonly used by organizations to protect themselves from phishing scams, but its effectiveness depends on the approach taken.
Recent research has suggested that some phishing training leaves employees feeling overly confident in spotting security threats, in particular the phishing threat in business emails. However, when done correctly, a security culture program should result in employees that have an improved likelihood of identifying and treating phishing scams appropriately.
MWR’s phishd has found that using a traditional approach designed simply to raise awareness of phishing (typically a 30-60 minute web-based training course covering a wide range of security topics) has no meaningful impact on employees’ behavior. Far from creating overly confident employees, this approach in fact often fails to change employee security behavior at all.
In contrast, a security culture program that consists of a wide range of elements (of which simulated phishing campaigns and point-in-time education form just a small part) has proven to be successful in improving employee security behavior. Our metrics show an average reduction in susceptibility to phishing from upwards of 60% in some organizations to below 5% over 12 months.
Indeed, these figures suggest that the idea of a well-rounded approach to security training producing overly confident employees who create security risks is either incorrect, or that any such effect is significantly outweighed by the net reduction in risk that such an approach delivers.
The only notable exception is IT departments, where there is a tendency towards overconfidence; this stems from the technical ability of employees in such departments rather than from any security awareness or behavior training they might have been through.