In a scientific study involving thousands of test subjects, eight months and four different kinds of phishing training, the average improvement rate of falling for phishing scams was a whopping 1.7%.
“Is all of this focus on training worth the outcome?” asked researcher Ariana Mirian, a senior security researcher at Censys and recently a Ph.D. student at U.C. San Diego, where the study was conducted. “Training barely works.”
[…]
Dameff and Mirian wanted scientifically rigorous, real-world results. (You can read their academic paper here.) They enrolled more than 19,000 employees of the UCSD Health system and randomly split them into five groups, each member of which would see something different when they failed a phishing test randomly sent once a month to their workplace email accounts.
- Control: Its members got a 404 error if they clicked on a phishing link in the body of the email.
- Generic static: This group saw a static webpage containing general information about avoiding phishing scams.
- Generic interactive: This group was walked through an interactive question-and-answer exercise.
- Contextual static: A static webpage again, but this time showing the exact phishing lure the subject had received and pointing out the warning signs that were missed.
- Contextual interactive: An interactive Q&A session that walked the subject on what they missed in the specific lure they’d received.
Over the eight months of testing, however, there was little difference in improvement among the four groups that received different kinds of training. Those groups did improve a bit over the control group’s performance — by the aforementioned 1.7%.
Not what was expected
However, there were some lessons learned — not all expected. The first was that it helped a lot to change up the phishing lures. Most subjects saw right through a phishing email that urged the recipients to change their Outlook account passwords, resulting in failure rates between 1% and 4%.
But about 30% of users clicked on a link promising information about a change in the organization’s vacation policy. Almost as many fell for one about a change in workplace dress code.
“Whoever controls the lures controls the failure rates,” said Mirian. “It’s important to have different lures in your phishing training.”
Another lesson was that given enough time, almost everyone falls for a phishing email. Over the eight months of the experiment, just over 50% failed at least once.
“Given enough time, most people get pwned,” said Mirian. “We need to stop punishing people who fail phishing tests. You’d end up punishing half the company.”
[…]
Source: Phishing training is pretty pointless, researchers find | SC Media
And for a more guerrilla approach, you may want to look at this:
Robin Edgar
Organisational Structures | Technology and Science | Military, IT and Lifestyle consultancy | Social, Broadcast & Cross Media | Flying aircraft