Research: Awareness Training Shows Common Failures

Employees are still highly vulnerable to phishing scams despite repeated awareness efforts.

A new academic study has raised fresh doubts over the effectiveness of cybersecurity awareness training.

Researchers from UC San Diego, the University of Chicago and UC San Diego Health conducted ten simulated phishing campaigns over an eight-month period, targeting more than 19,500 staff at a major U.S. healthcare organisation, Cybernews reports.

They found no improvement in click rates over time. More than half of the employees (56%) clicked at least one malicious link during the trials, while more than a quarter failed at least twice. Nearly ten percent failed three or more times, and one user clicked on all ten phishing messages.

Among the most convincing lures were emails on everyday workplace issues, including vacation policies, dress codes, and traffic tickets, with one “vacation policy” message successfully deceiving 30.8% of recipients.

Perhaps most concerning for security leaders, the study found that traditional classroom-style or static awareness training had little measurable effect on user behaviour. In some cases, employees who had received repeated training were more likely to fail phishing tests.

The only modest improvement came from “embedded training,” where employees were immediately shown an educational page after clicking a phishing link, which reduced future failures by just 1.7%. The researchers concluded that current approaches are failing to change risky user behaviour, leaving organisations exposed to one of the most common and damaging forms of cyber-attack.

Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.
