{"id":14966,"date":"2025-10-16T07:04:21","date_gmt":"2025-10-16T07:04:21","guid":{"rendered":"https:\/\/newestek.com\/?p=14966"},"modified":"2025-10-16T07:04:21","modified_gmt":"2025-10-16T07:04:21","slug":"phishing-training-needs-a-new-hook-heres-how-to-rethink-your-approach","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=14966","title":{"rendered":"Phishing training needs a new hook \u2014 here\u2019s how to rethink your approach"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>Phishing is a tried-and-true attack vector. These attacks account for <a href=\"https:\/\/www.ibm.com\/think\/topics\/phishing\">15% of all data breaches<\/a>, according to IBM. Security leaders are well aware of the risks, and it is standard for enterprises to put their employees through some kind of phishing training. But that training doesn\u2019t seem to be making users, and by extension their employers, any less vulnerable.<\/p>\n<p>\u201cEven though we see higher levels of awareness of the risks and danger, we still see increasing numbers of successful attacks,\u201d says Naama Ilany-Tzur, assistant teaching professor, information systems at Carnegie Mellon University.<\/p>\n<p>Simply looking at the volume of phishing attacks will tell you that something else has to be done. Plus, there is mounting research that shows just how ineffective phishing training is. Where does that leave security leaders who are often the ones in charge of leading these training programs? 
They need to evaluate their enterprises\u2019 current phishing training strategies, consider the potential gaps and explore ways to change their approach.<\/p>\n<h2 class=\"wp-block-heading\" id=\"common-approaches-to-phishing-training\">Common approaches to phishing training<\/h2>\n<p>Annual cybersecurity training is a natural place for phishing awareness. After all, it is one of many attack vectors that busy workers need to know about.<\/p>\n<p>\u201cThe phishing training I have taken over years has always been part of general security awareness training,\u201d says Jason Oksenhendler, cybersecurity director with advisory firm Baker Tilly. \u201cIt\u2019s once a year through a learning management system. Some people pay attention to it, some people don\u2019t.\u201d<\/p>\n<p>Many enterprises also rely on embedded phishing training. An employee engages with a simulated phishing lure, like opening an email, and they are redirected to a webpage that offers information and perhaps a quiz on phishing.<\/p>\n<p>It makes sense that these two approaches are widely used. Companies want to raise awareness of common cybersecurity issues, and embedded training is a point-in-time intervention. So, what\u2019s the problem?<\/p>\n<h2 class=\"wp-block-heading\" id=\"phishing-training-offers-minimal-benefits\">Phishing training offers minimal benefits<\/h2>\n<p><a>Grant Ho, assistant professor of computer science at The University of Chicago <\/a><a href=\"https:\/\/people.cs.uchicago.edu\/~grantho\/papers\/oakland2025_phishing-training.pdf\">collaborated<\/a> with UC San Diego and UC San Diego Health to evaluate the efficacy of annual training and embedded phishing training. In their research, they analyzed how approximately 20,000 employees at UCSD Health handled simulated phishing campaigns across eight months. 
They found no evidence that annual cybersecurity training improves employees\u2019 phishing failure rates.<\/p>\n<p>\u201cWe basically found there was no difference in the user\u2019s susceptibility to phishing for people who had just completed their training versus people who had completed the training a long time ago,\u201d says Ho.<\/p>\n<p>The results for embedded training were little better. The researchers found that 37% to 51% of training sessions get no user engagement. They simply close the page. \u201cOur results suggest that training as it\u2019s currently deployed today is definitely by itself going to be insufficient for protecting others against phishing and may not yield the benefits that people are maybe conceiving or expecting it to produce,\u201d says Ho.<\/p>\n<p>Why is training so ineffective? User engagement and user behavior are big pieces of the puzzle. People often do not engage in the training, and even when they do, they don\u2019t have great information retention.<\/p>\n<p>\u201cTraining is just another thing to put on the to-do list that\u2019s not billable,\u201d Oksenhendler points out.<\/p>\n<p>People know about phishing. They know how much damage these attacks can cause. But they are busy managing their own workloads. Training as it exists today is something that they can either ignore or rush through to check off their list. Imagine all the employees inundated with their own work and relentless phishing attacks. All it takes is one distracted click.<\/p>\n<p>\u201cCyber training fatigue continues to exist,\u201d says Chiranjeev \u201cCJ\u201d Bordoloi, director and cofounder of the National Cybersecurity Society (NCSS). \u201cWhen you have fatigue, that usually leads to apathy.\u201d<\/p>\n<h2 class=\"wp-block-heading\" id=\"how-security-leaders-can-rethink-phishing-training\">How security leaders can rethink phishing training<\/h2>\n<p>If training was lagging before, it risks falling even further behind as threats evolve. 
<a href=\"https:\/\/www.csoonline.com\/article\/3478025\/genai-is-powering-the-latest-surge-in-modern-email-threats.html\">Phishing is only getting better<\/a> with generative AI in the mix. Security leaders have their work cut out for them. Training needs to evolve, and it is just one piece in a much bigger, cultural puzzle.<\/p>\n<p>\u201cIf the C-suite and leadership are not security culture-minded, then it\u2019s not going to be a problem until they\u2019re on the cover of the Washington Post or they have to pay a massive fine to somebody,\u201d says Oksenhendler.<\/p>\n<p>Taking any element of cybersecurity, training or otherwise, from a check-the-box approach to an integrated cultural value is a significant lift. Getting better at stopping phishing attacks isn\u2019t just about getting more dollars and buy-in at the top. It is also about changing the behavior of individual users, which is arguably more difficult.<\/p>\n<p>\u201cUser behavior is not technical at all. User behavior is prehistoric,\u201d says Bordoloi. \u201cYou can\u2019t really change user behavior with one training session.\u201d<\/p>\n<p>Ilany-Tzur conducted a <a href=\"https:\/\/www.sciencedirect.com\/science\/article\/pii\/S0268401225000519\">study<\/a> that offers insight into user behavior and their vulnerability to phishing attacks. This research reveals that the type of device plays a role in user behavior; PC users are more likely to make risky clicking choices than mobile users. Understanding how user behavior varies across different devices could help security leaders make more nuanced decisions regarding training and other phishing protection measures.<\/p>\n<p>Right now, there is no one answer that unlocks the door to the most effective phishing training program. But the experts are looking. Ilany-Tzur is interested in a behavioral perspective. 
\u201cA key interesting question is: What is the exact psychological mechanism, the design of the alternative, that will encourage people to avoid those risks?\u201d she asks.<\/p>\n<p>She points to the System 1 and System 2 models of thinking described by psychologist Daniel Kahneman, the former referring to automatic and emotional thinking and the latter to rational, considered thinking. \u201cIt\u2019s about this automatic mindset and System 1 behavior,\u201d says Ilany-Tzur. \u201cHow can we train users\u2019 automatic reactions to be the right ones (i.e., not clicking that suspicious link)?\u201d<\/p>\n<p>The answer to that question is an open-ended one. Ilany-Tzur argues that users need to learn an easy set of behaviors they can rely on following an attempted phishing attack. \u201cWhat should I do in this at this point? Who should I contact? What is the hotline to report it? What is the behavior?\u201d she says. \u201cI\u2019m aware of the risk, but what are my easy go-to actions to deal with an attack?\u201d<\/p>\n<p>Rewriting human behavior is a huge mountain to scale. Security leaders don\u2019t need to grab their climbing gear, but that doesn\u2019t mean they should throw up their hands and take the attitude that some training, even if it isn\u2019t working, is better than nothing.<\/p>\n<p>Phishing training can change; there are indications that gamification of security training increases user engagement. Enterprises can make that training more interactive and sweeten the deal with incentives. \u201cYou can reward people with something as small as a gift card,\u201d says Bordoloi. \u201cIf there\u2019s a major attack that\u2019s defended against, you can even reward teams with an offsite or something fun.\u201d<\/p>\n<p>On the other side of that, there is the possibility of instituting penalties for repeat failure to complete or pass phishing training. 
While the carrot-and-stick approach has its appeal, it is also important for security leaders to assess the actual value of their training approaches. It doesn\u2019t make much sense to punish or reward people for engaging with a training program that isn\u2019t even effective in the first place.<\/p>\n<p>Is a training program meeting people where they are? Does it cater to different styles of learning? Does it consider the proliferation of work-from-home and hybrid employment models?<\/p>\n<h2 class=\"wp-block-heading\" id=\"the-work-does-not-stop-when-the-training-is-done\">The work does not stop when the training is done<\/h2>\n<p>The ultimate question, \u201cIs my phishing training program working?\u201d, should have an actual answer, or at least there should be an effort to answer it. There are metrics to look at. Are people completing the training? How many people are failing? Are the same people failing repeatedly? How many real-world phishing attempts has an organization successfully stopped, or not?<\/p>\n<p>Understanding what works and what doesn\u2019t for these training programs is an ongoing process, and one that appears to need a big overhaul.<\/p>\n<p>\u201cIt\u2019s going to take an outside-the-box approach. Blow up the norm, and come up with something that\u2019s creative, that meets people where they are, that is not a slog,\u201d says Oksenhendler. \u201cBut it also [should] drive home that we\u2019re serious about security, so you need to be serious about security.\u201d<\/p>\n<p>Training can always get better, but it is never going to be enough when humans, as all security leaders know, are the most vulnerable target for cyberattacks. And even the best training methods cannot stand alone.<\/p>\n<p>\u201cPhishing training, by and large, is not a very effective way to reduce an organization\u2019s susceptibility to attacks,\u201d says Ho. 
\u201cDeploy other measures, for example, two-factor authentication or phishing detection, to really protect your organization against these attacks.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Phishing is a tried-and-true attack vector. These attacks account for 15% of all data breaches, according to IBM. Security leaders are well aware of the risks, and it is standard for enterprises to put their employees through some kind of phishing training. But that training doesn\u2019t seem to be making users, and by extension their employers, any less vulnerable. \u201cEven though we see higher&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=14966\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-14966","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light 
is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14966","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=14966"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14966\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=14966"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=14966"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=14966"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}