Phishing training needs a new hook — here’s how to rethink your approach

Phishing is a tried-and-true attack vector. These attacks account for 15% of all data breaches, according to IBM. Security leaders are well aware of the risks, and it is standard for enterprises to put their employees through some kind of phishing training. But that training doesn’t seem to be making users, and by extension their employers, any less vulnerable.

“Even though we see higher levels of awareness of the risks and danger, we still see increasing numbers of successful attacks,” says Naama Ilany-Tzur, assistant teaching professor, information systems at Carnegie Mellon University.

Simply looking at the volume of phishing attacks will tell you that something else has to be done. Plus, there is mounting research that shows just how ineffective phishing training is. Where does that leave security leaders who are often the ones in charge of leading these training programs? They need to evaluate their enterprises’ current phishing training strategies, consider the potential gaps and explore ways to change their approach.

Common approaches to phishing training

Annual cybersecurity training is a natural place for phishing awareness. After all, it is one of many attack vectors that busy workers need to know about.

“The phishing training I have taken over years has always been part of general security awareness training,” says Jason Oksenhendler, cybersecurity director with advisory firm Baker Tilly. “It’s once a year through a learning management system. Some people pay attention to it, some people don’t.”

Many enterprises also rely on embedded phishing training. An employee engages with a simulated phishing lure, like opening an email, and they are redirected to a webpage that offers information and perhaps a quiz on phishing.

It makes sense that these two approaches are widely used. Companies want to raise awareness of common cybersecurity issues, and embedded training is a point-in-time intervention. So, what’s the problem?

Phishing training offers minimal benefits

Grant Ho, assistant professor of computer science at The University of Chicago, collaborated with UC San Diego and UC San Diego Health to evaluate the efficacy of annual training and embedded phishing training. In their research, they analyzed how approximately 20,000 employees at UCSD Health handled simulated phishing campaigns across eight months. They found no evidence that annual cybersecurity training improves employees’ phishing failure rates.

“We basically found there was no difference in the user’s susceptibility to phishing for people who had just completed their training versus people who had completed the training a long time ago,” says Ho.

The results for embedded training were little better. The researchers found that 37% to 51% of training sessions get no user engagement. They simply close the page. “Our results suggest that training as it’s currently deployed today is definitely by itself going to be insufficient for protecting others against phishing and may not yield the benefits that people are maybe conceiving or expecting it to produce,” says Ho.

Why is training so ineffective? User engagement and user behavior are big pieces of the puzzle. People often do not engage in the training, and even when they do, they don’t have great information retention.

“Training is just another thing to put on the to-do list that’s not billable,” Oksenhendler points out.

People know about phishing. They know how much damage these attacks can cause. But they are busy managing their own workloads. Training as it exists today is something that they can either ignore or rush through to check off their list. Imagine all the employees inundated with their own work and relentless phishing attacks. All it takes is one distracted click.

“Cyber training fatigue continues to exist,” says Chiranjeev “CJ” Bordoloi, director and cofounder of the National Cybersecurity Society (NCSS). “When you have fatigue, that usually leads to apathy.”

How security leaders can rethink phishing training

If training was lagging before, it risks falling even further behind as threats evolve. Phishing is only getting better with generative AI in the mix. Security leaders have their work cut out for them. Training needs to evolve, and it is just one piece in a much bigger, cultural puzzle.

“If the C-suite and leadership are not security culture-minded, then it’s not going to be a problem until they’re on the cover of the Washington Post or they have to pay a massive fine to somebody,” says Oksenhendler.

Taking any element of cybersecurity, training or otherwise, from a check-the-box approach to an integrated cultural value is a significant lift. Getting better at stopping phishing attacks isn’t just about getting more dollars and buy-in at the top. It is also about changing the behavior of individual users, which is arguably more difficult.

“User behavior is not technical at all. User behavior is prehistoric,” says Bordoloi. “You can’t really change user behavior with one training session.”

Ilany-Tzur conducted a study that offers insight into user behavior and users’ vulnerability to phishing attacks. This research reveals that the type of device plays a role in user behavior: PC users are more likely to make risky clicking choices than mobile users. Understanding how user behavior varies across devices could help security leaders make more nuanced decisions regarding training and other phishing protection measures.

Right now, there is no one answer that unlocks the door to the most effective phishing training program. But the experts are looking. Ilany-Tzur is interested in a behavioral perspective. “A key interesting question is: What is the exact psychological mechanism, the design of the alternative, that will encourage people to avoid those risks?” she asks.

She points to the System 1 and System 2 models of thinking described by psychologist Daniel Kahneman, the former referring to automatic and emotional thinking and the latter to rational, considered thinking. “It’s about this automatic mindset and System 1 behavior,” says Ilany-Tzur. “How can we train users’ automatic reactions to be the right ones (i.e., not clicking that suspicious link)?”

The answer to that question is an open-ended one. Ilany-Tzur argues that users need to learn an easy set of behaviors they can rely on following an attempted phishing attack. “What should I do in this at this point? Who should I contact? What is the hotline to report it? What is the behavior?” she says. “I’m aware of the risk, but what are my easy go-to actions to deal with an attack?”

Rewriting human behavior is a huge mountain to scale. Security leaders don’t need to grab their climbing gear, but that doesn’t mean they should throw up their hands and take the attitude that some training, even if it isn’t working, is better than nothing.

Phishing training can change; there are indications that gamification of security training increases user engagement. Enterprises can make that training more interactive and sweeten the deal with incentives. “You can reward people with something as small as a gift card,” says Bordoloi. “If there’s a major attack that’s defended against, you can even reward teams with an offsite or something fun.”

On the other side of that, there is the possibility of instituting penalties for repeat failure to complete or pass phishing training. While the carrot-and-stick approach has its appeal, it is also important for security leaders to recognize the value of their training approaches. It doesn’t make much sense to punish or reward people for engaging with a training program that isn’t even effective in the first place.

Is a training program meeting people where they are at? Does it cater to different styles of learning? Does it consider the proliferation of work-from-home and hybrid employment models?

The work does not stop when the training is done

The ultimate question, “Is my phishing training program working?”, should have an actual answer, or at least there should be an effort to answer it. There are metrics to look at. Are people completing the training? How many people are failing? Are the same people failing repeatedly? How many real-world phishing attempts has an organization successfully stopped, or not?
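As an added example (not from the article or the research it cites), the metrics above can be computed over simulation results: the overall failure rate, the repeat-failure cohort, and the failure rate split by how recently a user completed training, which is the comparison Ho’s study made. The record layout and the sample values are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample records (not from the article or the UCSD study):
# one row per simulated phishing email sent to a user.
# (user, campaign_id, sent_on, clicked, last_training_completed)
SIM_RESULTS = [
    ("alice", 1, date(2024, 3, 1), True,  date(2024, 2, 20)),
    ("alice", 2, date(2024, 5, 1), True,  date(2024, 2, 20)),
    ("bob",   1, date(2024, 3, 1), False, date(2023, 6, 15)),
    ("bob",   2, date(2024, 5, 1), True,  date(2023, 6, 15)),
    ("carol", 1, date(2024, 3, 1), False, date(2024, 2, 25)),
    ("carol", 2, date(2024, 5, 1), False, date(2024, 2, 25)),
    ("dave",  1, date(2024, 3, 1), True,  None),  # never completed training
    ("dave",  2, date(2024, 5, 1), False, None),
]


def failure_rate(rows):
    """Share of simulated lures that were clicked (0.0 when there are no rows)."""
    if not rows:
        return 0.0
    return sum(1 for r in rows if r[3]) / len(rows)


def repeat_failers(rows, min_failures=2):
    """Users who clicked in at least `min_failures` distinct campaigns."""
    campaigns_failed = defaultdict(set)
    for user, campaign, _sent, clicked, _trained in rows:
        if clicked:
            campaigns_failed[user].add(campaign)
    return {u for u, c in campaigns_failed.items() if len(c) >= min_failures}


def rate_by_training_recency(rows, window_days=90):
    """Failure rate for users trained within `window_days` before the lure
    versus everyone else (stale or never trained). Little or no gap between
    the two buckets is the signal the article describes: training recency
    is not reducing susceptibility."""
    recent, other = [], []
    for row in rows:
        _user, _campaign, sent_on, _clicked, trained = row
        if trained is not None and 0 <= (sent_on - trained).days <= window_days:
            recent.append(row)
        else:
            other.append(row)
    return {"recent": failure_rate(recent), "other": failure_rate(other)}
```

With this sample, both recency buckets fail at the same rate, which is the kind of result that should prompt the measures Ho recommends rather than another round of the same training.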

Understanding what works and what doesn’t for these training programs is an ongoing process, and one that appears to need a big overhaul.

“It’s going to take an outside-the-box approach. Blow up the norm, and come up with something that’s creative, that meets people where they are, that is not a slog,” says Oksenhendler. “But it also [should] drive home that we’re serious about security, so you need to be serious about security.”

Training can always get better, but it is never going to be enough when humans, as all security leaders know, are the most vulnerable target for cyberattacks. And even the best training methods cannot stand alone.

“Phishing training, by and large, is not a very effective way to reduce an organization’s susceptibility to attacks,” says Ho. “Deploy other measures, for example, two-factor authentication or phishing detection, to really protect your organization against these attacks.”
