Security training has little effect on reducing human error
Traditional techniques such as security awareness training and phishing simulations have a limited impact on improving employees' real-world cybersecurity practices, according to a new report.
The study, prepared by the Cyentia Institute, uses aggregated data from 114,000 Elevate Security Platform users for the last three years, examining malware, phishing, email security and other real world attack data.
It finds that while security training results in slightly lower phishing simulation click rates among users, it has no significant effect at the organizational level or in real-world attacks. What's more, an increase in simulations and training can be counterproductive, with the report finding that users with five or more training sessions are actually more likely to click on a phishing link than those with little or no training. 11.2 percent of users who had only one training session clicked on a phishing link, whereas 14.2 percent of those who had five training sessions clicked on the link.
"With nearly two-thirds of data breaches tied to human risk, we sought to truly understand the root cause -- human error, which has long been considered one of cybersecurity's longest unsolved problems," says Masha Sedova, co-founder and chief product officer of Elevate Security. "The data found conclusively that traditional security awareness training and mock phishing exercises have little effect on protecting the organization. These one-size-fits-all programs fulfill compliance and audit purposes but aren't doing a good job at actually reducing risk."
While training and simulation seem to have a limited effect on the risky behavior of individual users, there is no significant change in risk exposure at the organization level. Phishing simulations, for example, result in only six percent of users getting hooked. Across multiple simulations, those encouraging signs begin to wane as 40 percent of users fall for the phish and two-thirds of departments get duped.
Interestingly, users with active password managers are 19 times less likely to download or execute malware than those without them. It could be that good behavior in one area leads to good behavior elsewhere. Also, those at the top of the organization chart are more likely to have password managers, with almost 30 percent of managers using them compared to 20 percent of employees.
The full report is available on the Elevate Security site.