A recent study presented at the USENIX SOUPS security conference has confirmed what many security experts have suspected for years: phishing awareness training wears off quickly. Academics from multiple German universities leveraged laws mandating phishing awareness training to study how effective that training truly is. The researchers tested a group of public sector employees at different intervals after phishing training to determine how long the training was effective. The tested employees were broken into multiple groups which were tested at four, six, eight, ten, and twelve-month intervals. The researchers saw satisfactory results from the employees tested four months after their phishing training. These results dropped dramatically at the six-month test and continued to decline after that time. The team also tested the effectiveness of training reminders and found that employees who received video reminders of their training or interactive reminders retained their training best when compared to those who received simple text reminders.

ANALYST NOTES

This research study served to solidify what many in information security have worked hard to make others understand: security training must be an ongoing effort. When security awareness training is treated as a “box to check” for compliance it is rarely enough. It is important to find engaging means by which to educate employees on the immeasurably valuable role they play in every organization’s security. Many attackers gain their initial foothold into a network through phishing campaigns. Regular and effective training for employees on how to recognize a phishing email goes a long way towards securing an organization. Even if only a few alert employees quickly alert security personnel when they spot a phishing attack, the security staff can leverage that notification to find all the other employees who were targeted by the campaign and mitigate any compromised accounts or workstations quickly. Based on the results of this most recent study, phishing training will be most effective for an organization if done every six months through engaging and interactive means and when followed up with interactive reminders. More information on this topic can be found at https://www.zdnet.com/article/phishing-awareness-training-wears-off-after-a-few-months/