It isn’t very effective, apparently.
To measure the effectiveness of different methods of cybersecurity training, the authors [of a study] divided employees into four groups. After each attack, each group received a different training method: one received generic tips about avoiding phishing attacks, a second received an interactive Q&A on cybersecurity, a third was informed about the specific methods used in the most recent attack, and the fourth received an interactive Q&A that also included details about the most recent attack. A fifth group was also created, and the employees in that group received no training.
The authors found that on average, employees who received training of any sort had only a 1.7% lower failure rate than employees who had no training.
The authors’ solution?
The study’s takeaway for organizations, says [lead author Grant] Ho, is to rely on measures other than training, like phishing-detection software that automatically eliminates the need for employees to detect phishing attacks.
Software aids are important in this milieu, but the weak link remains the human. Software aids by themselves are insufficient.
There needs to be more to the training than just a slide presentation and some lectures, or in the present case, “interactive” Q&As. The training sessions need to be plussed up, a lot, but that can’t be the end of it. Schools and responsible companies run fire drills that run to completion, with evacuation of the building and head counts and roll calls while the evacuees are gathered up at their assigned evacuation points. So it must be with cybersecurity training. Simulated cyber attacks (phishing, social engineering, etc.) should be run against a rotating collection of employees to test their training and their responses to the attacks. Those simulations should be run some weeks after the training and more frequently than those fire drills, and they should not use IT-ginned-up attacks, either; they should use serious real-world attacks, altered only to get them targeted to the collection of employees being tested.
Beyond that, there needs to be teeth attached to the training and to employees’ failure to take the training seriously.
There are three outcomes from this. One is an empirical assessment of the quality of training, its durability, and identification of weaknesses in the training program, which then can be corrected (not given up on). A second results from those teeth: once management is satisfied with the training quality, employees still falling for the attacks should be terminated. They’re too great a risk to the company.
The third outcome is a very great increase in the cyber safety of the company and of its employees (with a follow-on: those employees will be better able to maintain security in their homes’ cyber environment). The added training and testing will incur costs to the company, but the risk of the far greater cost of a cyber breach—both direct and indirect through liability—is too great to ignore.