Phishing Training Is Pretty Pointless, Researchers Find

'Phishing training for employees as currently practiced is essentially useless,' writes SC World, citing the presentation of two researchers at the Black Hat security conference:

In a scientific study involving thousands of test subjects, eight months and four different kinds of phishing training, the average improvement rate of falling for phishing scams was a whopping 1.7%. 'Is all of this focus on training worth the outcome?' asked researcher Ariana Mirian, a senior security researcher at Censys and recently a Ph.D. student at U.C. San Diego, where the study was conducted. 'Training barely works...'

[Research partner Christian Dameff, co-director of the U.C. San Diego Center for Healthcare Cybersecurity] and Mirian wanted scientifically rigorous, real-world results. (You can read their academic paper here.) They enrolled more than 19,000 employees of the UCSD Health system and randomly split them into five groups, each member of which would see something different when they failed a phishing test randomly sent once a month to their workplace email accounts... Over the eight months of testing, however, there was little difference in improvement among the four groups that received different kinds of training. Those groups did improve a bit over the control group's performance — by the aforementioned 1.7%...

[A]bout 30% of users clicked on a link promising information about a change in the organization's vacation policy. Almost as many fell for one about a change in workplace dress code... Another lesson was that given enough time, almost everyone falls for a phishing email. Over the eight months of the experiment, just over 50% failed at least once.
Thanks to Slashdot reader spatwei for sharing the article.

Read more of this story at Slashdot.