
Does cybersecurity awareness training deliver any value?


Editor’s Note: A research paper published this week by UC San Diego, UC San Diego Health, and the University of Chicago categorically determined that cybersecurity awareness and anti-phishing training offers limited value.

Based on an eight-month study that included 10 simulated phishing campaigns sent to more than 19,500 employees at a large health organization, the researchers reported three major findings:

  • They found no significant relationship between whether users have recently completed cybersecurity awareness training and their likelihood of failing a phishing simulation.
  • When evaluating recipients of embedded phishing training, the researchers found that the difference in failure rates between trained and untrained users is extremely low.
  • Users who receive and complete more instances of a training session can have an increased likelihood of failing subsequent phishing simulations.

Given that the researchers confronted security awareness training companies head-on, SC Media asked Roger Grimes, data-driven defense evangelist at KnowBe4, to respond. Yesterday, Grimes sent back the following email:

Grimes: Those of us at KnowBe4 have written on this topic many times.

In short, these types of claims are from limited, sub-optimal studies, never running security awareness campaigns the way we recommend that they be performed. At KnowBe4, we have a data set of more than 60 million individual experiences over 70,000 company customers collected over 10 years to show that security awareness training and simulated phishing not only work to reduce human cybersecurity risk, but are one of the single best things companies can do. While 4 out of 10 companies have a data breach each year, less than 3% of our customers have ever had a data breach while being our customer.


Common claims in articles like this include the following:

  • Training is ineffective because the training in the limited test for a short period of time didn't make users less likely to click on additional simulated phishing tests.

Grimes: We don't see that in any of our customers who do the recommended training and simulated phishing test frequency of at least once a month. And no one has more data, customers, and their experiences to prove that security awareness training works. Just talk to our customers.

  • Training doesn't work because some percentage of people will always click on a phishing email or test.

Grimes: Yes, but training and simulated phishing for sure help to reduce the number of people and percentage of people who click on bad links, from more than 30% for our new customers to under 5%. That's real risk reduction. No other cyber defense company is asked to be so perfect. For example, no company perfectly patches. Mandiant says vulnerabilities are involved in 33% of attacks, but that doesn't mean we don't recommend patching. 

  • These types of articles always end by recommending stronger technical controls to block social engineering instead of training.

Grimes: If those technical controls blocked users from getting socially engineered, we would agree. However, social engineering causes 70%-90% of all data breaches and that's only after it got by every technical defense thrown in its path to prevent it from getting to the end user. Until technical controls perfectly prevent social engineering from getting to users, it's probably best to train our users how to recognize and how to mitigate and report it.

I work for a human risk management company...and I certainly have a bias. So, please speak to any company with a formal security awareness training program and ask if they think it delivers value. Almost all will say it does.

I was at Black Hat earlier this month at a presentation that claimed training doesn't work. The speaker asked the audience to raise their hand if they thought security awareness training worked. Roughly 90% of the hands went up agreeing that it worked and offered value.

The presenter then went on to give the presentation, saying it didn't in his limited sample. Lots of people just kept walking out of the talk...because they have their own real-world experiences and evidence that the training does in fact work.  

Roger Grimes, data-driven defense evangelist, KnowBe4

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
