Employees working on computer taking part in phishing awareness training

Phishing Awareness Training is Far From Permanent; New Study Shows the Effects Last Only a Few Months

Cybersecurity professionals always stress awareness as a critical component of security readiness, suggesting that all of an organization’s employees be provided with regular reminders and even occasional simulated training scenarios. But how well do these efforts “stick” with the average employee who is not particularly technically inclined? According to a new study, it looks like phishing awareness training needs to be repeated at least once every six months to avoid having the effects of it wear off.

Testing phishing awareness training retention

Entitled “An investigation of phishing awareness and education over time: When and how to best remind users,” the study was published by USENIX at the Sixteenth Symposium on Usable Privacy and Security (SOUPS 2020), and was conducted by a team of researchers from several German universities. The researchers surveyed 409 employees of the German State Office for Geoinformation and State Survey (SOGSS), a government agency that requires staff to go through periodic phishing awareness training. Prior research had established that there is a definite boost to awareness immediately after training and that it peters out over time, but had not established firm time intervals at which decay of these skills can be expected.

The study lasted for one year as the SOGSS employees were broken up into groups after receiving their annual phishing awareness training. The employees were asked to identify a series of potentially malicious emails at certain intervals, ranging from 4 to 12 months from receiving the standard phishing awareness training. While rates of recognition were high at the initial four-month interval, after six months employees were clearly beginning to forget what they had learned.

The phishing awareness training opened with an introduction to the topic, which included threat statistics specific to the organization and an explanation of common vectors (such as emails with phishing links leading to bogus look-alike sites). Vulnerabilities specific to the organization were demonstrated via anonymized versions of prior incidents. Employees were then educated on the risks of weak passwords and given advice on selecting strong ones. Finally, the training concluded with a short interactive quiz that had participants craft a strong password.

The training also stuck to the risk vectors that were most pertinent to the organization. While the possibility of phishing attempts made by direct messages and alternate methods was mentioned, the phishing awareness training focused heavily on email security as SOGSS employees are generally not issued mobile devices and policies restrict the use of social media on work computers.

The study excluded about 30 participants that either simply marked every email in the quiz as a phishing email or were observed going to an outside source for help.

Javvad Malik, Security Awareness Advocate for KnowBe4, commented on why one must anticipate that boosts to awareness via training will inevitably decay: “People are very quick to fall into old habits, and so, constant reminders or nudges are very important. A parallel can be drawn to exercise, a person that walks for an hour every day will be more healthy than someone who walks for 18 hours in a day once a year … In many cases, it’s not that people aren’t aware of threats, it’s more a matter of ‘out of sight, out of mind’ – so having little but frequent reminders helps to keep threats at the forefront and remain more vigilant.”

What training works best?

The study also tested the effectiveness of four different types of periodic reminders: a short text, a longer message, a video and interactive examples. The video and interactive examples proved to be the most effective.

The researchers stress the importance of these reminders matching the original material (not introducing any new content unless it builds on previously-learned knowledge) and standing on their own without requiring the recipient to look up additional material. The video measure essentially transposed a simple list of points to a visual explanation with narration, while the interactive measure displayed two examples of phishing emails with marked hotspots that the user could hover over for more information.

The study finds that mandatory reminders about phishing and social engineering attacks should be sent out every four months, as after that point substantial decline is seen (and after six months many employees will have lost what they learned almost entirely).

The quiz that employees were subjected to consisted of screenshots of 10 potential phishing emails, asking the user to identify those that were malicious. This was done by evaluating both the HTTP link seen in the screenshot (spotting oddities such as typos or extensions in normal domain names) and the plausibility of the content of the email body. In the case of evaluating email content, employees were presented with something implausible like an unrealistic job proposal or an out-of-nowhere offer of an absurd amount of money. Some phishing threats also presented an attachment that could be identified as potentially malicious.

The researchers also addressed the issue of which approach would more effectively prevent phishing attacks: having a regularly scheduled training that is clear in its nature, or periodically sending out simulated phishing emails without the employees being aware of them. The latter approach has received some criticism lately after being employed by major newspaper publisher Tribune Publishing, who sent fake phishing emails promising annual bonuses to employees that had just suffered a round of layoffs and pay cuts and were embroiled in an active conflict with management over these financial decisions. The researchers did not broach the issue of sensitivity and appropriateness of conducting such a test, but rejected the phishing simulation approach as having too many potential issues with timeliness and data collection quality.

Organizational defenses still clearly require more than just phishing awareness training at optimal intervals, however, as the employee training and reminders only boosted correct phishing email detection rates from about 62% to about 80%. Given that it only takes one email to lay a network low, both active scanning and “backstop” threat intelligence measures remain an additional necessity.