Feed: Slashdot
Feed Link: https://slashdot.org/
---

Title: Phishing Training Is Pretty Pointless, Researchers Find

Link: https://it.slashdot.org/story/25/08/17/013425...

"Phishing training for employees as currently practiced is essentially
useless," writes SC World, citing the presentation of two researchers at the
Black Hat security conference: In a scientific study involving thousands of
test subjects, eight months and four different kinds of phishing training,
the average improvement rate of falling for phishing scams was a whopping
1.7%. "Is all of this focus on training worth the outcome?" asked researcher
Ariana Mirian, a senior security researcher at Censys and recently a Ph.D.
student at U.C. San Diego, where the study was conducted. "Training barely
works..." [Research partner Christian Dameff, co-director of the U.C. San
Diego Center for Healthcare Cybersecurity] and Mirian wanted scientifically
rigorous, real-world results. (You can read their academic paper here.) They
enrolled more than 19,000 employees of the UCSD Health system and randomly
split them into five groups, each member of which would see something
different when they failed a phishing test randomly sent once a month to
their workplace email accounts... Over the eight months of testing, however,
there was little difference in improvement among the four groups that
received different kinds of training. Those groups did improve a bit over the
control group's performance - by the aforementioned 1.7%... [A]bout 30% of
users clicked on a link promising information about a change in the
organization's vacation policy. Almost as many fell for one about a change in
workplace dress code... Another lesson was that given enough time, almost
everyone falls for a phishing email. Over the eight months of the experiment,
just over 50% failed at least once. Thanks to Slashdot reader spatwei for
sharing the article.

Read more of this story at Slashdot.

---
VRSS v2.1.180528