Study Proves It: Security Awareness Training Reduces Phishing Attacks

Attackers are increasingly targeting human-based vulnerabilities to infiltrate organizations. Humans have direct access to insider systems and data – any threat actor can easily phish users, steal their credentials and secure keys to the kingdom without having to fight advanced cybersecurity defenses. Studies show social engineering attacks and human errors are behind 68% of all breaches. 

Human behavior is the root cause of human-generated risks. Human behavior is difficult to gauge or tame because we are influenced and triggered by emotions (anger, fear, lust, curiosity, greed), our biases, our lack of knowledge, understanding, and disregard for security risks. Adversaries exploit these flaws frequently in their phishing and social engineering attacks. The good news is that researchers at KnowBe4 found a direct link between cybersecurity training and a reduction in successful phishing scams.

Overview of Phish-Prone Percentage Findings
KnowBe4 conducted a major phishing benchmarking study that analyzed and compared the phish-prone percentages of 11.9 million users from 55,675 organizations. A phish-prone percentage (PPP) is a measurement of the percentage of individuals likely to interact with a phishing email by clicking on a malicious link or downloading a malicious file. The study examined the results of 54 million simulated phishing tests on nearly 12 million users. 

KnowBe4 conducted this research over three phases of testing. In the first phase or Phase One, a baseline test was done on organizations that had never conducted security awareness training. In Phase Two, security tests were conducted again after organizations subjected their users to 90 days of simulated phishing training. Next, after one year of repeated and rigorous phishing simulation training, Phase Three testing was implemented to assess if there were any material differences in PPP. Here are the results:

  • The average phish-prone rate in Phase One across all industries and organizations was 34.3%. In other words, an average of 34.3% of users clicked or interacted with an unsafe email.
  • After 90 days of regular simulation training (Phase Two), Knowbe4 noticed a significant drop in the average PPP, bringing it down to 18.9%, which is almost a 50% reduction in the average PPP from Phase One.
  • In Phase Three (after a year of ongoing training), Knowbe4 found that PPP had improved vastly, from an average of 34.3% in Phase One to an average of just 4.6% in Phase Three. 
  • Across all organizations, industries and territories, the average improvement in PPP observed was 86%. In both small and mid-sized organizations, PPP improved by 85% on average, while in large organizations PPP improved by 87%. 
  • For North American organizations specifically, the average Phase One PPP across all organizations was 35.1%, while in Phase Three the average PPP decreased to 4.5%. Again, a massive reduction in phishing susceptibility.

Key Takeaways for Businesses

The results from the PPP study point to three important conclusions:

1) Without continuous security training, organizations are at heightened risk. At an average 34.3% PPP, nearly a third of the workforce can fall prey to a phishing attack. Thus, it is critical that organizations develop programs and practices that remind and reinforce employees of the need to stay vigilant and secure.

2) Organizations can reduce human-based risks in three months. As the study revealed, if organizations run phishing simulation exercises on their workforce for just three months, they can greatly reduce their phishing susceptibility and improve the organization’s last line of defense, known as the human firewall.

3) A metrics-driven approach can bring about targeted change: Along with technical metrics, security leaders must also consider human-risk metrics like PPP when determining the overall cybersecurity strategy. Such metrics can also be used to demonstrate progress, explain security gaps and secure buy-in and investment from leadership. 

Mitigating phishing risk is not a complex or challenging endeavor. In truth, it is one of the few areas in cyber where a non-technical security approach applied consistently among users will inevitably and substantially reduce the attack surface well beyond expectations. With the right commitment to training, employing a combination of simulation exercises, individual coaching and classroom training, organizations can significantly mitigate phishing attacks, minimize human error, and largely boost the security posture.

Featured

  • Data Driven, Proactive Response

    As cities face rising demands for smarter policing and faster emergency response, Real Time Crime Centers (RTCCs) are emerging as essential hubs for data-driven public safety. In this interview, two experts with deep field experience — Ross Bourgeois of New Orleans and Dean Cunningham of Axis Communications — draw on decades of operational, leadership and technology expertise to share how RTCCs are transforming public safety through innovation, interagency collaboration and a relentless focus on community impact. Read Now

  • Integration Imagination: The Future of Connected Operations

    Security teams that collaborate cross-functionally and apply imagination and creativity to envision and design their ideal integrated ecosystem will have the biggest upside to corporate security and operational benefits. Read Now

  • Smarter Access Starts with Flexibility

    Today’s workplaces are undergoing a rapid evolution, driven by hybrid work models, emerging smart technologies, and flexible work schedules. To keep pace with growing workplace demands, buildings are becoming more dynamic – capable of adapting to how people move, work, and interact in real-time. Read Now

  • Trends Keeping an Eye on Business Decisions

    Today, AI continues to transform the way data is used to make important business decisions. AI and the cloud together are redefining how video surveillance systems are being used to simulate human intelligence by combining data analysis, prediction, and process automation with minimal human intervention. Many organizations are upgrading their surveillance systems to reap the benefits of technologies like AI and cloud applications. Read Now

  • The Future is Happening Outside the Cloud

    For years, the cloud has captivated the physical security industry. And for good reason. Remote access, elastic scalability and simplified maintenance reshaped how we think about deploying and managing systems. But as the number of cameras grows and resolutions push from HD to 4K and beyond, the cloud’s limits are becoming unavoidable. Bandwidth bottlenecks. Latency lags. Rising storage costs. These are not abstract concerns. Read Now

New Products

  • QCS7230 System-on-Chip (SoC)

    QCS7230 System-on-Chip (SoC)

    The latest Qualcomm® Vision Intelligence Platform offers next-generation smart camera IoT solutions to improve safety and security across enterprises, cities and spaces. The Vision Intelligence Platform was expanded in March 2022 with the introduction of the QCS7230 System-on-Chip (SoC), which delivers superior artificial intelligence (AI) inferencing at the edge.

  • PE80 Series

    PE80 Series by SARGENT / ED4000/PED5000 Series by Corbin Russwin

    ASSA ABLOY, a global leader in access solutions, has announced the launch of two next generation exit devices from long-standing leaders in the premium exit device market: the PE80 Series by SARGENT and the PED4000/PED5000 Series by Corbin Russwin. These new exit devices boast industry-first features that are specifically designed to provide enhanced safety, security and convenience, setting new standards for exit solutions. The SARGENT PE80 and Corbin Russwin PED4000/PED5000 Series exit devices are engineered to meet the ever-evolving needs of modern buildings. Featuring the high strength, security and durability that ASSA ABLOY is known for, the new exit devices deliver several innovative, industry-first features in addition to elegant design finishes for every opening.

  • Compact IP Video Intercom

    Viking’s X-205 Series of intercoms provide HD IP video and two-way voice communication - all wrapped up in an attractive compact chassis.