Study Proves It: Security Awareness Training Reduces Phishing Attacks

  • By Stu Sjouwerman
  • Jul 16, 2024

Attackers are increasingly targeting human-based vulnerabilities to infiltrate organizations. Humans have direct access to insider systems and data – any threat actor can easily phish users, steal their credentials and secure keys to the kingdom without having to fight advanced cybersecurity defenses. Studies show social engineering attacks and human errors are behind 68% of all breaches. 

Human behavior is the root cause of human-generated risks. Human behavior is difficult to gauge or tame because we are influenced and triggered by emotions (anger, fear, lust, curiosity, greed), our biases, our lack of knowledge, understanding, and disregard for security risks. Adversaries exploit these flaws frequently in their phishing and social engineering attacks. The good news is that researchers at KnowBe4 found a direct link between cybersecurity training and a reduction in successful phishing scams.

Overview of Phish-Prone Percentage Findings
KnowBe4 conducted a major phishing benchmarking study that analyzed and compared the phish-prone percentages of 11.9 million users from 55,675 organizations. A phish-prone percentage (PPP) is a measurement of the percentage of individuals likely to interact with a phishing email by clicking on a malicious link or downloading a malicious file. The study examined the results of 54 million simulated phishing tests on nearly 12 million users. 

KnowBe4 conducted this research over three phases of testing. In the first phase or Phase One, a baseline test was done on organizations that had never conducted security awareness training. In Phase Two, security tests were conducted again after organizations subjected their users to 90 days of simulated phishing training. Next, after one year of repeated and rigorous phishing simulation training, Phase Three testing was implemented to assess if there were any material differences in PPP. Here are the results:

  • The average phish-prone rate in Phase One across all industries and organizations was 34.3%. In other words, an average of 34.3% of users clicked or interacted with an unsafe email.
  • After 90 days of regular simulation training (Phase Two), Knowbe4 noticed a significant drop in the average PPP, bringing it down to 18.9%, which is almost a 50% reduction in the average PPP from Phase One.
  • In Phase Three (after a year of ongoing training), Knowbe4 found that PPP had improved vastly, from an average of 34.3% in Phase One to an average of just 4.6% in Phase Three. 
  • Across all organizations, industries and territories, the average improvement in PPP observed was 86%. In both small and mid-sized organizations, PPP improved by 85% on average, while in large organizations PPP improved by 87%. 
  • For North American organizations specifically, the average Phase One PPP across all organizations was 35.1%, while in Phase Three the average PPP decreased to 4.5%. Again, a massive reduction in phishing susceptibility.

Key Takeaways for Businesses

The results from the PPP study point to three important conclusions:

1) Without continuous security training, organizations are at heightened risk. At an average 34.3% PPP, nearly a third of the workforce can fall prey to a phishing attack. Thus, it is critical that organizations develop programs and practices that remind and reinforce employees of the need to stay vigilant and secure.

2) Organizations can reduce human-based risks in three months. As the study revealed, if organizations run phishing simulation exercises on their workforce for just three months, they can greatly reduce their phishing susceptibility and improve the organization’s last line of defense, known as the human firewall.

3) A metrics-driven approach can bring about targeted change: Along with technical metrics, security leaders must also consider human-risk metrics like PPP when determining the overall cybersecurity strategy. Such metrics can also be used to demonstrate progress, explain security gaps and secure buy-in and investment from leadership. 

Mitigating phishing risk is not a complex or challenging endeavor. In truth, it is one of the few areas in cyber where a non-technical security approach applied consistently among users will inevitably and substantially reduce the attack surface well beyond expectations. With the right commitment to training, employing a combination of simulation exercises, individual coaching and classroom training, organizations can significantly mitigate phishing attacks, minimize human error, and largely boost the security posture.

Featured

  • Gaining a Competitive Edge

    Ask most companies about their future technology plans and the answers will most likely include AI. Then ask how they plan to deploy it, and that is where the responses may start to vary. Every company has unique surveillance requirements that are based on market focus, scale, scope, risk tolerance, geographic area and, of course, budget. Those factors all play a role in deciding how to configure a surveillance system, and how to effectively implement technologies like AI. Read Now

  • 6 Ways Security Awareness Training Empowers Human Risk Management

    Organizations are realizing that their greatest vulnerability often comes from within – their own people. Human error remains a significant factor in cybersecurity breaches, making it imperative for organizations to address human risk effectively. As a result, security awareness training (SAT) has emerged as a cornerstone in this endeavor because it offers a multifaceted approach to managing human risk. Read Now

  • The Stage is Set

    The security industry spans the entire globe, with manufacturers, developers and suppliers on every continent (well, almost—sorry, Antarctica). That means when regulations pop up in one area, they often have a ripple effect that impacts the entire supply chain. Recent data privacy regulations like GDPR in Europe and CPRA in California made waves when they first went into effect, forcing businesses to change the way they approach data collection and storage to continue operating in those markets. Even highly specific regulations like the U.S.’s National Defense Authorization Act (NDAA) can have international reverberations – and this growing volume of legislation has continued to affect global supply chains in a variety of different ways. Read Now

  • Access Control Technology

    As we move swiftly toward the end of 2024, the security industry is looking at the trends in play, what might be on the horizon, and how they will impact business opportunities and projections. Read Now

Most   Popular

Featured Cybersecurity

Webinars

New Products

  • QCS7230 System-on-Chip (SoC)

    QCS7230 System-on-Chip (SoC)

    The latest Qualcomm® Vision Intelligence Platform offers next-generation smart camera IoT solutions to improve safety and security across enterprises, cities and spaces. The Vision Intelligence Platform was expanded in March 2022 with the introduction of the QCS7230 System-on-Chip (SoC), which delivers superior artificial intelligence (AI) inferencing at the edge. 3

  • Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation.

    Connect ONE®

    Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation. 3

  • AC Nio

    AC Nio

    Aiphone, a leading international manufacturer of intercom, access control, and emergency communication products, has introduced the AC Nio, its access control management software, an important addition to its new line of access control solutions. 3