Study Proves It: Security Awareness Training Reduces Phishing Attacks

  • By
  • Jul 16, 2024

Attackers are increasingly targeting human-based vulnerabilities to infiltrate organizations. Humans have direct access to insider systems and data – any threat actor can easily phish users, steal their credentials and secure keys to the kingdom without having to fight advanced cybersecurity defenses. Studies show social engineering attacks and human errors are behind 68% of all breaches. 

Human behavior is the root cause of human-generated risks. Human behavior is difficult to gauge or tame because we are influenced and triggered by emotions (anger, fear, lust, curiosity, greed), our biases, our lack of knowledge, understanding, and disregard for security risks. Adversaries exploit these flaws frequently in their phishing and social engineering attacks. The good news is that researchers at KnowBe4 found a direct link between cybersecurity training and a reduction in successful phishing scams.

Overview of Phish-Prone Percentage Findings
KnowBe4 conducted a major phishing benchmarking study that analyzed and compared the phish-prone percentages of 11.9 million users from 55,675 organizations. A phish-prone percentage (PPP) is a measurement of the percentage of individuals likely to interact with a phishing email by clicking on a malicious link or downloading a malicious file. The study examined the results of 54 million simulated phishing tests on nearly 12 million users. 

KnowBe4 conducted this research over three phases of testing. In the first phase or Phase One, a baseline test was done on organizations that had never conducted security awareness training. In Phase Two, security tests were conducted again after organizations subjected their users to 90 days of simulated phishing training. Next, after one year of repeated and rigorous phishing simulation training, Phase Three testing was implemented to assess if there were any material differences in PPP. Here are the results:

  • The average phish-prone rate in Phase One across all industries and organizations was 34.3%. In other words, an average of 34.3% of users clicked or interacted with an unsafe email.
  • After 90 days of regular simulation training (Phase Two), Knowbe4 noticed a significant drop in the average PPP, bringing it down to 18.9%, which is almost a 50% reduction in the average PPP from Phase One.
  • In Phase Three (after a year of ongoing training), Knowbe4 found that PPP had improved vastly, from an average of 34.3% in Phase One to an average of just 4.6% in Phase Three. 
  • Across all organizations, industries and territories, the average improvement in PPP observed was 86%. In both small and mid-sized organizations, PPP improved by 85% on average, while in large organizations PPP improved by 87%. 
  • For North American organizations specifically, the average Phase One PPP across all organizations was 35.1%, while in Phase Three the average PPP decreased to 4.5%. Again, a massive reduction in phishing susceptibility.

Key Takeaways for Businesses

The results from the PPP study point to three important conclusions:

1) Without continuous security training, organizations are at heightened risk. At an average 34.3% PPP, nearly a third of the workforce can fall prey to a phishing attack. Thus, it is critical that organizations develop programs and practices that remind and reinforce employees of the need to stay vigilant and secure.

2) Organizations can reduce human-based risks in three months. As the study revealed, if organizations run phishing simulation exercises on their workforce for just three months, they can greatly reduce their phishing susceptibility and improve the organization’s last line of defense, known as the human firewall.

3) A metrics-driven approach can bring about targeted change: Along with technical metrics, security leaders must also consider human-risk metrics like PPP when determining the overall cybersecurity strategy. Such metrics can also be used to demonstrate progress, explain security gaps and secure buy-in and investment from leadership. 

Mitigating phishing risk is not a complex or challenging endeavor. In truth, it is one of the few areas in cyber where a non-technical security approach applied consistently among users will inevitably and substantially reduce the attack surface well beyond expectations. With the right commitment to training, employing a combination of simulation exercises, individual coaching and classroom training, organizations can significantly mitigate phishing attacks, minimize human error, and largely boost the security posture.

Featured

  • It's Show Time

    I am one of those people that likes to see things get bigger and better. As advertised, ISC West is going to be bigger (more exhibitors) and better (more attendees). It’s show time in Las Vegas. Read Now

    • Industry Events
    • ISC West

  • SIA Releases New Report on Operational Security Technology

    The Security Industry Association (SIA) has released an impactful new resource – Operational Security Technology: Principles, Challenges and Achieving Mission-Critical Outcomes Leveraging OST. Read Now

  • Cyber Overconfidence Is Leaving Your Organization Vulnerable

    The increased sophistication of cyber threats pumped by the relentless use of AI and machine learning brings forth record-breaking statistics. Cyberattacks grew 44% YoY in 2024, with a weekly average of 1,673 cyberattacks per organization. While organizations up their security game to help thwart these attacks, a critical question remains: Can employees identify a threat when they come across one? A Confidence Gap survey reveals that 86% of employees feel confident in their ability to identify phishing attempts. But things are not as rosy as they appear; the more significant part of the report finds this confidence misplaced. Read Now

  • Mission 500 Debuts Refreshed Identity Ahead of Security 5K/2K at ISC West

    Mission 500, the security industry’s nonprofit charity dedicated to supporting children in need across the US, Canada, and Puerto Rico, has unveiled a refreshed brand identity ahead of ISC West. The charity’s new look includes a modernized logo with refined messaging to reinforce Mission 500’s nearly decade-long commitment to serving the needs of children and families in crisis. Read Now

    • Industry Events
Most   Popular

New Products

  • 4K Video Decoder

    3xLOGIC’s VH-DECODER-4K is perfect for use in organizations of all sizes in diverse vertical sectors such as retail, leisure and hospitality, education and commercial premises.

  • HD2055 Modular Barricade

    Delta Scientific’s electric HD2055 modular shallow foundation barricade is tested to ASTM M50/P1 with negative penetration from the vehicle upon impact. With a shallow foundation of only 24 inches, the HD2055 can be installed without worrying about buried power lines and other below grade obstructions. The modular make-up of the barrier also allows you to cover wider roadways by adding additional modules to the system. The HD2055 boasts an Emergency Fast Operation of 1.5 seconds giving the guard ample time to deploy under a high threat situation.

  • A8V MIND

    A8V MIND

    Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area.