Study Proves It: Security Awareness Training Reduces Phishing Attacks

Attackers are increasingly targeting human-based vulnerabilities to infiltrate organizations. Humans have direct access to internal systems and data, so a threat actor who phishes a user and steals their credentials gets the keys to the kingdom without having to fight through advanced cybersecurity defenses. Studies show social engineering attacks and human errors are behind 68% of all breaches.

Human behavior is the root cause of human-generated risk. It is difficult to gauge or tame because we are influenced by emotions (anger, fear, lust, curiosity, greed), by our biases, by gaps in our knowledge and understanding, and by a disregard for security risks. Adversaries exploit these flaws routinely in their phishing and social engineering attacks. The good news is that researchers at KnowBe4 found a direct link between security awareness training and a reduction in successful phishing scams.

Overview of Phish-Prone Percentage Findings
KnowBe4 conducted a major phishing benchmarking study that analyzed and compared the phish-prone percentages of 11.9 million users from 55,675 organizations. A phish-prone percentage (PPP) is the percentage of individuals likely to interact with a phishing email by clicking a malicious link or downloading a malicious file. The study examined the results of 54 million simulated phishing tests on those nearly 12 million users.

KnowBe4 conducted this research over three phases of testing. In the first phase (Phase One), a baseline test was run on organizations that had never conducted security awareness training. In Phase Two, the tests were run again after organizations had put their users through 90 days of simulated phishing training. Phase Three testing followed after one year of repeated, rigorous phishing simulation training, to assess whether there were any material differences in PPP. Here are the results:

  • The average phish-prone rate in Phase One across all industries and organizations was 34.3%. In other words, an average of 34.3% of users clicked on or otherwise interacted with an unsafe email.
  • After 90 days of regular simulation training (Phase Two), KnowBe4 observed a significant drop in the average PPP, down to 18.9%, which is almost a 50% reduction in the average PPP from Phase One.
  • In Phase Three (after a year of ongoing training), KnowBe4 found that PPP had improved vastly, from an average of 34.3% in Phase One to an average of just 4.6% in Phase Three.
  • Across all organizations, industries and territories, the average improvement in PPP observed was 86%. In both small and mid-sized organizations, PPP improved by 85% on average, while in large organizations PPP improved by 87%.
  • For North American organizations specifically, the average Phase One PPP across all organizations was 35.1%, while in Phase Three the average PPP decreased to 4.5%, again a massive reduction in phishing susceptibility.
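To make the metric concrete, here is an added example (not KnowBe4's code or data) that computes PPP from a simulated-phishing campaign export, breaks it down by phase and organization size, and derives the relative improvement figure the study reports. The export format (a CSV of `phase,org_id,org_size,user_id,outcome` with outcomes `clicked`, `opened_attachment`, `reported`, `ignored`) and the sample rows are assumptions constructed for the example; a real platform's export will differ.

```python
"""Phish-prone percentage (PPP) computed from simulated phishing results.

Added example, not KnowBe4's code or data. The CSV layout below is an
assumed export format: one row per simulated email delivered.
"""
from collections import defaultdict

# Constructed sample export: the same two organizations across three phases.
SAMPLE_EXPORT = """\
phase,org_id,org_size,user_id,outcome
1,acme,small,a1,clicked
1,acme,small,a2,opened_attachment
1,acme,small,a3,ignored
1,acme,small,a4,ignored
1,acme,small,a5,reported
1,globex,large,g1,clicked
1,globex,large,g2,clicked
1,globex,large,g3,ignored
1,globex,large,g4,reported
1,globex,large,g5,ignored
2,acme,small,a1,clicked
2,acme,small,a2,reported
2,acme,small,a3,ignored
2,acme,small,a4,reported
2,acme,small,a5,reported
2,globex,large,g1,opened_attachment
2,globex,large,g2,reported
2,globex,large,g3,ignored
2,globex,large,g4,reported
2,globex,large,g5,ignored
3,acme,small,a1,clicked
3,acme,small,a2,reported
3,acme,small,a3,reported
3,acme,small,a4,reported
3,acme,small,a5,ignored
3,globex,large,g1,reported
3,globex,large,g2,reported
3,globex,large,g3,reported
3,globex,large,g4,ignored
3,globex,large,g5,reported
"""

# Outcomes that count as "fell for it" versus safe behaviour.
FAILURE_OUTCOMES = {"clicked", "opened_attachment"}
SAFE_OUTCOMES = {"reported", "ignored"}


def parse_export(text):
    """Parse the CSV export into dicts, rejecting rows with unknown outcomes."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    records = []
    for line in lines[1:]:
        rec = dict(zip(header, line.split(",")))
        if rec["outcome"] not in FAILURE_OUTCOMES | SAFE_OUTCOMES:
            raise ValueError(f"unknown outcome {rec['outcome']!r} in {line!r}")
        rec["phase"] = int(rec["phase"])
        records.append(rec)
    return records


def ppp(records):
    """PPP: share of delivered simulations the recipient fell for, in percent.
    The denominator is every delivered email, including ignored ones."""
    if not records:
        raise ValueError("no records to score")
    failed = sum(r["outcome"] in FAILURE_OUTCOMES for r in records)
    return round(100.0 * failed / len(records), 1)


def ppp_by_phase(records):
    """PPP per phase, e.g. {1: 40.0, 2: 20.0, 3: 10.0} for the sample."""
    groups = defaultdict(list)
    for r in records:
        groups[r["phase"]].append(r)
    return {phase: ppp(recs) for phase, recs in sorted(groups.items())}


def ppp_by_org_size(records, phase):
    """PPP per organization size within one phase."""
    groups = defaultdict(list)
    for r in records:
        if r["phase"] == phase:
            groups[r["org_size"]].append(r)
    return {size: ppp(recs) for size, recs in sorted(groups.items())}


def relative_improvement(baseline_ppp, later_ppp):
    """Percent reduction in PPP relative to the baseline phase. Applied to the
    page's figures (34.3% -> 4.6%) it gives 86.6%, consistent with the
    study's stated 86% average improvement."""
    return round(100.0 * (baseline_ppp - later_ppp) / baseline_ppp, 1)


if __name__ == "__main__":
    recs = parse_export(SAMPLE_EXPORT)
    by_phase = ppp_by_phase(recs)
    for phase, value in by_phase.items():
        print(f"Phase {phase}: PPP {value}%, by size {ppp_by_org_size(recs, phase)}")
    print("Improvement Phase 1 -> 3:", relative_improvement(by_phase[1], by_phase[3]), "%")
```

Two design points worth noting: the denominator is every delivered email, so users who simply ignore the message are counted as not phish-prone, and a user who reports the email is scored the same as one who ignores it, so PPP alone does not capture reporting rates, which are a separate metric worth tracking alongside it.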

Key Takeaways for Businesses

The results from the PPP study point to three important conclusions:

1) Without continuous security training, organizations are at heightened risk. At an average 34.3% PPP, roughly a third of the workforce can fall prey to a phishing attack. It is therefore critical that organizations develop programs and practices that remind employees of the need to stay vigilant and reinforce secure behavior.

2) Organizations can reduce human-based risk in three months. As the study revealed, if organizations run phishing simulation exercises across their workforce for just three months, they can greatly reduce their phishing susceptibility and strengthen the organization's last line of defense, known as the human firewall.

3) A metrics-driven approach can bring about targeted change. Along with technical metrics, security leaders should also consider human-risk metrics like PPP when setting the overall cybersecurity strategy. Such metrics can also be used to demonstrate progress, explain security gaps, and secure buy-in and investment from leadership.

Mitigating phishing risk is not a complex or challenging endeavor. In truth, it is one of the few areas in cybersecurity where a non-technical approach, applied consistently across users, will substantially reduce the attack surface. With the right commitment to training, combining simulation exercises, individual coaching and classroom training, organizations can significantly mitigate phishing attacks, minimize human error, and substantially improve their security posture.
