Study Proves It: Security Awareness Training Reduces Phishing Attacks

  • By
  • Jul 16, 2024

Attackers are increasingly targeting human-based vulnerabilities to infiltrate organizations. Humans have direct access to insider systems and data – any threat actor can easily phish users, steal their credentials and secure keys to the kingdom without having to fight advanced cybersecurity defenses. Studies show social engineering attacks and human errors are behind 68% of all breaches. 

Human behavior is the root cause of human-generated risks. Human behavior is difficult to gauge or tame because we are influenced and triggered by emotions (anger, fear, lust, curiosity, greed), our biases, our lack of knowledge, understanding, and disregard for security risks. Adversaries exploit these flaws frequently in their phishing and social engineering attacks. The good news is that researchers at KnowBe4 found a direct link between cybersecurity training and a reduction in successful phishing scams.

Overview of Phish-Prone Percentage Findings
KnowBe4 conducted a major phishing benchmarking study that analyzed and compared the phish-prone percentages of 11.9 million users from 55,675 organizations. A phish-prone percentage (PPP) is a measurement of the percentage of individuals likely to interact with a phishing email by clicking on a malicious link or downloading a malicious file. The study examined the results of 54 million simulated phishing tests on nearly 12 million users. 

KnowBe4 conducted this research over three phases of testing. In the first phase or Phase One, a baseline test was done on organizations that had never conducted security awareness training. In Phase Two, security tests were conducted again after organizations subjected their users to 90 days of simulated phishing training. Next, after one year of repeated and rigorous phishing simulation training, Phase Three testing was implemented to assess if there were any material differences in PPP. Here are the results:

  • The average phish-prone rate in Phase One across all industries and organizations was 34.3%. In other words, an average of 34.3% of users clicked or interacted with an unsafe email.
  • After 90 days of regular simulation training (Phase Two), Knowbe4 noticed a significant drop in the average PPP, bringing it down to 18.9%, which is almost a 50% reduction in the average PPP from Phase One.
  • In Phase Three (after a year of ongoing training), Knowbe4 found that PPP had improved vastly, from an average of 34.3% in Phase One to an average of just 4.6% in Phase Three. 
  • Across all organizations, industries and territories, the average improvement in PPP observed was 86%. In both small and mid-sized organizations, PPP improved by 85% on average, while in large organizations PPP improved by 87%. 
  • For North American organizations specifically, the average Phase One PPP across all organizations was 35.1%, while in Phase Three the average PPP decreased to 4.5%. Again, a massive reduction in phishing susceptibility.

Key Takeaways for Businesses

The results from the PPP study point to three important conclusions:

1) Without continuous security training, organizations are at heightened risk. At an average 34.3% PPP, nearly a third of the workforce can fall prey to a phishing attack. Thus, it is critical that organizations develop programs and practices that remind and reinforce employees of the need to stay vigilant and secure.

2) Organizations can reduce human-based risks in three months. As the study revealed, if organizations run phishing simulation exercises on their workforce for just three months, they can greatly reduce their phishing susceptibility and improve the organization’s last line of defense, known as the human firewall.

3) A metrics-driven approach can bring about targeted change: Along with technical metrics, security leaders must also consider human-risk metrics like PPP when determining the overall cybersecurity strategy. Such metrics can also be used to demonstrate progress, explain security gaps and secure buy-in and investment from leadership. 

Mitigating phishing risk is not a complex or challenging endeavor. In truth, it is one of the few areas in cyber where a non-technical security approach applied consistently among users will inevitably and substantially reduce the attack surface well beyond expectations. With the right commitment to training, employing a combination of simulation exercises, individual coaching and classroom training, organizations can significantly mitigate phishing attacks, minimize human error, and largely boost the security posture.

Featured

  • Data Driven, Proactive Response

    As cities face rising demands for smarter policing and faster emergency response, Real Time Crime Centers (RTCCs) are emerging as essential hubs for data-driven public safety. In this interview, two experts with deep field experience — Ross Bourgeois of New Orleans and Dean Cunningham of Axis Communications — draw on decades of operational, leadership and technology expertise to share how RTCCs are transforming public safety through innovation, interagency collaboration and a relentless focus on community impact. Read Now

  • Integration Imagination: The Future of Connected Operations

    Security teams that collaborate cross-functionally and apply imagination and creativity to envision and design their ideal integrated ecosystem will have the biggest upside to corporate security and operational benefits. Read Now

  • Smarter Access Starts with Flexibility

    Today’s workplaces are undergoing a rapid evolution, driven by hybrid work models, emerging smart technologies, and flexible work schedules. To keep pace with growing workplace demands, buildings are becoming more dynamic – capable of adapting to how people move, work, and interact in real-time. Read Now

  • Trends Keeping an Eye on Business Decisions

    Today, AI continues to transform the way data is used to make important business decisions. AI and the cloud together are redefining how video surveillance systems are being used to simulate human intelligence by combining data analysis, prediction, and process automation with minimal human intervention. Many organizations are upgrading their surveillance systems to reap the benefits of technologies like AI and cloud applications. Read Now

  • Right-Wing Activist Charlie Kirk Dies After Utah Valley University Shooting

    Charlie Kirk, a popular conservative activist and founder of Turning Point USA, died Wednesday after being shot during an on-campus event at Utah Valley University in Orem, Utah Read Now

Most   Popular

New Products

  • A8V MIND

    A8V MIND

    Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area.

  • Automatic Systems V07

    Automatic Systems V07

    Automatic Systems, an industry-leading manufacturer of pedestrian and vehicle secure entrance control access systems, is pleased to announce the release of its groundbreaking V07 software. The V07 software update is designed specifically to address cybersecurity concerns and will ensure the integrity and confidentiality of Automatic Systems applications. With the new V07 software, updates will be delivered by means of an encrypted file.

  • Compact IP Video Intercom

    Viking’s X-205 Series of intercoms provide HD IP video and two-way voice communication - all wrapped up in an attractive compact chassis.