How Fast Does Phishing Awareness Training Wear Off? New Research Says 6 Months

By:  |  Category: Blog Thursday, September 24th, 2020  |  No Comments

If you don’t use it, you lose it, right? In the case of cybersecurity awareness training, this is now proven true.

A paper titled “An investigation of phishing awareness and education over time: When and how to best remind users” presented at the USENIX SOUPS security conference last month analyzed “the effectiveness of phishing training in time.”

The findings suggested employees need to be re-trained around six months because security and phishing awareness programs begin to wear off in time.

Understandably, if a user isn’t presented with a problem, the training they receive for that specific problem has no use and eventually fades.

The study surveyed 409 of 2,200 employees of the State Office for Geoinformation and State Survey (SOGSS) in the German public administration sector, because that “sector must go through mandatory phishing awareness training programs.

The effectiveness of phishing training over time, with tests at regular intervals, would “determine when SOGSS employees would lose their ability to detect phishing emails.” Split into groups, employees were given proper cybersecurity training and then tested respectively at 4,6,10 and 12 months. 

“The research team found that while the survey takers were able to correctly identify phishing emails even after four months following the initial training, this was not the case after six months and beyond, with a new training being recommended.”

The research team also developed “reminders” that meant to “replenish the employees’ phishing awareness and knowledge,” after they had received training. They created four separate reminders and sent them to four separate groups: text, video, interactive examples, and short text.

Employees who had received video and interactive examples, retained the training information best “with their impact lasting at least six months after being rolled-out.”

The conclusion is, that although security and phishing detection training is pertinent to helping organizations fight off cyber-attacks, the training needs to be “cyclical, with training sessions repeated, optimally ever six months and using interactive or video training measures.”

Need help re-training your team? Contact DarkHound SecOps today for more information on our free cybersecurity assessment and team training (714) 266-3790 or [email protected].

-Emmy Seigler

Source: https://www.zdnet.com/article/phishing-awareness-training-wears-off-after-a-few-months/

Leave a Comment
Read previous post:
Ransomware Turns Deadly When Hospital is Hit by Cyber Attack

Ransomware has always been a costly evil--but now it's turned deadly. German authorities last week shared that a ransomware attack on...