
Security awareness training doesn’t solve human risk
2021-05-12 03:00

Traditional employee risk mitigation efforts such as security awareness training and phishing simulations have a limited impact on improving employees' real-world cybersecurity practices, according to Elevate Security and Cyentia Institute.

The report examined malware, phishing, email security and other real-world attack data and found that while security training results in slightly lower phishing simulation click rates among users, it has no significant effect at the organizational level or in real-world attacks.

An increase in simulations and training can be counterproductive, with the report finding that users with five or more training sessions are actually more likely to click on a phishing link than those with little or no training.

Additional training has no effect: 11.2% of users who had only one training session clicked on a phishing link, whereas 14.2% of those who had five training sessions clicked on the link.

"The data found conclusively that traditional security awareness training and mock phishing exercises have little effect on protecting the organization. These one-size-fits-all programs fulfill compliance and audit purposes but aren't doing a good job at actually reducing risk."

"Enterprises spend millions of dollars on security technology only to still be on a hamster wheel of responding to incidents caused by simple errors," said Robert Fly, Elevate Security's CEO. "All that tech spending and management means nothing if there isn't a way to protect the human attack surface by benchmarking human risk and establishing appropriate controls and restrictions on the employees who are most frequently attacked. Using a more holistic approach to understanding and managing the human attack surface gives CISOs unique insights into high risk groups, strengthening their overall cyber defense strategy."

News URL

http://feedproxy.google.com/~r/HelpNetSecurity/~3/iOo5fkoW-6E/