Traditional employee risk mitigation efforts such as security awareness training and phishing simulations have a limited impact on improving employees’ real-world cybersecurity practices, according to Elevate Security and Cyentia Institute.
The report examined malware, phishing, email security and other real world attack data and found that while security training results in slightly lower phishing simulation click rates among users, it has no significant effect at the organizational level or in real-world attacks.
Moreover, an increase in simulations and training can be counterproductive, with the report finding that users with five or more training sessions are actually more likely to click on a phishing link than those with little or no training. Key findings include:
- Only a small percentage of users (~7%) ever execute or download malware, but that share grows to 31% at the department level, and the chance that someone introduces malware to enterprise assets reaches 100% at the organizational level.
- Additional training has no effect: 11.2% of users who had only one training session clicked on a phishing link, whereas 14.2% of those who had five training sessions did.
“With nearly two-thirds of data breaches tied to human risk, we sought to truly understand the root cause – human error, which has long been considered one of cybersecurity’s longest unsolved problems,” said Masha Sedova, chief product officer of Elevate Security.
“The data found conclusively that traditional security awareness training and mock phishing exercises have little effect on protecting the organization. These one-size-fits-all programs fulfill compliance and audit purposes but aren’t doing a good job at actually reducing risk.”
Individuals score better than groups
Training and simulation can have a limited effect on the risky behaviors of individual users, and there is no meaningful change in risk exposure at the organization level. For example, phishing simulations offer some encouragement in isolation: only 6% result in users getting hooked.
Across multiple simulations, those encouraging signs begin to wane: 40% of users fall for the phish and two-thirds of departments get duped. Looking at click rates across the entire organization, it is a near certainty that someone will eventually take the bait.
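The jump from a 6% per-simulation click rate to "someone in the organization will eventually click" follows from simple aggregation: a low individual probability compounds across people and across repeated simulations. The following added example (not code from the report, Elevate Security or Cyentia) models that compounding under an assumption of independent events; the group sizes and simulation counts are constructed, and the per-level rates are only loosely drawn from the figures quoted on this page.

```python
from math import prod


def p_at_least_one(rates):
    """Probability that at least one member of a group clicks in a single
    simulation, given each member's independent click probability.

    Assumes independence between users (a modelling assumption, not the
    report's method). Accepts heterogeneous rates, so a department can mix
    people with different risk profiles.
    """
    return 1.0 - prod(1.0 - r for r in rates)


def p_user_over_simulations(rate, n_simulations):
    """Probability that one user clicks at least once across repeated,
    independent simulations at a constant per-simulation rate."""
    return 1.0 - (1.0 - rate) ** n_simulations


def expected_clickers(rates):
    """Expected number of clickers in one simulation (sum of rates)."""
    return sum(rates)


def build_group(composition):
    """Expand {level: (headcount, rate)} into a flat list of per-user rates.

    The composition is constructed for illustration; the page reports ranges
    by org level, not exact values.
    """
    return [rate for headcount, rate in composition.values() for _ in range(headcount)]


if __name__ == "__main__":
    base = 0.06  # per-simulation click rate quoted on the page

    # Constructed sizes: a 25-person department and a 2000-person organization.
    print(f"department (25 @ 6%): {p_at_least_one([base] * 25):.3f}")
    print(f"organization (2000 @ 6%): {p_at_least_one([base] * 2000):.6f}")

    # Constructed: eight repeated simulations for one user at 6% each.
    print(f"one user over 8 simulations: {p_user_over_simulations(base, 8):.3f}")

    # Constructed mixed department using mid-range rates from the page's
    # org-chart figures (top 3-10%, bottom 17-24%).
    dept = build_group({"top": (3, 0.06), "bottom": (12, 0.20)})
    print(f"mixed department, P(any click): {p_at_least_one(dept):.3f}")
    print(f"mixed department, expected clickers: {expected_clickers(dept):.2f}")
```

Under this model a 6% individual rate already gives a roughly 79% chance that someone in a 25-person department clicks in a single simulation, and compounds to about 39% for one user after eight simulations, which is why organization-wide click rates look nothing like the per-user number and why a defender should size controls (link rewriting, attachment sandboxing, reporting workflows) for the population rather than for the average user.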
Organizational hierarchy and demographics play a role
Comparing rank-and-file employees, managers and contractors, employees were the most likely to click on phishing links, and those toward the bottom of the org chart are more likely both to have malware infections and to fail simulated phishing tests.
Between 7% and 10% of employees at the bottom of the org chart had malware vs. about 1% of those at the top; between 17% and 24% of employees at the bottom of the org chart clicked on phishing emails vs. between 3% and 10% of those at the top. This illustrates that demographics are as important to assessing human risk as the interventions designed to reduce it, and often more instructive.
Password managers correlate with reduced levels of human risk
Users with active password managers are 19 times less likely to download or execute malware than those without them. From this data, it’s reasonable to infer that good behavior in one area rolls over to good behaviors elsewhere.
Moreover, those at the top of the org chart are more likely to have password managers, with almost 30% of managers using password managers vs. 20% of employees.
“All that tech spending and management means nothing if there isn’t a way to protect the human attack surface by benchmarking human risk and establishing appropriate controls and restrictions on the employees who are most frequently attacked. Using a more holistic approach to understanding and managing the human attack surface gives CISOs unique insights into high risk groups, strengthening their overall cyber defense strategy.”