Phishing awareness training wears off after a few months
Security and phishing awareness programs wear off in time, and employees need to be re-trained after around six months, according to a paper presented at the USENIX SOUPS security conference last month.
The purpose of the paper was to analyze the effectiveness of phishing training in time.
Also: Phishing campaigns, from first to last victim, take 21h on average
Taking advantage of the fact that organizations in the German public administration sector must go through mandatory phishing awareness training programs, academics from several German universities surveyed 409 of 2,200 employees of the State Office for Geoinformation and State Survey (SOGSS).
Researchers tested the effectiveness of the phishing training over time, with periodic tests at regular intervals, to determine when SOGSS employees would lose their ability to detect phishing emails.
Employees were split into multiple groups and tested four, six, eight, ten, and twelve months, respectively, after receiving an on-site phishing training course.
The research team found that while the survey takers were able to correctly identify phishing emails even after four months following the initial training, this was not the case after six months and beyond, with a new training being recommended.
Video and interactive training works best
Researchers also developed their own “reminders” in order to “replenish the employees’ phishing awareness and knowledge,” which they used to re-train employees after taking their survey, and again six and twelve months later.
“We developed four different ones,” academics said.
“Four reminder measures were distributed to four groups (one per group): (a) text, (b) video measure, (c) interactive examples, and (d) a short text.
“Twelve months after the tutorial, we compared the knowledge retention of the four reminder groups […]. Among the four reminder measures, the video measure and the interactive examples measure performed best, with their impact lasting at least six months after being rolled-out.”
Academics concluded that while training employees in detecting phishing emails might help organizations fend off some attacks, this training needs to be cyclical, with training sessions repeated, optimally every six months and using interactive or video training measures.
Additional details about the research team’s work can be found in a paper named “An investigation of phishing awareness and education over time: When and how to best remind users” [PDF here or here].