Effectiveness of Phishing, Training & Understanding the Human Response
Executive Summary
Utilizing security awareness training and phishing security tests can be a useful and effective tool to reduce unintentional insider threats. However, if robust metrics are not put in place to effectively gauge click rate patterns from a human landscape perspective, phishing tests can create organizational social engineering blind spots. Meaningful phishing assessment metrics should go beyond the click rate and capture human patterns relative to employees' jobs and work environment.
Key Takeaways
• Awareness training makes a difference in the short and long term. IT and business decision makers should consider how effective training is in the long term when assessing the value of training services.
• “Low hanging fruit” phishing emails still work. It is important to understand the employee level of awareness in terms of levels of phishing email sophistication.
• IT and business decision makers need to be aware of how some types of jobs and the working hours of their employees can affect responses to phishing emails.
• Data-driven phishing evaluations of who is clicking what, and when, can more effectively indicate patterns of phishing vulnerability within an organization than the blanket click rate of the organization as a whole.
• Clear communication with employees regarding IT updates or HR processes can play a vital role in preventing misunderstandings and blocking phishing attempts based on generic company email themes.
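The takeaways above argue for segmenting phishing-test results by job function, time of day and lure sophistication rather than reporting one organization-wide click rate. The following Python is an added illustration of that kind of analysis; it is not code or data from the study or from KnowBe4. The test results, the department names, the shift boundaries and the 15-point "hotspot" margin are all constructed assumptions for the example, and the reporting rate is included alongside the click rate because a segment that clicks little but also reports little is still a weak spot.

```python
from collections import defaultdict

# Constructed phishing-test results (hypothetical, not data from the whitepaper).
# One record per recipient: department, hour the lure was sent (24h clock),
# lure sophistication, and whether the recipient clicked or reported it.
SAMPLE_RESULTS = [
    {"user": "u01", "dept": "finance",     "hour": 8,  "lure": "low",    "clicked": True,  "reported": False},
    {"user": "u02", "dept": "finance",     "hour": 8,  "lure": "low",    "clicked": True,  "reported": False},
    {"user": "u03", "dept": "finance",     "hour": 14, "lure": "high",   "clicked": False, "reported": True},
    {"user": "u04", "dept": "finance",     "hour": 18, "lure": "low",    "clicked": True,  "reported": False},
    {"user": "u05", "dept": "engineering", "hour": 9,  "lure": "low",    "clicked": False, "reported": True},
    {"user": "u06", "dept": "engineering", "hour": 10, "lure": "high",   "clicked": True,  "reported": False},
    {"user": "u07", "dept": "engineering", "hour": 15, "lure": "high",   "clicked": False, "reported": True},
    {"user": "u08", "dept": "engineering", "hour": 19, "lure": "low",    "clicked": False, "reported": False},
    {"user": "u09", "dept": "sales",       "hour": 7,  "lure": "low",    "clicked": True,  "reported": False},
    {"user": "u10", "dept": "sales",       "hour": 11, "lure": "medium", "clicked": False, "reported": False},
    {"user": "u11", "dept": "sales",       "hour": 20, "lure": "low",    "clicked": True,  "reported": False},
    {"user": "u12", "dept": "sales",       "hour": 21, "lure": "low",    "clicked": True,  "reported": False},
]


def click_rate(records):
    """Fraction of recipients who clicked the lure; 0.0 for an empty group."""
    if not records:
        return 0.0
    return sum(1 for r in records if r["clicked"]) / len(records)


def report_rate(records):
    """Fraction of recipients who reported the lure; 0.0 for an empty group."""
    if not records:
        return 0.0
    return sum(1 for r in records if r["reported"]) / len(records)


def shift_of(hour):
    """Coarse working-hours bucket. Boundaries are an assumption for this example."""
    if 6 <= hour < 12:
        return "morning"
    if 12 <= hour < 18:
        return "afternoon"
    return "off-hours"


def rate_by(records, key, metric=click_rate):
    """Compute `metric` per value of a record field, or per derived shift when key == "shift"."""
    groups = defaultdict(list)
    for r in records:
        value = shift_of(r["hour"]) if key == "shift" else r[key]
        groups[value].append(r)
    return {segment: metric(members) for segment, members in groups.items()}


def hotspots(records, key, margin=0.15):
    """Segments whose click rate exceeds the organization-wide rate by at least `margin`.

    The margin is an assumed threshold; a real programme would pick it from its own
    baseline and sample sizes rather than from this constant.
    """
    overall = click_rate(records)
    return sorted(seg for seg, rate in rate_by(records, key).items() if rate - overall >= margin)


if __name__ == "__main__":
    print(f"overall click rate: {click_rate(SAMPLE_RESULTS):.2f}")
    for key in ("dept", "shift", "lure"):
        clicks = rate_by(SAMPLE_RESULTS, key)
        reports = rate_by(SAMPLE_RESULTS, key, report_rate)
        for seg in sorted(clicks):
            print(f"  {key}={seg:<12} clicked {clicks[seg]:.2f}  reported {reports[seg]:.2f}")
        print(f"  hotspots by {key}: {hotspots(SAMPLE_RESULTS, key)}")
```

On the constructed data the blanket click rate is 58%, which hides that finance and sales click at 75% while engineering clicks at 25%, that lures sent outside office hours do markedly worse than afternoon ones, and that the least sophisticated lures are the ones that land. Those are the patterns the takeaways above say a click-rate-only report would miss; the same grouping can be re-run after each training cycle to see whether a segment's rate actually moves.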
About this Whitepaper
This whitepaper reports the results of a 6-month experimental study testing how long the effectiveness of the 40-minute KnowBe4 “Kevin Mitnick Security Awareness Training” lasts. The scope of the experiment was common workplace phishing emails, tested among small to medium-sized companies. This whitepaper was sponsored by KnowBe4.