Effectiveness of Phishing, Training & Understanding the Human Response
Security awareness training and phishing security tests can be useful and effective tools for reducing unintentional insider threats. However, if robust metrics are not put in place to gauge click-rate patterns across the human landscape of the organization, phishing tests can create organizational social engineering blind spots. Meaningful phishing assessment metrics should go beyond the click rate and capture human patterns relative to employees' jobs and work environments.
- Awareness training makes a difference in the short and long term. IT and business decision-makers should consider how effective training is in the long term when assessing the value of training services.
- “Low hanging fruit” phishing emails still work. It is important to understand employees' level of awareness relative to how sophisticated the phishing emails are.
- IT and business decision-makers need to be aware of how some types of jobs and working hours of their employees can affect responses to phishing emails.
- Data-driven phishing evaluations on who is clicking what, and when, can more effectively indicate patterns of phishing vulnerabilities within an organization than the blanket click rate of the overall organization.
- Clear communication with employees regarding IT updates or HR processes can play a vital role in preventing misunderstandings and blocking phishing attempts based on generic company email themes.
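To make the "who is clicking what, and when" point concrete, the following added example (not code from the original article) segments constructed phishing-simulation results by department, lure sophistication and send time, and flags the segments whose click rate stands well above the blanket organizational rate. The field names, the business-hours window and the 1.5x threshold are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime
from typing import Callable, NamedTuple
class TestEmail(NamedTuple):
    user: str
    department: str
    sophistication: str  # "low" = generic lure, "high" = tailored lure
    sent: str            # ISO timestamp of the simulated email
    clicked: bool

# Constructed phishing-simulation results for illustration (not real data).
RESULTS = [
    TestEmail("u01", "finance", "low", "2024-03-04T09:12", True),
    TestEmail("u02", "finance", "high", "2024-03-04T10:05", True),
    TestEmail("u03", "finance", "low", "2024-03-04T23:40", True),
    TestEmail("u04", "finance", "high", "2024-03-05T02:15", False),
    TestEmail("u05", "it", "low", "2024-03-04T08:50", False),
    TestEmail("u06", "it", "high", "2024-03-04T11:30", False),
    TestEmail("u07", "it", "low", "2024-03-04T22:10", True),
    TestEmail("u08", "it", "high", "2024-03-05T01:05", False),
]

def time_bucket(sent: str) -> str:
    """Bucket the send time into business hours (08:00-17:59) or off hours."""
    hour = datetime.fromisoformat(sent).hour
    return "business_hours" if 8 <= hour < 18 else "off_hours"

def click_rate(rows: list) -> float:
    # Blanket click rate for a set of test emails (0.0 for an empty set).
    return round(sum(r.clicked for r in rows) / len(rows), 3) if rows else 0.0

def rate_by(rows: list, key: Callable[[TestEmail], str]) -> dict:
    """Click rate per segment, where key() picks the segment of each row."""
    groups = defaultdict(list)
    for r in rows:
        groups[key(r)].append(r)
    return {seg: click_rate(g) for seg, g in sorted(groups.items())}

# The "who, what and when" dimensions the text recommends looking at.
DIMENSIONS = {
    "department": lambda r: r.department,
    "sophistication": lambda r: r.sophistication,
    "time": lambda r: time_bucket(r.sent),
}

def blind_spots(rows: list, factor: float = 1.5) -> list:
    """Segments whose click rate is at least `factor` times the blanket rate."""
    overall = click_rate(rows)
    return [(dim, seg, rate) for dim, key in DIMENSIONS.items()
            for seg, rate in rate_by(rows, key).items()
            if rate >= factor * overall]
```

On the sample data the blanket rate is 0.5, which hides that the finance department and generic low-sophistication lures both sit at 0.75 while send time shows no difference; those two segments are what `blind_spots(RESULTS)` returns.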