It was a big sample group. The researchers examined nearly 20,000 employees at UC San Diego Health. People who got cybersecurity training were compared to those who got none.
Some people with training were slightly less likely to click on a phishing lure than the untrained. But some trained people were more likely to click.
“And we found that there was no relation to time and your cybersecurity annual training. And so that means even if you had just recently taken it, you are just as likely to click as someone who had taken it 8, 10, 12 months ago,” said Ariana Mirian, one of the co-authors of the study done at UC San Diego.
Phishing is done to gain access to your online information including passwords, banking information or medical records.
The study found some phishing lures worked better than others. For instance, a fake message that claimed to be from Human Resources asked you to click on an update to your company’s dress code policy. Lots of people fell for that one.
Even more people fell for a fake message asking recipients to click on an update to their company’s vacation policy.
The UCSD study kept track of cumulative lure clicks over several months, and it suggested that even if you don’t click on the first one you get, pretty soon one of them is likely to get you.
“So what this is showing is that each month, a new set of users is failing,” Mirian said as she pointed to a graph in the study. “So you can imagine if this goes on forever, eventually most people will fail at least one phishing lure.”
Mirian works for the cybersecurity company Censys, and she was completing her Ph.D. at UCSD when she co-authored the study, which was presented at the Black Hat USA convention in Las Vegas this year.
She said that, given how ineffective cybersecurity training is, it might be better to build more effective security into workplace computer systems.
“Should we as a security community be putting all the time and energy and money into other defenses like multifactor authentication or maybe email spam detection? Things that remove the responsibility from the end user and put it on the system itself,” she said.
Because that training just doesn’t seem to stick with people.