We’ve All Been Wrong: Phishing Training Doesn’t Work
www.darkreading.com/endpoint-…
A recent study suggests, contrary to popular belief, that most phishing awareness initiatives aren’t having a material impact on employee cybersecurity.
The group of participants with the best outcomes were those who completed interactive training — they were measured to be 19% less likely to click on phishing links thereafter. In other words, companies that deploy the most effective training courses available can expect a quarter of their employees to improve around 20%.
[A study to be introduced at Black Hat USA] leaves open the possibility that certain, unexplored kinds of training could work, like more expensive, one-on-one in-person coaching. Companies might also consider how to incentivize employees to make cybersecurity a part of their jobs — for example, by giving them some financial stake in the company’s future.