Gone Phishing?

A study conducted by PhD researchers at the University of California – San Diego determined that phishing training administered to employees is mostly ineffective.

One significant factor noted was failure to engage on the part of the employees. The supporting statistic was that around three-quarters of the employees studied engaged for a minute or less, and 33 percent closed the training page without doing anything.

This was not a “snapshot”: the research covered over 19,500 employees at the university health service, using ten different phishing schemes. The bottom line was that there was “no significant difference” between trained and untrained subjects in response to the various schemes. Further, performance decreased as time went on during the test. 

The researchers’ bottom line was that technological preventative remedies, such as two-factor authentication, etc., would be more effective than training (and possibly cheaper in time and cost, as well.)