Skip to content
SPECIAL

THREATS TO CRITICAL INFRASTRUCTURE IN IRAN CONFLICT

READ MORE

Why security awareness training doesn’t work — and how to fix it

(John / Unsplash)

By Eric Geller

Government agencies, private businesses and nonprofit organizations have spent decades trying to teach their employees not to click suspicious links or download untrustworthy files, but recent evidence suggests that this cybersecurity awareness training is largely ineffective and possibly even counterproductive.

Organizations rely on cybersecurity education, from phishing simulations to annual webinars, to train their employees to identify and block digital threats. The security industry tells organizations that people are their weakest link and emphasizes training as the solution, and a cottage industry of cybersecurity training programs has sprung up to meet that need. But these programs — a cornerstone of the modern security strategy — are missing the mark.

Common cybersecurity training methods do not significantly reduce people’s likelihood of falling for phishing attacks and in some cases actually make people more susceptible to those attacks, according to a Cybersecurity Dive review of more than a dozen studies and meta-analyses published since 2008. The studies cast doubt on the value of mandatory training, critique the lessons provided to people who fail tests and highlight methodological flaws in earlier research.

Read more at Cybersecurity Dive

Click to listen highlighted text!