Cybersecurity training against phishing is a “waste of time”

Personnel who had undergone cybersecurity courses are marginally more likely to fail phishing tests

  • Statistical comparisons reveal no significant improvement among employees who had completed recent training as compared to those without such experience.
  • Organisations need to recalibrate their expectations regarding the impact of both annual security awareness training and standard embedded phishing interventions as they are typically implemented today.

A significant new study has cast serious doubt on the practical effectiveness of standard cybersecurity training programs in reducing organisational vulnerability to phishing attacks.

Despite extensive awareness efforts, recent research indicates that such initiatives may offer negligible protection against real-world social engineering threats.

Over an eight-month period, researchers from UC San Diego, University of Chicago, and UC San Diego Health conducted a rigorous experiment within a major US healthcare organisation.

The study involved ten rounds of simulated phishing campaigns delivered to more than 19,500 employees, aiming to objectively assess the efficacy of various cybersecurity training modalities.

Key findings

The principal finding of this analysis is that recent participation in cybersecurity awareness training activities did not lead to a measurable reduction in the likelihood of falling victim to simulated phishing.

Statistical comparisons revealed no significant improvement among employees who had completed recent training as compared to those without such experience.

Alarmingly, the data further demonstrated that personnel who had undergone several static cybersecurity courses were marginally more likely to fail phishing tests, suggesting that repetition of conventional content may contribute to disengagement or “training fatigue.”

Marginal benefits of embedded training

One modest exception was observed: participants who encountered an embedded, real-time phishing intervention, such as an immediate notification when clicking on a simulated phishing link, showed a small reduction in subsequent failures, amounting to a 1.7% improvement.

Even this result, however, underscores the overall minimal impact of traditional training approaches.

The research highlighted the scale of the problem. More than half of all users (56%) clicked on at least one fabricated phishing email during the study period.

Repeated susceptibility was substantial, with approximately 26% of users failing two or more simulations, and nearly 10% falling for at least three out of ten attempts. Notably, one individual responded to every single phishing simulation.

The most effective phishing lures were themed around ubiquitous workplace scenarios, such as vacation policy updates, dress code notifications, and traffic ticket warnings.

The most successful campaign, purportedly from human resources about an “Updated vacation and sick time policy,” deceived 30.8% of recipients.

Analysis of user behaviour during post-failure training sessions revealed worrying levels of disengagement. Over half of sessions lasted fewer than ten seconds, and less than a quarter of participants completed the training material in full. This pattern suggests that many employees view such training solely as a compliance exercise rather than a meaningful educational opportunity.
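The figures reported above (share of users clicking at least once, twice or three times; per-campaign failure rates; trained versus untrained comparison; session engagement) are straightforward to compute from a simulation platform's click and training logs. The following is an added example, not code from the study or from this article, that computes those metrics over constructed data. The user IDs, round numbers, training flags and session durations are invented; the two-proportion z-test is a standard approximation chosen here for the comparison and is not the study's statistical method.

```python
"""Evaluate a phishing-simulation programme from its click and training logs.

Added example, not the study's code. All data below are constructed: ten
campaign rounds delivered to ten employees, a flag for whether each employee
completed awareness training shortly before the campaign, and the duration
and completion status of each post-failure training session.
"""
from math import erf, sqrt

ROUNDS = 10

# Constructed: user -> set of campaign rounds (1..10) in which the user clicked.
CLICKS = {
    "u01": {1, 3, 5, 7, 9},
    "u02": {2},
    "u03": set(),
    "u04": {4, 8},
    "u05": set(),
    "u06": {1},
    "u07": set(),
    "u08": set(range(1, ROUNDS + 1)),   # clicked every simulation
    "u09": set(),
    "u10": {6, 8, 10},
}

# Constructed: whether the user completed awareness training before round 1.
RECENT_TRAINING = {u: u in {"u01", "u02", "u03", "u04", "u05"} for u in CLICKS}

# Constructed: (seconds the post-failure training page stayed open, completed?)
SESSIONS = [(3, False), (6, False), (9, False), (12, False),
            (25, False), (40, True), (95, True), (4, False)]


def repeat_susceptibility(clicks):
    """Share of users who failed at least 1, 2 and 3 simulations."""
    counts = [len(rounds) for rounds in clicks.values()]
    return {k: sum(c >= k for c in counts) / len(counts) for k in (1, 2, 3)}


def per_campaign_failure_rate(clicks, rounds=ROUNDS):
    """Fraction of recipients who clicked in each round."""
    n = len(clicks)
    return {r: sum(r in hit for hit in clicks.values()) / n
            for r in range(1, rounds + 1)}


def two_proportion_z(k1, n1, k2, n2):
    """Two-sided pooled z-test for equality of two proportions.

    Returns (z, p_value). Uses math.erf so no SciPy dependency is needed.
    """
    p_pool = (k1 + k2) / (n1 + n2)
    se = sqrt(p_pool * (1 - p_pool) * (1 / n1 + 1 / n2))
    if se == 0:
        return 0.0, 1.0
    z = (k1 / n1 - k2 / n2) / se
    p_value = 1 - erf(abs(z) / sqrt(2))   # two-sided tail probability
    return z, p_value


def training_effect(clicks, trained, rounds=ROUNDS):
    """Compare click rate per user-round for recently trained vs. untrained.

    Simplification (assumption of this example): every user-round is treated as
    an independent trial. Because the same users repeat across rounds, a real
    analysis should model per-user effects rather than pool user-rounds.
    """
    hits = {True: 0, False: 0}
    trials = {True: 0, False: 0}
    for user, rounds_hit in clicks.items():
        hits[trained[user]] += len(rounds_hit)
        trials[trained[user]] += rounds
    z, p_value = two_proportion_z(hits[True], trials[True],
                                  hits[False], trials[False])
    return {"trained_rate": hits[True] / trials[True],
            "untrained_rate": hits[False] / trials[False],
            "z": z, "p_value": p_value}


def engagement(sessions, short_seconds=10):
    """Share of post-failure training sessions that were very short or completed."""
    n = len(sessions)
    return {"under_10s": sum(s < short_seconds for s, _ in sessions) / n,
            "completed": sum(done for _, done in sessions) / n}


if __name__ == "__main__":
    print("repeat susceptibility:", repeat_susceptibility(CLICKS))
    rates = per_campaign_failure_rate(CLICKS)
    worst = max(rates, key=rates.get)
    print(f"worst campaign: round {worst} at {rates[worst]:.1%}")
    print("training effect:", training_effect(CLICKS, RECENT_TRAINING))
    print("engagement:", engagement(SESSIONS))
```

On the constructed data the trained group clicks less often, but the difference is nowhere near significance (p is well above 0.05), which is the pattern the study reports at scale: a raw rate gap is not evidence of a training effect until it is tested, and a pooled test like this one is the weakest acceptable check because it ignores that the same users recur across rounds.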

Implications and recommendations

Despite substantial organisational efforts, failure rates exceeded 15% in most phishing simulations, regardless of training frequency or form.

The study did not propose specific solutions, but it emphasised the urgent need for future initiatives to focus on improving user engagement and the overall effectiveness of phishing awareness strategies.

Based on robust empirical evidence, the researchers concluded that organisations should recalibrate their expectations regarding the impact of both annual security awareness training and standard embedded phishing interventions as they are typically implemented today.

