Phishing attacks continue to pose a significant threat to employees and organizations alike. We’ve all been through phishing awareness training, sat through annoying tutorials and been humiliated by simulated phishing, but how effective are they? Our new study in Computers & Security takes a deep dive into this question. The study is the fruit of the Master’s thesis by Doron Hillman, advised by Yaniv Harel, Ph.D., and me.

We conducted a series of controlled experiments at an Israeli institution with ~5,000 employees, using three simulated phishing emails and controlling for content, delivery, and so forth. We examined the factors that influence the phishing Click-Through Rate (CTR). Our key findings are:

1. Simulated phishing emails work (sorry, employees! 🙈)
2. Training timing and content don’t significantly affect phishing CTR.
3. Employees interact more with personalized phishing emails.
4. Phishing CTR varies across business units.

We highlight the importance of adopting a data-driven approach to training and emphasize that employee awareness and proactive behavior are critical.
The research is a call to action for information security officers to establish data-driven, effective phishing awareness programs.

The paper’s pre-proof can be downloaded from Computers & Security.