Here is an interesting article proving that at least some aspects of security awareness training are useless. A recent study by Eric Johnson of Vanderbilt University showed that training is ineffective at keeping users from falling victim to phishing attacks. The results suggest organizations should instead redirect resources to improving technology controls that stop phishing attacks before they reach end users.
You cannot argue with the numbers, but this conclusion just seems a little off to me. Maybe there’s a bad assumption or flawed logic at work here? I’ve always been a proponent of taking advantage of both user training and technology controls to help minimize the security risks associated with attacks such as phishing. Perhaps results such as these could help organizations refocus their efforts on stopping attacks before they reach users; however, I do not see reducing user training as an effective approach. If anything, we need to do more of it.
Training that’s designed to help workers avoid clicking on links from spear-phishing e-mails may be ineffective because employees often fail to read training materials, says Eric Johnson, a Vanderbilt University professor who’s co-author of a new study on the subject.
And workers’ failure to understand the consequences of spear phishing has a financial impact. A Cisco analysis shows how a single spear-phishing campaign can generate as much as $150,000 in profits, vs. $14,000 for a mass phishing attack.
“My old friend [chief security officer] John Stewart at Cisco says all links want to be clicked,” Johnson, dean of the Owen Graduate School of Management at Vanderbilt, says in an interview with Information Security Media Group. “There’s just something in there, even for the most astute security folks. When you get a link that looks like it’s real, looks like it came from a friend, has a compelling message, it’s very hard to pull the finger back from the mouse.”
Today’s post pic is from AllSpammedUp.com.