Should User Awareness Training Be Eliminated?

Here is an interesting article proving that at least some aspects of security awareness training are useless. A recent study by Eric Johnson of Vanderbilt University showed that training is ineffective at keeping users from falling victim to phishing attacks. The results suggest organizations should instead redirect resources to improving technology controls that stop phishing attacks before they reach end users.

You cannot argue with the numbers, but this conclusion just seems a little off to me. Maybe there’s a bad assumption or flawed logic at work here? I’ve always been a proponent of taking advantage of both user training and technology controls to help minimize the security risks associated with attacks such as phishing. Results such as these could help organizations refocus their efforts on stopping attacks before they reach users; however, I do not see reducing user training as an effective approach. If anything, we need to do more of it.


Training that’s designed to help workers avoid clicking on links from spear-phishing e-mails may be ineffective because employees often fail to read training materials, says Eric Johnson, a Vanderbilt University professor who’s co-author of a new study on the subject.

And, workers’ failure to understand the consequences of spear phishing has a financial impact. A Cisco analysis shows how a single spear-phishing campaign can generate as much as $150,000 in profits, vs. $14,000 for a mass phishing attack.

“My old friend [chief security officer] John Stewart at Cisco says all links want to be clicked,” Johnson, dean of the Owen Graduate School of Management at Vanderbilt, says in an interview with Information Security Media Group. “There’s just something in there, even for the most astute security folks. When you get a link that looks like it’s real, looks like it came from a friend, has a compelling message, it’s very hard to pull the finger back from the mouse.”

Continued here.




13 comments for “Should User Awareness Training Be Eliminated?”

  1. January 22, 2014 at 5:03 pm

    Interesting article: Should User Awareness Training Be Eliminated? #cybersecurity #infosec #FedRAMP

  2. January 22, 2014 at 5:28 pm

    #NOVABLOGGER: Should User Awareness Training Be Eliminated?

  3. JT
    January 23, 2014 at 2:20 am

    There will always be a vector, IMO. My parents didn’t even realize that they not only had remote functions on their answering machine BUT THAT IT WAS SET TO THE DEFAULT PASSWORD. They had been getting strange activity: unexplained deleted messages, lost business, people having information they could not have guessed otherwise. A basic user cannot be a security expert, unfortunately.

  4. January 23, 2014 at 2:30 am

    Should User Awareness Training Be Eliminated?

  5. January 23, 2014 at 7:58 am

    JT: Agreed … but the more of the basics they know, the better off we will be.

  6. January 23, 2014 at 11:01 am

    Should User Awareness Training Be Eliminated? Find out more here #infosec

  7. January 23, 2014 at 4:04 pm

    Should User Awareness Training Be Eliminated? Find out more here #infosec

  8. JT
    January 24, 2014 at 12:03 am

    Ya. Guess you gotta try at least.

  9. January 24, 2014 at 10:00 am

    The problem with these so-called IT “studies” is that the sample size is still incredibly small. In order to eliminate error, you’d need tens of thousands to begin to validate it. Since the study is behind a paywall, I haven’t analyzed the methodology, but the main problem I have with all of them is that they don’t ask the right question. Is the problem that training is ineffective, or that BAD training is ineffective? Training works in plenty of other areas, but we don’t actually do security training very well at all. It’s as if we’re trying to bore our users to death.
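As an added example (not part of the original post, of any commenter's words, or of the Vanderbilt study), the following Python works through the two numbers a defender needs before trusting a phishing-simulation result: the per-group sample size required to detect a given drop in click rate between a trained group and an untrained control group, and the significance of a difference actually observed. It uses the standard normal approximation for a two-proportion z-test; every click rate and count in it is constructed for illustration.

```python
"""Sample-size and significance check for a phishing-simulation comparison.

Added example, not code from the original post or the study it discusses.
It assumes a defender runs one simulated phishing round against a trained
group and an untrained control group and records how many in each clicked.
All rates and counts below are constructed for illustration.
"""
import math
from statistics import NormalDist

_N = NormalDist()  # standard normal: quantiles for alpha/power, tail areas for p-values


def required_sample_size(p_control, p_trained, alpha=0.05, power=0.80):
    """Participants needed *per group* to detect a drop from p_control to
    p_trained with a two-sided two-proportion z-test at the given alpha and power."""
    if not (0 < p_control < 1 and 0 < p_trained < 1) or p_control == p_trained:
        raise ValueError("click rates must lie in (0, 1) and differ")
    z_alpha = _N.inv_cdf(1 - alpha / 2)   # two-sided critical value
    z_beta = _N.inv_cdf(power)            # quantile for the desired power
    p_bar = (p_control + p_trained) / 2   # average rate under H0
    numerator = (z_alpha * math.sqrt(2 * p_bar * (1 - p_bar))
                 + z_beta * math.sqrt(p_control * (1 - p_control)
                                      + p_trained * (1 - p_trained))) ** 2
    return math.ceil(numerator / (p_control - p_trained) ** 2)


def two_proportion_ztest(clicks_control, n_control, clicks_trained, n_trained):
    """Return (z, two-sided p-value) for H0: both groups click at the same rate."""
    p1 = clicks_control / n_control
    p2 = clicks_trained / n_trained
    pooled = (clicks_control + clicks_trained) / (n_control + n_trained)
    se = math.sqrt(pooled * (1 - pooled) * (1 / n_control + 1 / n_trained))
    if se == 0:  # nobody (or everybody) clicked in both groups: no evidence either way
        return 0.0, 1.0
    z = (p1 - p2) / se
    p_value = 2 * (1 - _N.cdf(abs(z)))
    return z, p_value


def evaluate_campaign(clicks_control, n_control, clicks_trained, n_trained, alpha=0.05):
    """Summarise one simulation round: observed rates, whether the gap is
    significant, and the per-group size that would be needed to detect a gap
    of the observed size (None when the observed rates are equal)."""
    p1 = clicks_control / n_control
    p2 = clicks_trained / n_trained
    z, p_value = two_proportion_ztest(clicks_control, n_control, clicks_trained, n_trained)
    needed = None
    if 0 < p1 < 1 and 0 < p2 < 1 and p1 != p2:
        needed = required_sample_size(p1, p2, alpha=alpha)
    return {
        "rate_control": p1,
        "rate_trained": p2,
        "z": z,
        "p_value": p_value,
        "significant": p_value < alpha,
        "needed_per_group": needed,
    }


if __name__ == "__main__":
    # Constructed round: 40 of 200 untrained users clicked, 30 of 200 trained users clicked.
    result = evaluate_campaign(40, 200, 30, 200)
    for key, value in result.items():
        print(f"{key:>17}: {value}")
```

With the constructed numbers the 20% versus 15% gap is not significant at the 5% level (p is roughly 0.19), and roughly 900 participants per group would be needed to detect a gap of that size reliably, which is the kind of check to apply to any "training works" or "training fails" headline before acting on it.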

  10. January 24, 2014 at 10:18 am

    This is a much more interesting study on user behavioral responses to phishing:
    “Pilot study of cyber security and privacy related behavior and personality traits”

  11. January 24, 2014 at 2:04 pm

    Should User Awareness Training Be Eliminated? Find out more here #infosec

  12. JT
    January 27, 2014 at 1:02 am

    Neat, Michele. I don’t have JSTOR access any more, so any research online and free is well appreciated 🙂

  13. January 27, 2014 at 9:32 pm

    Michele: Excellent resources there. Nice to have some counter-evidence.
