Study concludes cybersecurity training doesn't work:
It was a big sample group. The researchers examined nearly 20,000 employees at UC San Diego Health. People who got cybersecurity training were compared to those who got none.
Some people with training were slightly less likely to click on a phishing lure than the untrained. But some trained people were more likely to click.
"And we found that there was no relation to time and your cybersecurity annual training. And so that means even if you had just recently taken it, you are just as likely to click as someone who had taken it 8, 10, 12 months ago," said Ariana Mirian, one of the co-authors of the study done at UC San Diego.
Phishing is done to gain access to your online information including passwords, banking information or medical records.
The study found some phishing lures worked better than others. For instance, a fake message that claimed to be from Human Resources asked you to click on an update to your company's dress code policy. Lots of people fell for that one.
Even more people fell for a fake message asking recipients to click on an update to their company's vacation policy.
The UCSD study kept track of cumulative lure clicks over several months, and it suggested that even if you don't click on the first one you get, pretty soon one of them is likely to get you.
"So what this is showing is that each month, a new set of users is failing," Mirian said as she pointed to a graph in the study. "So you can imagine if this goes on forever, eventually most people will fail at least one phishing lure."
Mirian works for the cybersecurity company Censys, and she was completing her Ph.D. at UCSD when she co-authored the study, which was presented at the Black Hat USA convention in Las Vegas this year.
She said given how ineffective cybersecurity training is, it might be better to build more effective security into workplace computer systems.
"Should we as a security community be putting all the time and energy and money into other defenses like multifactor authentication or maybe email spam detection? Things that remove the responsibility from the end user and put it on the system itself," she said.
Because that training just doesn't seem to stick to people.
(Score: 5, Insightful) by canopic jug on Saturday November 08, @06:03AM (5 children)
This is just more victim blaming. If people are given software and told that the purpose of said software is to click on links then don't blame them for actually clicking on the links. Instead blame the manufacturers of said software for selling something which is clearly not fit-for-purpose. If your software is not designed to execute random input as if it were code, then worms and viruses would not be an issue. They'd just be random data.
No, the fault here does not lie with those doing the clicking. The fault lies with the software. And, truthfully, if managers have not learned over 40 years of history that m$ products are not fit-for-purpose, then the fault really lies with them for signing off on and deploying such crap in the first place.
Money is not free speech. Elections should not be auctions.
(Score: 4, Touché) by Ingar on Saturday November 08, @10:15AM (1 child)
"Programming today is a race between software engineers striving to build bigger and better idiot-proof programs,
and the Universe trying to produce bigger and better idiots. So far, the Universe is winning."
Love is a three-edged sword: heart, soul, and reality.
(Score: 3, Touché) by pe1rxq on Saturday November 08, @01:58PM
It also doesn't help that the universe succeeded in infiltrating the software engineers. There are quite a few idiots among us.
(Score: 2, Touché) by c0lo on Saturday November 08, @11:45AM
If your freeway is not designed to carry traffic at high speed for random cars, then bank robbers using escape cars would not be an issue.
https://www.youtube.com/@ProfSteveKeen https://soylentnews.org/~MichaelDavidCrawford
(Score: 0) by Anonymous Coward on Saturday November 08, @08:57PM
(Score: 3, Interesting) by corey on Sunday November 09, @02:23AM
100%.
On the train the other day I was berating the autoplay feature of Windows for CDs and USB drives. That feature is responsible for so much virusware, well it was a while back. The point is, the software is insecure by default.
> She said given how ineffective cybersecurity training is, it might be better to build more effective security into workplace computer systems.
Great, more Crowdstrike and Avast bloatware and insecurity, incoming.
(Score: 0) by Anonymous Coward on Saturday November 08, @11:50AM (3 children)
Like in "Cybersecurity Training Concludes Study Doesn't Work Either". Which is not surprising at all, if one studies, the one doesn't work.
(Score: 5, Interesting) by canopic jug on Saturday November 08, @01:51PM
In practice, it's not possible to teach cybersecurity any more. Companies have captured the schools, eliminated their IT departments, and thus removed the ability to cover key activities related to not just cybersecurity but teaching in general. Dr. Andy Farnell did a lengthy analysis of the problem of the reasons behind why we can't teach cybersecurity any more:
Money is not free speech. Elections should not be auctions.
(Score: 2) by driverless on Sunday November 09, @08:12AM (1 child)
Is it just me or is that study pretty much bogus? I didn't read the entire 18 pages but from a quick scan they didn't check whether anyone was phished, merely whether they clicked on a link. I'm pretty sure I can come up with something that 100% of my co-workers will click on, but I'm also pretty sure that 0% will enter their credit card details once they get there.
(Score: 0) by Anonymous Coward on Wednesday November 12, @03:32PM
I have had to carefully, slowly and clearly explain to my father that Microsoft does not provide support, does not post their phone number on web sites, and most certainly does not care about his PC. At all. Ever.
If in doubt, open Microsoft.com and try to contact them for PC support.
My father was blocked downloading one of the remote admin tools because the web browser blocks .exe files by default. Smart move. They should block remote admin tool downloads by default unless specifically enabled until this nonsense goes away.
This is only getting worse. Yes, people are stupid, even highly educated people like my father, when it comes to being tricked like this.
How did we even get here :( this is our future. It is meant to be great. The golden age of information. Humanity sucks.
(Score: 5, Insightful) by turgid on Saturday November 08, @01:30PM (2 children)
In the corporate world, the email clients they give you (MS Lookout/Outbreak) are rubbish. They go out of their way to make it difficult to see the real sender of an email and all sorts of other usability nonsense. People pay money for this. I know they use C++ at Microsoft. This should be a trivial problem to solve.
I refuse to engage in a battle of wits with an unarmed opponent [wikipedia.org].
(Score: 4, Insightful) by looorg on Saturday November 08, @01:46PM (1 child)
Yes. This is a big problem. Modern day software hides a lot of things from the user. That they don't think they need to know. Or are just "information overflow" of some kind. Such as not showing complete email addresses; instead they just show the title or name of the sender, which can be altered easily. So they kind of have themselves to blame here. But why are they even disseminating organizational information in this way? Why do they allow outside emails at all? Since they knew from the start that training was crap. Why not just go in and fix the emails. Just sanitize them on principle. No outside emails. No links. No documents. IF you need them you have to call IT and have them "clear" you for that.
(Score: 1, Interesting) by Anonymous Coward on Wednesday November 12, @03:35PM
funny funny for you..
my last name is the same as one of our Big Bosses
so guess what happens with that 'email condensed to a tab' thing?
right. I keep getting sensitive and confidential emails intended for the Big Boss
People don't even realise. The names are close enough that it looks right.
I have deleted so many of these emails. So so many. I don't even bother replying anymore. Delete. Delete. Delete.
This used to happen every so often but ever since this 'minimise the details' trickery in Outlook came in it has just gotten worse.
(Score: 3, Interesting) by looorg on Saturday November 08, @01:42PM (3 children)
Overall it puts all the employees in a dilemma. Ignore link, if that is correct you'll have HR up your rectum for some clothing violation, a complaint, your parking permit was revoked or your vacation days for the next decade are now assigned at random. Click link. Which may or may not be a scam. So guaranteed to be bad vs might be bad. Better click link. Cause HR notes are always bad and everyone hates HR Karen.
That said I consider them all to be scams on principle. I have never received a clothing code update email. They provide the uniform. If they wanted to update the dress code just put a note on the wall where you pick up your uniform for the day, it's a hospital so I assume it's the same here as there. You just pick them out of a large wardrobe every day at the start of your shift. When finished I just toss them in the laundry bag. I'm not responsible for cleaning it. The dress code might be if you are allowed to have knick-knacks, jewelry or whatnot. But that thing has not been updated in eons. It's no perfumes, no jewelry, be clean and tidy.
At the end of the PDF they explain the eight different "scams", yet show none of them. The issue with them being that email programs these days often hide a lot of information about the sender. If it had said the email was from hr@fakehospital.com then it would have been a dead giveaway. That said does staff even need email? Do they need to receive email from outside the organization? No? Then why are you allowing it! So if it just says "HR" then that is a problem. So they are just bad systems. I don't know about working at UC San Diego Health. But do they share a lot of information and documentation over One Drive and such? That seems like an issue if they do. What information that the staff needs is shared over email?
Here they inject text in all emails if the email is from outside the organization. It's a note in all caps at the top and bottom telling you that this is an email from outside the organization. If they could get it to blink and shit they probably would. Don't click anything! I wonder why we even get them. They should just bounce them on principle. It's basically always pointless emails. That you never need to read or respond to.
I would have liked to see data separated by field. Not if they took the training seminar or not. One knew from the start that that would be bullshit. As in are doctors and nurses working ER better or worse than, say, the janitor or Karen over at HR? Some staff have more important tasks to take care of. So high stress departments vs more low stress departments. But it was just got training or not.
If training doesn't work then it's a problem with the training. Not the staff. You have shit training that is nothing but security theater. You might think they take this really seriously. They don't. They just want to get back to their actual job. At best they see this "training" as a few hours rest and there may have been free doughnuts.
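The external-sender banner described in this post, together with the earlier complaint that mail clients show only a display name and hide the real address, can be implemented at the mail gateway. The following is an added example in Python, not code from the article, the study, or any commenter's employer; the organization domain, the department names, the banner text and the two sample messages are all constructed for the example. It puts the full sender address into the banner so that a client which hides the address still exposes it, and it flags a display name that imitates an internal department.

```python
"""Gateway-style tagging of mail from outside the organization.

Added example, not code from the article, the study or any commenter's
employer.  The domains, role names, banner text and sample messages below
are all constructed for this example.
"""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import Optional

# Constructed: domains this organization owns; everything else is external.
INTERNAL_DOMAINS = {"fakehospital.example"}

# Constructed: display names a sender might borrow to look like an internal department.
INTERNAL_ROLE_NAMES = {"human resources", "hr", "it support", "help desk", "payroll"}

BANNER = "*** EXTERNAL EMAIL: this message came from outside the organization ***"


def sender_address(msg: EmailMessage) -> tuple[str, str]:
    """Split the From header into (display name, address), lower-casing the address."""
    name, addr = parseaddr(str(msg.get("From", "")))
    return name, addr.lower()


def is_external(addr: str) -> bool:
    """True unless the address domain is one we own; a malformed address counts as external."""
    if "@" not in addr:
        return True
    return addr.rsplit("@", 1)[1] not in INTERNAL_DOMAINS


def display_name_warning(name: str, addr: str) -> Optional[str]:
    """Return why the display name of an external message deserves suspicion, or None."""
    lowered = name.strip().lower()
    if "@" in lowered and lowered != addr:
        return "display name contains an address that differs from the real sender"
    if lowered in INTERNAL_ROLE_NAMES:
        return f"display name '{name}' imitates an internal department"
    return None


def tag_external(raw: bytes) -> EmailMessage:
    """Parse a raw message; if the sender is external, add a header and a visible banner.

    The banner repeats the real address so that a client which shows only the
    display name still exposes it.  Only the text/plain body is rewritten here;
    a production gateway would rewrite the HTML alternative as well.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    name, addr = sender_address(msg)
    if not is_external(addr):
        return msg
    msg["X-External-Sender"] = "yes"
    lines = [BANNER, f"Sender: {name} <{addr}>"]
    warning = display_name_warning(name, addr)
    if warning:
        lines.append(f"Warning: {warning}")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        text = body.get_content()
        body.clear_content()  # drop the old Content-* headers so set_content can replace them
        body.set_content("\n".join(lines) + "\n\n" + text.rstrip("\n") + "\n\n" + BANNER + "\n")
    return msg


# Constructed sample: an outside sender whose display name imitates HR.
EXTERNAL_RAW = b"""From: Human Resources <hr@hr-notice.example>
To: staff@fakehospital.example
Subject: Updated dress code policy
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Please review the updated policy at the link below.
"""

# Constructed sample: a genuine internal message that must pass through untouched.
INTERNAL_RAW = b"""From: IT Help Desk <helpdesk@fakehospital.example>
To: staff@fakehospital.example
Subject: Planned maintenance
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Mail will be unavailable Sunday 02:00-04:00.
"""

if __name__ == "__main__":
    for raw in (EXTERNAL_RAW, INTERNAL_RAW):
        tagged = tag_external(raw)
        print(f"--- {tagged['Subject']} (external: {tagged['X-External-Sender'] or 'no'}) ---")
        print(tagged.get_content())
```

The `X-External-Sender` header is what a client-side rule or a later filter can key on, while the banner is for the human reader; the display-name check is deliberately a simple list lookup, since the point is to surface the mismatch the client hides, not to decide on its own what is phishing.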
(Score: 2) by PiMuNu on Saturday November 08, @03:35PM
Agree.
I get loads of random crap from HR/people who should know better with links to wanksurvey,com or clickbait.com which I am supposed to follow. The worst culprit is our cr*ppy new Oracle corporate finance package, bought for a gazillion dollars. Larry Ellison laughing all the way to the bank.
(Score: 0) by Anonymous Coward on Saturday November 08, @04:33PM
One way to avoid HR -- work for a small company that doesn't have an HR department. Yes, it probably pays less, and the fringe benefits might not be as good. But working with a small group can be really rewarding.
(Score: 2) by sgleysti on Saturday November 08, @08:27PM
All the test phishing emails where I work have data in the email headers indicating that they're test phishing emails. It takes a bit of work to open the dialog that displays the headers and some scrolling and skimming, but I can usually find out for sure in a minute or two.
Sometimes emails from the higherups really do look like phishing, lol, so I check...
(Score: 4, Insightful) by Gaaark on Saturday November 08, @04:38PM (4 children)
I've had this 'training'.
If you click the wrong link, you get a message saying "WHOA, you are an idiot!" (basically)
If you don't click the link your boss legitimately sent you because you were 'suspicious', you don't make your boss happy... and you want your boss happy. So you click.
This makes EVERYONE an idiot.
It needs to be made that clicking the link doesn't send your operating system into a colonoscopy.
--- Please remind me if I haven't been civil to you: I'm channeling MDC. I have always been here. ---Gaaark 2.0 --
(Score: 2) by sgleysti on Saturday November 08, @08:25PM
All our test phishing emails at work have data in the email header indicating that they're phishing emails sent by the third party company that does cybersecurity training.
Some emails sent by upper management really look like phishing attempts, so I check the headers.
(Score: 2, Informative) by Anonymous Coward on Saturday November 08, @09:33PM (2 children)
Worse here, a customer required us to go through security training from a third party site. The link to that site was given in an email link.
And the site had a phishy name: https://www.knowbe4.com/ [knowbe4.com]
AND asked for credentials...
🤣
(Score: 1, Informative) by Anonymous Coward on Sunday November 09, @02:11AM
(Score: 0) by Anonymous Coward on Wednesday November 12, @03:39PM
That's a good one.
Our company switched to a new training provider without making grand announcements, who then sent out introduction emails to ask people to 'sign up', which confused people. Then a whole bunch of phishing emails which looked like they came from that provider came through, leading people to just block or delete all of them, and then the company had to make repeated announcements about how the training provider was legit and can people please stop deleting emails from them. But it's way too late, because most people hate the company due to previous experience and already created auto-delete email rules, and now management send out regular emails trying to tell people to sign up to the company they have probably paid big bucks to, which few people are using.