The U.S. Postal Service received some frustrating news in early October from the Office of the Inspector General on the effectiveness of its security awareness training program.
An internal USPS phishing simulation campaign found that more than 25 percent of the 3,125 employees who were tested clicked on a phony link. What’s more, 93 percent of the baited employees didn’t report the incident to the USPS Computer Incident Response Team, according to the report.
The testing came less than a year after a USPS data breach that compromised the personal information of 800,000 employees, as well as some customers who contacted the government. The November 2014 cyber intrusion appeared to be caused by a phishing email attack, according to the report. USPS already had annual security awareness training available to all employees with network access.
Such discouraging results beg the question: How much security awareness training is enough before employees actually get it?
Malcolm Gladwell contended that 10,000 hours was the magic number for achieving mastery of a skill in his book “Outliers,” but who has that kind of time?
Sports psychologists suggest that motor memory for a new skill can be achieved with about 15 repetitions, but detecting sophisticated and often subtle phishing scams is much more complicated than memorizing plays.
“With motor memory skills, perfect practice makes perfect, and every repetition improves things, but when it comes to changing behavior, such as trying to keep people from being snookered by phishing scams, it’s a whole different kettle of fish,” says Dr. Gregg Martin, a cognitive-behavioral practitioner and a board certified neuropsychologist in Canton, Ohio. “If you tell a professional something more than two or three times, they tend to tune you out.”
The answer to how much repetition is needed before employees can consistently identify phishing scams and other online threats lies somewhere between once a year and constant reinforcement to the point of paranoia, according to researchers and security professionals.
A starting point
“I wish the answer was ‘five times,’” says Tom Pendergast, chief strategist for security, privacy and compliance at MediaPro, which provides security awareness training. “But in reality, it’s more about repeating training and phishing simulations until you’ve raised the general level of awareness, and sometimes even paranoia, to where people are really, really looking out for these [scams].”
For starters, once-a-year security awareness training is probably not enough, psychologists say. Humans tend to halve their memory of newly learned knowledge in a matter of days or weeks unless they consciously review the learned material.
Carnegie Mellon University’s CyLab studied 500 people who were sent fake phishing emails one month apart. Those who clicked on the first email scam were immediately identified and given training on what to look out for in the future. One month later, the number of people who fell for the simulated phishing email dropped by 50%. Over three months, the failure rate was cut in half each time the test was given. The study, conducted in 2009, did not look at retention beyond three months.
CyLab professor Jason Hong, an author of the study, believes the research findings still hold true today. “The only thing that’s really new is that there are a lot more communication channels [besides email.] Now people try phishing attacks on Facebook or Twitter, but the general theme is still essentially the same. We haven’t seen any major new innovations in phishing attacks, other than the attacker may have more information about you.”
While phishing simulation does provide that “Aha!” moment for many employees, it doesn’t solve all their security awareness issues, says Joe Ferrara, president and CEO of Wombat Security Technologies. “You have to follow that up with in-depth education.”
Pendergast recommends starting off by providing security education on a quarterly basis. Once you determine how many repeat offenders are out there, then “tailor your phishing exercises to your audience,” Pendergast says. For instance, if the sales team is shown to be more susceptible to phishing lures, then send phishing simulations and reminders on a monthly basis.
He also recommends a quarterly refresh on other security awareness methods. “Maybe you’ve got a fun video about phishing that you put out in the first quarter. Then maybe do something on incident reporting in the second quarter. We know that reporting a phishing incident is just as important as not replying to them, so IT can identify where the threat is coming from and go after it,” he adds.
Employees learn faster with ‘conditions’
Famous American psychologist B.F. Skinner taught mice how to push a lever in a single try – when the lever dispensed food. He called it a “conditional relationship.” Companies use that same psychology today to reward employees who detect and report phishing scams, or sometimes even to penalize them for phishing blunders.
One company that is looking to drive down phishing incidents to below 1% has gone as far as to tie phishing failures into its compensation system, Ferrara says, referring to a customer. “When people do fall for the simulated attacks, they are actually looking at it as part of the methodology in their bonus formula,” he says.
Rewards (even small ones) are more common for employees who can detect real phishing scams. At safety science company UL LLC, when employees detect and report a phishing scam the security team gives them validation by sending them a thank-you note and copying their supervisors, the head of the business unit and occasionally the CEO. “That goes a long way,” says Steve Wenc, senior vice president and chief risk officer.
Insurance provider XL Group created several videos around protecting company information, including from phishing scams, and issued a challenge to employees -- for every view of the video, the company would donate a dollar to Doctors Without Borders, an international medical humanitarian organization that provides aid in nearly 70 countries. The campaign exceeded its goal of 10,000 views, raising $10,000 for the organization.
Human nature is tough to change, and the constant threat of cyber attacks will keep security awareness training on companies’ agendas, but how often to train and test will depend on the desired results, Ferrara says.
“It’s a constant battle,” Ferrara says. “Just like anything else, nothing is 100%, but you’re always trying to reduce your risk.”