A recent study led by Assistant Professor Grant Ho from the Department of Computer Science sheds new light on the effectiveness of common cybersecurity training methods. Conducted in collaboration with UC San Diego Health, the research scrutinizes how well these training sessions prepare employees to defend against phishing attacks in real-world scenarios.

Phishing attacks, where cybercriminals imitate legitimate entities to steal sensitive information, have become increasingly prevalent and costly, resulting in billions of dollars in losses annually. Organizations often employ annual cybersecurity training programs to equip their employees against such threats, but Ho’s study suggests these methods may need significant improvement.

The study tracked user interactions at UC San Diego Health over eight months, focusing on employees’ susceptibility to phishing attacks. The findings were striking: there was no significant correlation between how recently employees had completed their annual cybersecurity training and their ability to avoid phishing traps. Employees who had just undergone training performed no better in simulated phishing attacks than those who had not received training for over a year.

Grant Ho, the University of Chicago

“Employees at almost every organization are often required to do some form of annual cybersecurity training as a result of insurance or regulatory requirements,” said Ho. “Our study suggests that these requirements are probably not providing good value in their current form.”

The ineffectiveness of traditional cybersecurity training indicates that organizations should look into investing in other defenses, such as multifactor authentication, to better protect themselves against phishing threats. While traditional training may raise awareness, it alone is not sufficient to safeguard sensitive information against evolving cyber threats.

Beyond annual training, the study also evaluated embedded phishing training—exercises where employees receive immediate educational content after clicking on a phishing link. While users in the training groups showed a slight improvement over control groups, the overall protective effect was modest. Many employees spent less than a minute on the training page, with a significant portion exiting immediately, highlighting a lack of engagement.

“Research in usable security and privacy has long suggested that users, like company employees, view security as a secondary goal,” explained Ho. “So it’s not too surprising that employees immediately try to exit or bypass training. These results mean that it will be hard for these common forms of training to meaningfully teach users protective behaviors, without a major rethinking and redesign of the training.”

The research further revealed that interactive training methods yielded better outcomes than static, informational approaches. Employees who completed interactive training sessions were less likely to fall for phishing scams in subsequent tests. Although these results show that more engaging and dynamic training can be more effective at enhancing employees’ cybersecurity awareness, the improvements produced by this training still fall short given how effective modern phishing attacks are.

Ho’s study underscores a broader and more critical need for scientific research that rigorously and independently examines the value and efficacy of common security practices. Many of these practices, such as annual training, are often mandated by insurance or regulation but lack substantial public scientific evidence supporting their effectiveness.

“Overall, our study suggests that businesses need to invest in a comprehensive approach to protecting against phishing attacks, with defenses like multifactor authentication and automated phishing detection.”

Consider real-world scenarios, such as the massive data breaches at companies like Target and Equifax, where millions of users’ information was compromised. Ho’s findings emphasize that relying on outdated training methods is akin to leaving organizational defenses vulnerable, and that organizations need to rethink their reliance on traditional security practices that lack substantial scientific backing. Cases like the Target and Equifax breaches serve as reminders that unvalidated security measures may leave organizations exposed to significant risks.

The findings from this research underscore the need for organizations to adopt more interactive and engaging training methods to enhance their cybersecurity defenses. As phishing attacks become increasingly sophisticated, insights from Ho’s study are especially timely for developing stronger protection strategies. With phishing threats evolving, effective training methods and rigorous evaluations of security practices are crucial for safeguarding sensitive information and maintaining trust in digital systems.

In addition to improved training, organizations should invest in other defenses, such as multifactor authentication, to better protect themselves. More broadly, there is an urgent need for scientific research that independently and rigorously examines the value and efficacy of standard security practices. Many of these practices, particularly those mandated by insurance or regulation, often lack substantial public, scientific evidence supporting their effectiveness.

Ho emphasizes that the key takeaway from the study is the critical need for further scientific inquiry to validate these security measures. This need is an active line of research for Ho’s group, exploring and providing solid evidence for the efficacy of various cybersecurity practices. By grounding these practices in solid evidence, organizations can more effectively defend against evolving threats.
