Phishing Training Effectiveness: Analyzing Employee Concerns

Chris H. · 2025-08-18T13:38:27.803Z

This news was dropped by one of our employees a few hours ago in our intranet, potentially creating quite some rumble/controversies: https://www-heise-de.translate.goog/news/Verbesserung-von-nur-1-7-Prozent-Phishing-Trainin[…]ml?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=de&_x_tr_pto=wapp (https://www-heise-de.translate.goog/news/Verbesserung-von-nur-1-7-Prozent-Phishing-Training-fast-immer-wirkungslos-10539174.html?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=de&_x_tr_pto=wapp) (original without translation: https://www.heise.de/news/Verbesserung-von-nur-1-7-Prozent-Phishing-Training-fast-immer-wirkungslos-10539174.html) I wonder what your thoughts are on this: • on the study itself, • on what to answer regular employees thinking this now is the one and only truth • and on the question not being answered by the study: "So, what else should be done to effectively protect companies from phishing?"

7 comments

· Sorted by Oldest

Thomas O.
·
·
Fascinating study and, I think, broadly correct for the majority of cases. We could debate specific %s, but I don't think we'd reach 50%
Thomas O.
·
·
Hmm, I've read it again in more detail. Yes of course, if your training completion rates are low, the training is going to deliver low value. That's a given. Techniques to raise that completion rate is an interesting conversation though
Thomas O.
·
·
I do think the study misses a core point. I think of basic security training and phishing simulations alone (with required good completion rates) as part of the minimum bar for regulatory compliance and to secure our cybersec insurance coverage. That alone is vital to an organisation's security posture.
💯1
Thomas O.
·
·
To be reliably secure against medium complexity attacks I'd argue that training and sims form a valuable part of defence in depth. If you can tune those low(er) cost services to deliver a, say, 30% benefit in reducing vulnerability to more targeted attacks like those targeting internal changes or vacation allowance (which suggest) a level of bespoke targeting, you're already delivering a very meaningful risk reduction for the business. Beyond that, it's careful access control design, containment and resilience, reduction in blast radius though tight permissioning, auditability of actions, etc, right?
Thomas O.
·
·
This is with my SoSafe cap off. Until recently I was myself very dismissive of security awareness training and thought of it as a compliance checkbox only, but in hindsight I was leaving available risk reduction on the table. Some training and sims are better than others, programmes can be rolled out and sustained differently to different effects. We're not going to revolutionise the behaviour of our peers with training and sims alone, but I definitely think they're still worth it.
👍1
Thomas O.
·
·
Fun fact from my deep past - I once ran a security culture programme for an organisation of about 6000 employees. I just about managed to double the average success rate for resilience against targeted phishing with a small but sustained effort over a year. The company subsequently got compromised regardless, but I'm confident that the improvement in secure behaviours saved us from other attacks, and after the compromise we got to enact some sweeping access control changes against risks we'd previously raised. 😉
💯1
Chris H.
·
·
Thanks for your thoughts and several good points Thomas which I'd largely agree with. Doing nothing is not an option right, so that's why I double your last statement (how huge would the attack surface/actual number of successful attacks be without any proper training measures? Hopefully most will never find out.). In my opinion the study really can and should be a starting point for further future research worth monitoring them, hopefully giving a few answers to the "Well, if this is true - so what else to do?" question.
💯2

Thomas O.
·
·
Fascinating study and, I think, broadly correct for the majority of cases. We could debate specific %s, but I don't think we'd reach 50%
Thomas O.
·
·
Hmm, I've read it again in more detail. Yes of course, if your training completion rates are low, the training is going to deliver low value. That's a given. Techniques to raise that completion rate is an interesting conversation though
Thomas O.
·
·
I do think the study misses a core point. I think of basic security training and phishing simulations alone (with required good completion rates) as part of the minimum bar for regulatory compliance and to secure our cybersec insurance coverage. That alone is vital to an organisation's security posture.
💯1
Thomas O.
·
·
To be reliably secure against medium complexity attacks I'd argue that training and sims form a valuable part of defence in depth. If you can tune those low(er) cost services to deliver a, say, 30% benefit in reducing vulnerability to more targeted attacks like those targeting internal changes or vacation allowance (which suggest) a level of bespoke targeting, you're already delivering a very meaningful risk reduction for the business. Beyond that, it's careful access control design, containment and resilience, reduction in blast radius though tight permissioning, auditability of actions, etc, right?
Thomas O.
·
·
This is with my SoSafe cap off. Until recently I was myself very dismissive of security awareness training and thought of it as a compliance checkbox only, but in hindsight I was leaving available risk reduction on the table. Some training and sims are better than others, programmes can be rolled out and sustained differently to different effects. We're not going to revolutionise the behaviour of our peers with training and sims alone, but I definitely think they're still worth it.
👍1
Thomas O.
·
·
Fun fact from my deep past - I once ran a security culture programme for an organisation of about 6000 employees. I just about managed to double the average success rate for resilience against targeted phishing with a small but sustained effort over a year. The company subsequently got compromised regardless, but I'm confident that the improvement in secure behaviours saved us from other attacks, and after the compromise we got to enact some sweeping access control changes against risks we'd previously raised. 😉
💯1
Chris H.
·
·
Thanks for your thoughts and several good points Thomas which I'd largely agree with. Doing nothing is not an option right, so that's why I double your last statement (how huge would the attack surface/actual number of successful attacks be without any proper training measures? Hopefully most will never find out.). In my opinion the study really can and should be a starting point for further future research worth monitoring them, hopefully giving a few answers to the "Well, if this is true - so what else to do?" question.
💯2