The U.S. Postal Service received some frustrating news in early October from the Office of the Inspector General on the effectiveness of its security awareness training program.
An internal USPS phishing simulation campaign found that more than 25 percent of the 3,125 employees who were tested clicked on a phony link. What’s more, 93 percent of the baited employees didn’t report the incident to the USPS Computer Incident Response Team, according to the report.
The testing came less than a year after a USPS data breach that compromised the personal information of 800,000 employees, as well as some customers who contacted the government. The November 2014 cyber intrusion appeared to be caused by a phishing email attack, according to the report. USPS already had annual security awareness training available to all employees with network access.
Such discouraging results beg the question: How much security awareness training is enough before employees actually get it?
Malcolm Gladwell contended that 10,000 hours was the magic number for achieving mastery of a skill in his book “Outliers,” but who has that kind of time?
Sports psychologists suggest that motor memory for a new skill can be achieved with about 15 repetitions, but detecting sophisticated and often subtle phishing scams is much more complicated than memorizing plays.
“With motor memory skills, perfect practice makes perfect, and every repetition improves things, but when it comes to changing behavior, such as trying to keep people from being snookered by phishing scams, it’s a whole different kettle of fish,” says Dr. Gregg Martin, a cognitive-behavioral practitioner and a board certified neuropsychologist in Canton, Ohio. “If you tell a professional something more than two or three times, they tend to tune you out.”
The answer to how much repetition is needed before employees can consistently identify phishing scams and other online threats lies somewhere between once a year and constant reinforcement to the point of paranoia, according to researchers and security professionals.
A starting point
“I wish the answer was ‘five times,’” says Tom Pendergast, chief strategist for security, privacy and compliance at MediaPro, which provides security awareness training. “But in reality, it’s more about repeating training and phishing simulations until you’ve raised the general level of awareness, and sometimes even paranoia, to where people are really, really looking out for these [scams].”
For starters, once-a-year security awareness training is probably not enough, psychologists say. Humans tend to halve their memory of newly learned knowledge in a matter of days or weeks unless they consciously review the learned material.
Carnegie Mellon University’s CyLab studied 500 people who were sent fake phishing emails one month apart. Those who clicked on the first email scam were immediately identified and given training on what to look out for in the future. One month later, the number of people who fell for the simulated phishing email dropped by 50%. Over three months, the failure rate was cut in half each time the test was given. The study, conducted in 2009, did not look at retention beyond three months.