Why Training Doesn't Mitigate Phishing

Study Finds Embedded Training Is Ineffective

By , January 7, 2014.
Eric Johnson


Training that's designed to help workers avoid clicking on links in spear-phishing e-mails may be ineffective because employees often fail to read the training materials, says Eric Johnson, a Vanderbilt University professor and co-author of a new study on the subject.

And workers' failure to understand the consequences of spear phishing has a financial impact. A Cisco analysis shows how a single spear-phishing campaign can generate as much as $150,000 in profits, vs. $14,000 for a mass phishing attack.

"My old friend [chief security officer] John Stewart at Cisco says all links want to be clicked," Johnson, dean of the Owen Graduate School of Management at Vanderbilt, says in an interview with Information Security Media Group. "There's just something in there, even for the most astute security folks. When you get a link that looks like it's real, looks like it came from a friend, has a compelling message, it's very hard to pull the finger back from the mouse."

As a result, even embedded training may not be working as intended, Johnson says, citing the research. Here's how embedded training works: An employee receives a staged e-mail with a questionable link. When the user clicks on the link, the employee receives instructions - the embedded training - that explain what the employee did wrong by clicking on the link and how the user should respond. This immediate feedback has been found in many areas to increase learning and retention of user training.

Johnson says using technologies for "ensuring they never receive the e-mail to begin with, warning them appropriately in the e-mail or by catching them as they click and preventing that connection from occurring" could be more effective than training. But baseline studies are needed first to determine how well existing embedded training works.

The new study, "Going Spear Phishing: Exploring Embedded Training and Awareness," which Johnson co-authored with Deanna Caputo and Jesse Freeman of MITRE and Shari Lawrence Pfleeger of the Institute for Information Infrastructure Protection and Dartmouth College, reveals that users were not actually receiving the training because they didn't keep the training page open long enough to read and learn from it. In the study, the authors describe their post-phishing interview results and present hypotheses about why users did not read the material and what this means for future studies of embedded training.
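The measurement that the study's finding calls for, as an added example (not code from the study, the article or ISMG): given constructed click-tracking events from a simulated campaign like the one described above, work out how long each clicker kept the training page open and report how many of them the training actually reached. The event names, the 30-second "read" threshold and the sample events are assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample events from a simulated spear-phishing exercise (not real data).
# Each tuple is (user, event, unix_seconds); the event names are assumptions.
EVENTS = [
    ("alice", "sent", 1000), ("alice", "clicked", 1090),
    ("alice", "training_open", 1091), ("alice", "training_close", 1094),
    ("bob", "sent", 1000), ("bob", "clicked", 1300),
    ("bob", "training_open", 1301), ("bob", "training_close", 1380),
    ("carol", "sent", 1000),
    ("dave", "sent", 1000), ("dave", "clicked", 1500),
    ("dave", "training_open", 1501),  # opened but never closed: no dwell time recorded
]

MIN_READ_SECONDS = 30  # assumed threshold for "kept the page open long enough to read it"


def analyze(events, min_read_seconds=MIN_READ_SECONDS):
    """Classify each user as 'no_click', 'clicked_trained' or 'clicked_untrained'.

    One event of each kind per user is assumed; a later duplicate overwrites an earlier one.
    """
    per_user = defaultdict(dict)
    for user, event, ts in events:
        per_user[user][event] = ts
    outcome = {}
    for user, ev in per_user.items():
        if "clicked" not in ev:
            outcome[user] = "no_click"
            continue
        opened, closed = ev.get("training_open"), ev.get("training_close")
        # A page that was never closed (or never opened) counts as not read.
        dwell = (closed - opened) if opened is not None and closed is not None else 0
        outcome[user] = "clicked_trained" if dwell >= min_read_seconds else "clicked_untrained"
    return outcome


def summarize(outcome):
    """Campaign metrics: click rate, and the share of clickers the training actually reached."""
    total = len(outcome)
    clickers = [u for u, o in outcome.items() if o != "no_click"]
    trained = [u for u in clickers if outcome[u] == "clicked_trained"]
    return {
        "click_rate": len(clickers) / total if total else 0.0,
        "trained_share_of_clickers": len(trained) / len(clickers) if clickers else 0.0,
    }


if __name__ == "__main__":
    result = analyze(EVENTS)
    print(result)
    print(summarize(result))
```

A click rate on its own overstates what the exercise taught; the second metric is the baseline the study says is missing.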

Future studies will investigate why the training was not read, and how to provide more effective feedback about the dangers of spear-phishing.

In the interview, Johnson:

  • Defines embedded training and discusses how widespread it is;
  • Explains why embedded training isn't always effective; and
  • Discusses possible solutions to get employees to not click on links in spear-phishing e-mails.

Before joining the Vanderbilt faculty last summer, Johnson served as associate dean for the MBA program and faculty director of the Glassmeyer/McNamee Center for Digital Strategies at Dartmouth College's Tuck School of Business. His teaching and research focus on the impact of IT on the extended enterprise. Through federal grants, Johnson studies how IT improves process execution, but also how security failures create friction throughout the extended enterprise. He also focuses on the role of IT in improving healthcare quality and reducing cost. He has authored patents on interface design and has testified before Congress on information security.


An earlier version of this story did not emphasize the point that failure of employees to read training material played a significant role in explaining why spear-phishing awareness programs don't always succeed.

Follow Eric Chabrow on Twitter: @GovInfoSecurity
