A recent study of staff at a large hospital system in the U.S.A. revealed an uncomfortable truth: phishing education often fails to change users' clicking behavior.
So should we continue to run such trainings? Let us reflect on it.
Malicious actors use "phishing" techniques to trick individuals into revealing sensitive information such as passwords or financial details, information that can then be used to compromise the target further. The attack is usually accomplished by getting the user to click a link in an email sent to selected individuals or to many at once.
While phishing and similar attacks have become more convincing with the introduction of GenAI, it is surprising to see that, even after training, employees continued to fall for phishing attempts at rates similar to those before the training.
One can argue that a single study is anecdotal, and it may be. The results could also indicate that the issue at hand is not just one of knowledge but also of culture and context. Human behavior is shaped by habits and norms at the workplace, and stress heavily influences your workday and, in the long run, which links you click.
To truly reduce risk, organizations must foster a culture of attentiveness, safety, and shared responsibility. Training must be continuous, contextual, and supported by leadership, and it cannot be the only control that stands between a convincing email and a compromised account. Security isn't just a technical challenge; it's a human one. Until we treat it that way, phishing and similar activities will remain a persistent threat for many organizations.
Read the full article here: UCSD Health.