The Definitive Guide to Security Awareness Training in 2023

This is the ultimate guide to security awareness training (updated for 2023).

Yes, we’ll cover some of the important basics.

But we also look at how new tools and research are shaping today’s world-class security awareness training programs.

So, whether you’re looking for ideas on how to create a culture of security awareness, or simply improve the program you already have in place, you’ll love this guide.


Part One

Phishing Simulations

Phishing simulations are fake (and safe) phishing emails that are sent to users in order to test their susceptibility to being phished.

Research shows that in 2023 the average failure rate for organisations of all sizes and industries (including those with no program in place) was 32.4%.

Let’s dive a little deeper into the data.

Types of Phishing Simulations

Broadly speaking, all phishing simulations (regardless of their content) fall into one of three categories:

  1. Link Phishing Simulations
  2. Attachment Phishing Simulations
  3. Data Entry Phishing Simulations

Each category speaks to the goal of the phishing simulation, which gives insight into the unique susceptibility of an individual or the overarching vulnerability of a group.

For instance, the goal of a Link Phishing Simulation is to convince a user to click a link, whereas the goal of a Data Entry Phishing Simulation is to convince a user to click a link and then enter data into a convincing landing page (such as a Microsoft 365 login page).

Failure Rate by Phishing Simulation Type

In 2021, more people fell for Attachment Phishing Simulations than Link or Data Entry Phishing Simulations.

Phishing Template Types: Average Failure Rates

That said, these results must be taken with a grain of salt, because they reflect the average result of millions of phishing simulations sent to hundreds of organisations.

The results of a single organisation (or even individual) may vary greatly – influenced by factors such as industry, geography and even organisational culture.

When thinking about your own security awareness training program, it is important to consider your organisation in isolation from others.

Start by benchmarking all staff with the same phishing simulation template. Then, if you are manually building your own program, be sure to review the results of the group over time to schedule simulations and training that best suit the unique vulnerabilities of your team.

If you are using an automated platform, it should handle this tweaking and adjustment for each individual, according to their own susceptibility traits (such as topic, device, time of day, day of the week and so on).

Failure Rate by Industry

A benchmark report produced in 2022 compared more than 30.1k organisations across numerous industries. Organisations were grouped by size:

  1. Small: 1 to 249 employees.
  2. Medium: 250 to 999 employees.
  3. Large: 1000+ employees.

To begin with, none of these organisations had any security awareness training program in place.

And of all organisations, the highest failure rates were observed in large organisations in the following industries:

  1. Insurance (52.3% failure rate).
  2. Consulting (52.2% failure rate).
  3. Energy and Utilities (50.9% failure rate).
  4. Healthcare and Pharmaceuticals (45% failure rate).
  5. Banking (43.5% failure rate).

Phishing Failure Rate by Industry - Before SAT

After one year, the picture was much different. Average failure dropped significantly across all industries, from an average of 32.4% down to 5%.

Phishing Failure Rate by Industry - After SAT

Results like these show the power and benefit of implementing organisation-wide security awareness training.

They can also help you enrich your reporting by comparing your organisation’s results against those of your peers.

Phishing Susceptibility

Recent research from the University of Waterloo found there are three cognitive traits that moderate one’s susceptibility to phishing:

  1. Risk-taking Propensity: This is our inclination to take risks.
  2. Cognitive (Inhibitory) Control: This is our ability to control impulsive decisions.
  3. Social Cognition: This is the way we process, store and apply information about other people and social situations (source).
  4. Suspicion/Scepticism: This is a general attitude of doubt or questioning (source).

Of the three traits, Cognitive (Inhibitory) Control has the most direct impact on the susceptibility of an individual.

This is why ‘report phishing’ features are so valuable.

When staff are in the habit of reporting suspicious emails, they learn to be more sceptical of the emails they receive. They actively look for signs of phishing before compulsively (or even absentmindedly) clicking links, downloading attachments, or following nefarious directives (such as paying invoices to scammers).

Simulation Realism and Authenticity

Oftentimes, the people responsible for implementing security awareness training programs like the idea of phishing simulation templates that accurately portray emails sent by well-known brands.

It is true that these simulation templates tend to have higher failure rates. In fact, we recently sent a hyper-realistic Spotify simulation to a client. 80% of staff opened the email, and 100% of staff who opened the email clicked the link.

Screenshot of Spotify Phishing Simulation

However, not all simulations need to accurately represent a well-known brand to be authentic and trip up employees.

In fact, research shows that 9 of the top 10 trickiest phishing simulations are simple text-based emails from HR that address company policies (such as changes to dress code, holiday leave, bonuses, social media and code of conduct breaches).

Table: Top 10 Trickiest Phishing Simulations (2022)

With this in mind, ‘realistic simulations’ are not just beautifully branded emails, but any email that a staff member is likely to take seriously and engage with.

So, your phishing simulation library should include emails that look like they come from the big brands (especially gift card offers), but it should also include those ‘company policy’ type emails.

Note: There’s some nuance here. Most people aren’t going to have advanced phishing detection skills, especially in the first 4 to 8 months of your program. So as much as hyper-realistic simulations are important, it’s okay (and ideal) to have simulations that are more obviously fake. This empowers people who aren’t as skilled because they get the psychological benefits of positive reinforcement when they successfully identify a phishing simulation. Sending simulations that match each person’s capability level is easy if you use an AI-driven security awareness training platform.

Business Email Compromise and Spear Phishing

Business Email Compromise (BEC, or “Spear Phishing”) is where an attacker targets a specific person, rather than a group.

In a BEC attack, the scammer impersonates another trusted person or entity (such as a colleague, client, or key supplier), often by sending the target an email from a fake or compromised email address.

Did you know that in 2021, 79% of organisations (globally) experienced BEC attacks? Why? Because they work.

The APWG Phishing Activity Trends Report for Q1 2022 shows that gift card requests made up 63% of all BEC attacks, followed by payroll diversion attempts (16%) and wire transfer schemes (9%). The remaining 12% was made up of miscellaneous methods.

Chart: Business Email Compromise Attacks by Type (Q1 2022)

So how do you give staff the knowledge to identify spear phishing emails before they do harm? By building them into your security awareness training program.

Modern and sophisticated security awareness training platforms offer the ability to upload your company email signature and autonomously send spear phishing simulations from one person to another.

They can even use the department that a person belongs to (such as Finance or HR) to send highly relevant and believable spear phishing emails. For example, a spear phishing email might be sent from an employee in Finance requesting the review of an invoice, or a spear phishing email from an employee in Marketing requesting the approval of a budget.

But protection against spear phishing requires more than having a security awareness program in place.

Internal processes should be established to ensure every request for a transfer of money is verified by more than one person before the transfer is executed. Part of the verification process should happen outside of email, to circumvent mailboxes that have been compromised.

Dynamic Phishing Simulation Difficulty

Until recently, most security awareness training platforms worked by sending the same emails to all staff. While this is useful for benchmarking groups of people, it doesn’t help to drive long term engagement.

This approach disengages people who are proficient at identifying phishing emails, because they see through the tactics and are less likely to see the value in the program.

It also disengages people who are particularly vulnerable, because their experience of the program is one of continuous failure with no positive reinforcement.

To drive engagement, sophisticated security awareness training platforms are now using artificial intelligence and machine learning to:

  1. Continuously assess the susceptibility profile of each person; then
  2. Send phishing simulations (and training) that are uniquely adapted to their strengths and weaknesses.

For example, the program we offer our clients can accurately identify the days of the week, time of the day, device and even the topics that catch each person the most.

Part Two

Training Best Practices

Without training, phishing simulations are just a tool for measuring susceptibility, not eliminating it.

Staff won’t actually learn how to identify phishing emails, and your organisation will remain at risk.

In this chapter, we learn about what makes an effective security awareness training program in 2023.

Teachable Moments

Everyone in your organisation needs to know that they are just as susceptible as anyone else.

In fact, research shows that those who don’t realise this are even more susceptible. A paper from New York University found that people tend to underestimate the likelihood of falling for a phishing attack. This attitude results in overconfidence and increased vulnerability (source).

Quote: New York University on Security Awareness

The question is, how do you show someone that they are at risk too?

Best-in-class security awareness training platforms can not only alert users when they click on a phishing link, but also show them how they could have identified an email as suspicious.

Phishing Simulation Feedback

This approach makes every failed phishing simulation a teachable moment. Not only do users learn how to correct their own mistakes, but they also learn that they are vulnerable. This minimises overconfidence, and helps to drive a phishing-aware culture.

Training Distribution and Coverage

If you’re serious about reducing the risk of phishing and ransomware, then it’s critical that everyone in your organisation is part of your security awareness training program.

2021 survey data that captured responses from more than 4000 working professionals showed that 99% of organisations have some form of security awareness training program, but only 57% of them deliver organisation-wide training programs. What’s more, only 85% of these organisations educate employees who fall for real or simulated attacks.

Security Awareness Training Program Trends 2021

This is problematic, because in 2022 the average failure rate for organisations of all sizes and industries was 32.4%.

Equally, other research from 2021 has shown that successful training programs can drop failure rates from 50% to 16% after 6 months, and 5% after 12 months.

Practically, that means that staff go from clicking on 1 in every 2 phishing simulations to 1 in 20 after only 1 year.

So, what does this tell us?

Staff who aren’t part of your security awareness training program are many times more likely to fall for phishing attempts, and will become soft targets for adversaries.

Training Length and Frequency

Many organisations structure their security awareness training programs around a few focused training sessions each year.

Unfortunately, research shows that this approach is ineffective for knowledge retention and can leave your business wide open to phishing attacks.

That’s because security awareness training should be both concise and continuous.

Hermann Ebbinghaus was a German psychologist who wanted to understand forgetfulness, and how to retain knowledge. Through his research, Ebbinghaus proved a few things (some of which may feel intuitive to you) that had not been scientifically understood, namely:

  1. Memories weaken over time.
  2. Most information is forgotten soon after it is learned.
  3. Meaningful information is memorable.
  4. Presentation of information affects learning.
  5. Emotions affect memory.

This research gave rise to Ebbinghaus’ “Forgetting Curve”, which shows how knowledge is lost over time.

Chart: The Forgetting Curve from Hermann Ebbinghaus

To overcome the Forgetting Curve, security awareness training should be issued in short, repetitive bursts, spaced out over a long period of time.

This learning strategy is referred to as ‘Distributed Practice’ (also discovered by Mr. Ebbinghaus).

Each time the learner reviews the information, their knowledge is ‘refreshed’, and they retain more information than if they never had the opportunity to re-visit the material.

Chart: Distributed Practice

Match Training Content with Learning Preferences

Security awareness training programs should give learners the best opportunity to retain knowledge by presenting different types of training content.

As individuals, we each have our own unique learning preferences. These preferences can be thought of in terms of the four ‘VARK modalities’:

  1. Visual: space, graphs, charts, diagrams, maps and plans.
  2. Aural (hearing): discussions, stories, guest speakers, chat.
  3. Reading/Writing: lists, notes and text in all its formats.
  4. Kinaesthetic (doing): senses, practical exercises, examples, cases, trial and error.

VARK research has surveyed more than 237k people to find that 54% of people say they learn through only one or two of the four modalities.

Table: VARK Learning Preferences

This means that security awareness training programs that offer training content in only one or two modalities are unlikely to provide effective education for everyone.

Interestingly, more people have a preference toward the Kinaesthetic modality than toward any other.

This is another reason why Teachable Moments are so important.

Part Three

Create a Culture of Security Awareness

Sending phishing simulations and giving training is all well and good.

But how do you create a culture where staff are not only less vulnerable, but actively protect your business?

In this chapter, we explore the two essential and interwoven components of driving security awareness culture.

Report Phishing Emails

Any mature security awareness training platform should give users the ability to report emails they think are suspicious.

Broadly speaking, this works by showing a ‘report’ button in the user’s email client (e.g., Microsoft Outlook or Google’s Gmail). More mature security awareness training platforms will also offer the ability to integrate their reporting feature into the standard

When a suspicious email arrives, the user clicks the report button and receives instant feedback.

Report Phishing Emails

If the email is a phishing simulation, the user should be given immediate and positive feedback. This feedback rewards them for successfully identifying a phishing simulation, and reinforces the behaviour of reporting suspicious emails.

If the email is not a phishing simulation, the user should be warned that the email they reported could be harmful and the IT team should be notified to inspect the email.

This feedback loop is critical for engaging staff and fostering a culture of healthy caution and scepticism.

Through this mechanism, staff will use the knowledge they’ve gleaned from your security awareness training program to actively protect your business.

Handling Real Phishing Emails

But how should you handle all those potentially dangerous emails that staff have reported?

When suspicious emails are reported, they should be reviewed by IT professionals with cybersecurity expertise.

Ideally, the security awareness training platform should offer tools that enable a simple review workflow, such as:

  1. AI-based threat analysis on each email to help the IT technician determine (with statistical probability) whether the email is genuine phishing.
  2. Simple actions to mark the email as a true or false positive.
  3. Automated workflows that inform the user depending on how the email has been classified.

If an email has been classified as a ‘false positive’ (not a phishing email), the user should be notified and thanked for reporting the email.

If an email has been classified as a ‘true positive’, then:

  1. The platform should notify the user and request they delete the email; or
  2. The IT technician should delete the email on behalf of the user, and the platform should notify them of the action that has been carried out.

Chart: Suspicious Email Review Workflow

Bonus

Security Awareness Training Tips for 2023

In this chapter, we’ll show you a few quick-win tips that will save you heaps of time and make your program more effective.

Use a highly automated security awareness training platform

There are numerous security awareness training platforms on the market right now.

Most platforms offer the same set of core functionality (phishing simulations, training and reporting) but implement them in different ways.

Broadly speaking however, these platforms can be separated into three groups:

  1. Manual: You select the phishing simulations and training modules, which are sent to users on a schedule of your choice (monthly, quarterly etc.). The upside is that you can tailor the education approach to the needs of your organisation. The downside is that it takes lots of effort to get started, and individuals aren’t given the training they specifically need to learn and grow.
  2. Automated (with limited intelligence): Hands-off. The platform selects and sends phishing simulations and training modules to users on a schedule of your choice. The upside is that it takes almost no effort to run your program because the software does it for you. The downside is that all staff receive the same simulations and training, regardless of their knowledge. This means most people will receive phishing simulations and training that is either too hard, or too simple.
  3. Automated (with behavioural AI): This is the same as the Automated approach, but with clever AI that sends simulation and training content that suits each individual. This means that there’s very little effort for you to manage your program, and users are given material that meets them where they are in their unique learning journey.

Integrate with existing staff on-boarding and exiting processes

Staff should be enrolled in your security awareness training program the moment they join your organisation.

But the process of adding them to the program must be seamless and simple for your IT team. If not, you risk the task not being completed every time someone joins.

Usually, when a new starter joins your organisation, your IT team will create an account for them in your user provisioning service (such as Microsoft Active Directory or Google Workspace). Once their account is created, they are likely added to one or more ‘security groups’ that determine their system access and file permissions.

This act of adding a user to a security group should be all that is required from IT to enrol a new staff member into your program.

But how is this achieved?

By integrating your security awareness training software with Microsoft Active Directory, Google Workspace or other identity providers (such as Okta).

Diagram: User Integration Options with Security Awareness Training Platforms

Don’t fall for the trap of having to manually upload staff profiles with a spreadsheet. Take it from us, it won’t happen.

And by using this integration approach, you’ll also bring other important metadata about the user into your platform (such as title, department, office location, phone number etc.).

Why does this matter? Because not only can this data be used to enrich your reporting, but AI-powered security awareness platforms will use it to improve the phishing simulations sent to and from staff in your business.

Finally, integration also helps when the time comes that the staff member leaves.

The moment their account is deactivated in your user provisioning system, they’ll also be deactivated in your SAT software – instantly saving you from spending money on unnecessary licensing costs.
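As an added illustration of the group-driven enrolment and deactivation described above (example code, not from the guide or any vendor platform), the following reconciles a constructed directory export against the platform’s user list; the group name sat-enrolled, the synced field names and the sample users are assumptions.

```python
"""Group-driven enrolment sync between an identity provider and a SAT platform
(added example, not code from the guide or any vendor). Membership of one
security group (assumed name "sat-enrolled") is the only thing IT manages:
joiners are enrolled with their directory metadata, changed metadata is
pushed, and disabled or removed accounts are deactivated."""
from dataclasses import dataclass, field

ENROLMENT_GROUP = "sat-enrolled"          # assumed group name
SYNCED_FIELDS = ("title", "department", "office", "phone")


@dataclass
class DirectoryUser:
    """A user record as exported from the identity provider."""
    username: str
    enabled: bool
    groups: set = field(default_factory=set)
    title: str = ""
    department: str = ""
    office: str = ""
    phone: str = ""

    def profile(self) -> dict:
        return {f: getattr(self, f) for f in SYNCED_FIELDS}


def plan_sync(directory: list, platform: dict) -> dict:
    """Return {"enrol": {user: profile}, "update": {user: changed}, "deactivate": [user]}.

    platform holds the SAT tool's view: {username: {"active": bool, **profile}}.
    """
    plan = {"enrol": {}, "update": {}, "deactivate": []}
    wanted = {u.username: u for u in directory
              if u.enabled and ENROLMENT_GROUP in u.groups}
    for name, user in wanted.items():
        current = platform.get(name)
        if current is None or not current["active"]:
            plan["enrol"][name] = user.profile()        # joiner (or re-joiner)
        else:
            changed = {f: v for f, v in user.profile().items()
                       if current.get(f) != v}
            if changed:
                plan["update"][name] = changed         # e.g. moved department
    # Active in the platform but disabled or out of the group in the directory.
    for name, current in platform.items():
        if current["active"] and name not in wanted:
            plan["deactivate"].append(name)            # stops licence spend
    return plan


# Constructed sample data: alice joined, bob moved to Finance, carol's account
# was disabled on exit, dave was never added to the enrolment group.
DIRECTORY = [
    DirectoryUser("alice", True, {"staff", ENROLMENT_GROUP}, "Analyst", "Finance", "Sydney"),
    DirectoryUser("bob", True, {"staff", ENROLMENT_GROUP}, "Manager", "Finance", "Sydney"),
    DirectoryUser("carol", False, {"staff", ENROLMENT_GROUP}, "Lead", "HR", "Melbourne"),
    DirectoryUser("dave", True, {"staff"}, "Engineer", "IT", "Sydney"),
]
PLATFORM = {
    "bob": {"active": True, "title": "Manager", "department": "Sales", "office": "Sydney", "phone": ""},
    "carol": {"active": True, "title": "Lead", "department": "HR", "office": "Melbourne", "phone": ""},
    "dave": {"active": True, "title": "Engineer", "department": "IT", "office": "Sydney", "phone": ""},
}
```

Running `plan_sync(DIRECTORY, PLATFORM)` on the sample yields one enrolment (alice), one metadata update (bob’s department) and two deactivations (carol and dave), which is the whole joiner/mover/leaver flow driven from a single group.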

Have a training workflow for newly on-boarded staff

When staff first join your organisation, they won’t have had the benefit of your security awareness training program.

This knowledge gap is a dangerous cybersecurity vulnerability, so you need a way to close it as quickly as possible.

One of the best methods for doing this is to ensure that new staff are put through a ‘sprint’ of short and concise training modules that cover the basics of security awareness.

The course should offer one module per week for 8 to 12 weeks, answering questions such as ‘What is phishing?’, ‘How dangerous is phishing?’, ‘What is spear phishing’ and more.

The short course should take place over approximately 3 weeks and will give new staff a better chance to identify a phish and protect your IP.

This approach should be possible with most security awareness training platforms, but only some of them will offer this as an automated workflow.

Benchmark your company-wide phishing knowledge

AI-powered security awareness platforms send different emails to each staff member, based on their unique susceptibility profile (the topics, devices and even days of the week that they’re most susceptible).

If you’re using a solution like this, it’s often helpful to send the same phishing simulation to the entire company once every quarter. When we do this for our clients, we aren’t looking at the results of each person. Instead, we are doing this to measure and report on the overarching security awareness of the entire organisation.
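To make the three simulation categories from Part One and this quarterly benchmark concrete, here is an added example (not code from the guide or any vendor platform) that scores a constructed simulation export: a click is the failure condition for a Link simulation, an opened attachment for an Attachment simulation, and submitted data for a Data Entry simulation. The column and event names are assumptions.

```python
"""Failure-rate reporting for phishing simulations (added example; not the
guide's or any vendor's code). It scores constructed simulation records using
the guide's three categories: a Link simulation fails on a click, an
Attachment simulation when the attachment is opened, and a Data Entry
simulation only when data is submitted on the landing page (a click alone is
not a failure). Column and event names are assumptions for this example."""
import csv
import io
from collections import defaultdict

# Outcome that counts as a failure for each template category (assumed names).
FAILURE_EVENT = {
    "link": "link_clicked",
    "attachment": "attachment_opened",
    "data_entry": "data_entered",
}

# Constructed sample export: one row per user per simulation, holding the
# strongest action the user took ("reported" and "none" are not failures).
SAMPLE_EXPORT = """\
simulation_id,category,user,department,outcome
sim-1,link,alice,Finance,link_clicked
sim-1,link,bob,Finance,reported
sim-1,link,carol,HR,none
sim-1,link,dave,IT,reported
sim-2,data_entry,alice,Finance,data_entered
sim-2,data_entry,bob,Finance,link_clicked
sim-2,data_entry,carol,HR,none
sim-2,data_entry,dave,IT,reported
sim-3,attachment,alice,Finance,attachment_opened
sim-3,attachment,bob,Finance,none
sim-3,attachment,carol,HR,attachment_opened
sim-3,attachment,dave,IT,reported
"""


def is_failure(category: str, outcome: str) -> bool:
    """True if the outcome meets the failure condition for that category."""
    if category not in FAILURE_EVENT:
        raise ValueError(f"unknown simulation category: {category!r}")
    return outcome == FAILURE_EVENT[category]


def summarise(export_csv: str, group_by: str = "category") -> dict:
    """Failure and report rates (percent) per category, department, etc."""
    stats = defaultdict(lambda: {"sent": 0, "failed": 0, "reported": 0})
    for row in csv.DictReader(io.StringIO(export_csv)):
        bucket = stats[row[group_by]]
        bucket["sent"] += 1
        if is_failure(row["category"], row["outcome"]):
            bucket["failed"] += 1
        elif row["outcome"] == "reported":
            bucket["reported"] += 1
    for bucket in stats.values():
        bucket["failure_rate"] = round(100 * bucket["failed"] / bucket["sent"], 1)
        bucket["report_rate"] = round(100 * bucket["reported"] / bucket["sent"], 1)
    return dict(stats)


def benchmark(export_csv: str, simulation_id: str) -> float:
    """Organisation-wide failure rate for one template sent to all staff."""
    rows = [r for r in csv.DictReader(io.StringIO(export_csv))
            if r["simulation_id"] == simulation_id]
    if not rows:
        raise ValueError(f"no rows for simulation {simulation_id!r}")
    failed = sum(is_failure(r["category"], r["outcome"]) for r in rows)
    return round(100 * failed / len(rows), 1)
```

Note that bob’s click on the Data Entry simulation is not counted as a failure, because by the guide’s definition that template only succeeds when data is entered; `summarise(SAMPLE_EXPORT, "department")` gives the same breakdown per team, and `benchmark(SAMPLE_EXPORT, "sim-1")` is the single company-wide figure for the quarterly template.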
