Study Finds Smarter Way to Train Employees to Thwart Phishing Scams
Companies often send out simulated—or fake—phishing emails to employees to see who takes the bait and clicks. Those who fall for such scams typically receive an on-the-spot lesson meant to help them recognize suspicious messages the next time. But new research finds that approach might not be the best way to help employees learn from their mistakes.
These phishing simulations—known as embedded training because once users fail, they are sent into training mode—are widely considered to be a “best practice” in the cybersecurity anti-phishing industry.
But new research co-led by University of South Florida’s Muma College of Business faculty finds that approach might not be the best way to help employees learn from their mistakes.
The findings were published in MIS Quarterly. The paper is co-authored by Dezhi Yin and Matthew Mullarkey of USF’s Muma College of Business, Gert-Jan de Vreede of Stevens Institute of Technology, and Moez Limayem, president and professor at the University of North Florida, who was selected this month to become USF’s president-elect.
The researchers identify two shortcomings associated with embedded training:
· Instant feedback can be limited in reach. Only those who were duped receive training, while those who passed the test may still fall for a real phishing attack later, the research showed.
· Catching employees at the exact moment of failure—known as “just-in-time” training—can be counterproductive. Such on-the-spot training can lead to negative reactions in employees who feel exposed and may become defensive.
Instead, the researchers recommend taking a non-embedded approach. By providing feedback to everyone after the entire simulation ends, the exercise turns into a broader and more positive learning opportunity, they found.
The study employed three large-scale experiments using a real phishing simulation platform. Thousands of students received realistic, but simulated, phishing emails. Some of the simulations provided immediate feedback after a click, while others sent follow-up messages days later. The team then tracked how likely participants were to fall for future simulated scams over the following weeks and months.
“Giving feedback only to the people who clicked the ‘fake’ phishing email misses a big opportunity,” Yin said. “We found that employees learn better when everyone—even those who didn’t fall for it—gets a follow-up message explaining the phishing test.”
Among the study’s key insights, researchers discovered:
· Sharing lessons with the entire group, not just those who got duped, helped people recognize scams more effectively and stay alert for months afterward.
· Training does not need to be delivered at the point of failure to be effective. A time-delayed but more inclusive approach ultimately builds a better defense against real attacks.
“Phishing training companies can directly make use of our key insights in designing more effective software tools, and we heard that KnowBe4 is already doing that,” Mullarkey said.
The study’s findings could help companies strengthen their cybersecurity defenses as phishing scams grow more sophisticated and increasingly use artificial intelligence.
“Employees are widely considered the last line of defense in the anti-phishing training industry,” Yin said. “Non-embedded training provides a more effective alternative to fortify this last defense than the status quo.”
