One Article Review

Source ProofPoint
Identifier 8641575
Publication date 2025-01-23 09:32:14 (viewed: 2025-01-23 14:07:43)
Title Training Efficacy: How to Maximize Learning from Phishing Simulations
Text As a cybersecurity administrator tasked with educating your entire organization, you face a significant challenge. Your mission is to train employees on the dangers of phishing and the increasingly sophisticated tactics employed by cybercriminals. So, where do you begin? For the past two decades, the standard recommendation has been a two-part educational strategy. First, provide training to explain key cybersecurity concepts. Then, follow up by assessing the effectiveness of that training through high-fidelity simulations. But after 20 years of relying on this approach, it's natural to ask: How effective is it? What works? And under what conditions do these interventions yield the best results? Early evidence from laboratory and real-world studies suggested that cybersecurity training and phishing simulations were effective for training non-experts (Kumaraguru et al., 2007). However, recent large-scale, real-world evaluations showed otherwise. These evaluations, which employed large sample sizes, random assignment and control groups, found almost zero efficacy for annual training and phishing programs (Lain et al., 2022; Ho et al., 2025). How can we explain this? A common explanation for this discrepancy is that laboratory findings often fail to translate to real-world settings. After all, lab experiments are controlled and contrived, sidestepping the messy complexities of actual workplaces. While this explanation is likely true, it barely scratches the surface. The reality is far more nuanced, and much more intriguing. This blog post explores findings from a recent study that evaluates the effectiveness of annual cybersecurity awareness training and phishing programs. By examining these results through the lens of cognitive and learning sciences, we reveal why these outcomes are not only unsurprising but also predictable. Finally, we'll provide actionable advice on how to move forward.
Evaluating the foundational components

In their article "Understanding the Efficacy of Phishing Training in Practice," the authors evaluate two foundational components of cybersecurity awareness and training, which they refer to as:

Annual cybersecurity awareness training. This training is typically in the form of a series of online videos that explain the various concepts of cybersecurity. Videos cover topics like the definition of phishing, what to look out for and how to report it. They also cover the consequences for falling for a scam. Training runs once a year, and it's usually given on the anniversary of the employee's hire date.

Embedded anti-phishing training exercises. These exercises occur after a learner clicks on a link in a simulated phishing campaign.

Now, we'll examine each of these components in greater detail.

1: Annual cybersecurity awareness training

According to the theoretical frameworks and the empirical findings from cognitive science, how surprised should we be that a typical annual training only decreases click rates by 1.7% (Ho et al., 2025, p. 9)? We would argue that it is not surprising at all. This is for two reasons. First, we all know that forgetting is unavoidable. In fact, it is such a pervasive and regular component of memory that cognitive scientists have built mathematical models that calculate the probability of remembering a piece of information at some time interval after initial learning. It is called the power law of forgetting. And it generalizes across many different topics and domains (Anderson & Schooler, 1991), including cybersecurity training (Reinheimer et al., 2020). According to this law, it is expected that an individual will forget 78.7% of information after 30 days. Second, we also know that learning by watching a video is going to result in shallow learning if other learning activities, such as problem solving or applying the knowledge, don't accompany it.
In many experiments, conducted both in the laboratory and in the classroom, the baseline control group either watches a video or reads a textbook passage. These groups often perform far bel
Rating ★★★
Sent Yes
Tags Vulnerability Studies Conference


The article does not appear to have been picked up after its publication.

The article does not appear to have been picked up from an earlier one.