New EU Study Proves Employees are an Organization’s Best First Line of Defense
A recent EU study supports Beauceron Security’s position that employees are an organization’s best first line of defense. Keep reading to learn the details of the study and how organizations can benefit from phishing their employees.
Basis of the Study
Researchers at ETH Zurich, in collaboration with an anonymous organization, published a study in December of 2021 in which they ran simulated phishing inside that organization over a period of 15 months, from July of 2019 to October of 2020. A total of 14,733 employees from the anonymous organization participated in the study across 28 organizational groups and 3,827 teams. It is the first phishing study of this scale and duration.
For the purposes of the study, participant data was analyzed and classified according to age, gender and computer use relating to their role in the organization. Participants were divided into 12 “user groups.” From July 2019 to October 2020, the organization sent 8 different simulated phishing emails to each participant. They received the first 6 emails in random order and at random intervals during the first year of the study, and the last 2 emails in the last 3 months. 5 emails contained a link to a phishing website, while 3 contained an attached file. These emails were not directed at specific employees or company roles but were based on real phishes targeting the entire company.
The study built on the phishing awareness campaign the organization had already been running with its employees prior to the experiment. Researchers had the organization send out 2 types of warnings on simulated phishes: short warnings that were “visually identical to the standard Outlook warnings already in place” and longer, detailed warnings that listed reasons why the email might be suspicious. Participants were then further divided into groups that received no warning at all on the simulated phishing emails, the short standard warning, or the modified longer, detailed warning.
Participants that fell for a phish were redirected to a training webpage that explained that they had fallen for a phish and what to look for in the future to identify one, and that offered an instructional video as well as quizzes and extra learning materials. This contextual (remedial) training was voluntary: participants redirected to the training webpage could choose not to use it.
The study was based around the following 4 questions:
Which employees are the most vulnerable to phishing?
How many employees will eventually fall for phishing emails through continued exposure?
How can organizations help employees in phishing prevention by using popular tools such as embedded phishing training and warnings on top of suspicious emails?
Can employees collectively help the organization in phishing prevention?
Results of the Study
The study found that participants clicked on 6,680 out of 117,864 simulated phishes. A little over 32% clicked on at least 1 phish, and 25.4% completed a dangerous action as a result. Researchers also found that the youngest employees, aged 18-19, clicked on more phishes and performed more dangerous actions than any other age group. The top performing age groups, the study found, were those aged 20-29 and 60+.
4,260 participants reported at least 1 phishing email during the study. Encouragingly, the button to report a suspected phish was also deployed to company employees not participating in the study, who made use of it and reported suspected phishing emails even though this was not required of them.
Both short and detailed warnings greatly helped participants identify simulated phishes. When comparing the data, the group that received no warning clicked 3,964 times, compared to 1,427 for the short warning and 1,289 for the detailed warning. Since the results for the short and detailed warnings show no significant difference, it was concluded that a detailed warning does not deter a user from falling for a phish significantly more than the short warning does.
It was also found that voluntary contextual (remedial) training does not help users identify phishes, as both the click rate and the dangerous action rate were higher for participants who had been redirected to the remedial training webpage. More research would be needed to determine the cause of this result, but the voluntary nature of the training may have discouraged users from completing it, and the training pages were assigned to participants at random rather than tailored to the specific phish they had clicked.
The high and steady volume of reported phishes did not slow down as the study progressed, and actually increased in the last months of the study when the two final simulated phishes were sent in close succession. The study concludes that because reporting a suspected phish was as easy as clicking a button, participants stayed motivated to report phishes and did not experience “reporting fatigue,” with 90% of participants reporting 6 or fewer simulated phishes during the study.
The study also supports our stance that employees are an organization’s first and best line of defense against cyberattacks. Within 5 minutes of launching a phishing campaign, the study found that on average 10% of participants had reported the phish, with 30 to 40% of participants reporting it within half an hour.
Click here to read the full study.
Interested in learning how Beauceron Security can help empower your workforce to be the best first line of defense against cyberattacks? Click here to read our whitepaper on Anti-phishing Training.
Did you find this blog helpful? Make sure to share it with your teams and colleagues to foster a positive and knowledgeable cybersecurity culture.