For years, one refrain has been repeated in the world of cyber security: employee education is the key to fighting phishing. Companies invest in online training, simulated campaigns and testing, believing that this will significantly reduce risk. However, a recent large-scale study by researchers at the University of California, San Diego, suggests that this belief is badly overstated.
Findings from an experiment involving more than 19,000 participants indicate that the effectiveness of training programmes is much lower than the market promises. This does not mean that training is pointless, but rather that it should be treated as a complementary element, not the central pillar, of a security strategy.
A study that changes the narrative
A team of UC San Diego researchers conducted an eight-month study in the healthcare sector, exposing employees to different types of training. The training variants ranged from simple error messages and static educational pages to more extensive, interactive contextual modules.
The result was surprisingly modest. Regardless of the method chosen, the average improvement in phishing recognition over the control group was just 1.7%. In practice, this means that traditional programmes do not produce a clear difference in user behaviour, at least not at the level expected by companies investing in education.
The myth of “miracle training”
Over the past decade, the security training market has grown consistently, fed by the belief that the right e-learning modules can significantly reduce the risk of phishing attacks. Numerous companies offered programmes that were supposed to ‘change the habits’ of employees and dramatically reduce incidents.
Meanwhile, the study's results show that the ‘miracle training’ narrative is not well supported by the data. Effects do exist, but they are much smaller than expected. The problem is that many organisations treat training as the main, and sometimes only, tool for protection, creating a false sense of security.
Phishing as an art of social engineering
One of the most interesting findings of the study was that the success of a phishing email depends more on the content of the bait than on what training the recipients have received.
While only a small percentage of participants were fooled by fake emails about Outlook accounts, around 30 per cent clicked on messages about holiday policy or dress code. This shows how heavily attackers exploit organisational context, and how hard it is for training to prepare employees for every possible manipulation.
The conclusion is simple: attackers adapt their methods quickly, choosing topics closest to the day-to-day concerns of employees. Training, usually built on a fixed set of repetitive scenarios, cannot keep up with this dynamic.
Why training fails in practice
A second reason for the low effectiveness of the programmes is the behaviour of the users themselves. The study found that many participants simply ignored the educational material, or clicked through it so quickly that they had no real chance to absorb the content.
This is not only a problem of motivation. In practice, online training courses tend to be treated as a bureaucratic chore to be ‘ticked off’ rather than a valuable source of knowledge. Added to this is the often unengaging format: dull tests and repetitive modules that do not build any lasting habits.
The new role of training
So can phishing training be considered useless? Absolutely not. The researchers stress that it still has a role, but that its effects need to be assessed realistically and measured against concrete goals.
Rather than hoping for a radical improvement, companies should expect incremental changes: a lower click rate on dangerous links, faster reporting of suspicious messages, or greater caution when opening attachments. In this context, training acts as a complement to other controls, not as a cure for phishing.
At the same time, organisations should be more demanding of training providers, asking for evidence of effectiveness backed by research rather than marketing promises.
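The measurements named in this section (click rate, report rate, time to report) and the comparison against an untrained control group described earlier are exactly what a simulation programme should produce on its own data. The following Python script is an added example, not code from the study or from any training vendor: it computes those metrics per group from constructed simulation records, expresses the trained group's improvement as a difference in percentage points against the control group, and also breaks click rate down by lure topic, which is the comparison that showed topic mattering more than training. The record format, the group and lure labels, and all the numbers are assumptions made up for this example.

```python
from collections import defaultdict
from statistics import median
from typing import Dict, List, NamedTuple, Optional


class Delivery(NamedTuple):
    """One simulated phishing email delivered to one employee (constructed format)."""
    user: str
    group: str                      # "control" (no training) or "trained"
    lure: str                       # topic of the bait, e.g. "outlook" or "dresscode"
    clicked: bool                   # True if the user followed the link
    report_minutes: Optional[int]   # minutes until the user reported it; None = never


# Constructed sample data for this example; these are NOT figures from the study.
RECORDS: List[Delivery] = [
    Delivery("u01", "control", "outlook",   False, 12),
    Delivery("u01", "control", "dresscode", True,  None),
    Delivery("u02", "control", "outlook",   False, 30),
    Delivery("u02", "control", "dresscode", True,  None),
    Delivery("u03", "control", "outlook",   False, None),
    Delivery("u03", "control", "dresscode", False, 45),
    Delivery("u04", "control", "outlook",   True,  None),
    Delivery("u04", "control", "dresscode", True,  None),
    Delivery("u05", "control", "outlook",   False, 8),
    Delivery("u05", "control", "dresscode", False, None),
    Delivery("t01", "trained", "outlook",   False, 5),
    Delivery("t01", "trained", "dresscode", True,  None),
    Delivery("t02", "trained", "outlook",   False, 10),
    Delivery("t02", "trained", "dresscode", False, 20),
    Delivery("t03", "trained", "outlook",   False, None),
    Delivery("t03", "trained", "dresscode", True,  None),
    Delivery("t04", "trained", "outlook",   False, 15),
    Delivery("t04", "trained", "dresscode", False, None),
    Delivery("t05", "trained", "outlook",   True,  None),
    Delivery("t05", "trained", "dresscode", False, 25),
]


def campaign_metrics(records: List[Delivery], group: str) -> Dict[str, float]:
    """Per-group metrics: click rate, report rate, median time to report,
    and the share of users who clicked at least once over the whole period."""
    rows = [r for r in records if r.group == group]
    if not rows:
        raise ValueError(f"no deliveries recorded for group {group!r}")
    reports = [r.report_minutes for r in rows if r.report_minutes is not None]
    users = {r.user for r in rows}
    clickers = {r.user for r in rows if r.clicked}
    return {
        "delivered": len(rows),
        "click_rate": sum(r.clicked for r in rows) / len(rows),
        "report_rate": len(reports) / len(rows),
        # nan rather than a misleading 0 when nobody reported anything
        "median_report_minutes": median(reports) if reports else float("nan"),
        "users_clicked_at_least_once": len(clickers) / len(users),
    }


def improvement_vs_control(records: List[Delivery],
                           treated: str = "trained",
                           control: str = "control") -> float:
    """Click-rate reduction of the treated group relative to the control group,
    in percentage points (positive means the trained group clicked less)."""
    c = campaign_metrics(records, control)["click_rate"]
    t = campaign_metrics(records, treated)["click_rate"]
    return round((c - t) * 100, 1)


def click_rate_by_lure(records: List[Delivery]) -> Dict[str, float]:
    """Click rate per lure topic across all groups, to see which bait works."""
    delivered: Dict[str, int] = defaultdict(int)
    clicked: Dict[str, int] = defaultdict(int)
    for r in records:
        delivered[r.lure] += 1
        clicked[r.lure] += int(r.clicked)
    return {lure: clicked[lure] / delivered[lure] for lure in delivered}


if __name__ == "__main__":
    for group in ("control", "trained"):
        print(group, campaign_metrics(RECORDS, group))
    print("improvement vs control (pp):", improvement_vs_control(RECORDS))
    print("click rate by lure:", click_rate_by_lure(RECORDS))
```

The point of reporting the improvement in percentage points against a control group, rather than as a before/after figure for the trained population alone, is that it is the only number that separates the effect of training from everything else that changed during the period; a vendor who cannot show a control-group comparison has not shown effectiveness.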
Multi-level defence
The study’s conclusions fit a broader trend in cyber security: effective defence requires a layered, multi-level approach (defence in depth).
In addition to training, technical controls are needed, from anti-phishing filters and anomaly detection tools to systems that automate incident response. It is also important to keep systems patched and to build an organisational culture in which mistakes are not grounds for punishment but an opportunity to learn.
The latter may be particularly relevant. The study showed that, over the eight-month period, half of the participants were fooled by at least one attack. Punishing such a mistake will not improve the situation; analysing the incident and drawing constructive lessons from it can genuinely raise awareness.
Less illusion, more resilience
For years, the phishing training market has lived on the promise that the right dose of education is all it takes to close the door on social engineering attacks. Data from the largest study of its kind to date shows that the reality is more complex.
Companies should not give up on training, but they need to stop treating it as a silver bullet. Realistic expectations, combined with technical controls and organisational culture, offer a far better chance of building resilience than faith in miracle e-learning programmes.