Effectiveness of awareness training: phishing simulation as a means of choice?

Phishing simulations are now used in many organizations for security awareness training. Although they need to be handled with care, many IT security officers (IT-SiBe) and CISOs choose to use them anyway. Why?

Phishing simulation as part of awareness training

Phishing simulations are a controversial topic, and poorly prepared ones can do real harm. Nevertheless, scientific studies, such as the one presented by Linus Neumann at CCC 2019, conclude that phishing simulations have positive effects on the security behavior of employees and are an important component of awareness training.

In this blog post on a customer fail story, we have already described the main challenges and lessons learned when using phishing simulations. Before you tackle the topic, we advise you to read that post first; following the tips described there will keep you on the safe side.

Based on the findings of scientific research, we at IT-Seal have been using spear phishing simulations as a building block in our automated awareness training for years. Time and again, we have been able to extend the state of research, gain new insights, and thereby optimize the flow and content of the awareness trainings. Today, we would not want to do without phishing simulations, as the advantages and strengths of this component can hardly be matched by other learning methods.

5 good reasons for phishing simulations in the context of awareness training

1. Being directly affected by clicking on a simulated phishing email is the best way to overcome the mindset "nobody would attack me anyway". Live hacking demonstrations go in a similar direction, but take place in an artificial environment that users rarely transfer to their everyday work. Phishing simulations therefore provide a strong basis for strengthening a company's security culture. Once employees, executives and management have clicked on a phishing email, they better understand why awareness training matters. This in turn increases the willingness to engage with further learning content and to recognize and value the role of the IT security officer.

2. The learning moment right after clicking on a phishing email can be used to deliver interactive and relevant learning content at a point of high motivation and attention. For example, a well-designed awareness training session will show the user the very phishing email they just clicked on. The user can then go through that email step by step at their own pace and learn how to expose the attack next time.

3. Thanks to this minimally invasive form of training, users only have to spend a small amount of time on awareness training. They can concentrate fully on their actual work and invest only one to three minutes, when necessary, to learn from their mistake and react correctly the next time a potentially real attack occurs.

4. Phishing simulations integrated into everyday work keep users' attention high and activate the learned skills at the moments when they are needed. Instead of training the skills in artificial settings (e.g., e-learning or online seminars) and then transferring them to the context of the email inbox, the skills are trained directly in the right context and repeatedly sharpened.

5. In addition, the results can be measured and compared in a standardized way. For the first time in IT security, it is thus possible to genuinely check and demonstrate how secure a company is: where the weaknesses lie, whether the current level is sufficient, and what progress has been made. This key figure is not only important for the IT security officer and their planning, but is also essential for communicating with employees, managers and the executive board. It makes it easy to explain why it is important to continue investing money in the topic, to impose technical restrictions, and to set aside a few minutes of each user's time for it.

Establish security culture: Considering the context of awareness training

Awareness training ultimately always aims to change the behavior of users and achieve greater security in the company. To achieve this sustainably in everyday life, not only awareness training but also a sustainable security culture is necessary.

A good security culture must reinforce the right mindset and skillset of the user, and provide usable and secure tools and processes within the organization. Phishing simulations shape the mindset and skillset of users in a sustainable way so as to induce secure behavior. In combination with a Reporter Button, simple and reliable processes can also be implemented to embed secure behavior in everyday work.
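The measurable key figures mentioned above (click rate, report rate via a Reporter Button, and progress between campaigns) are easy to derive from simulation event logs. The following Python script is an added example and not IT-Seal's Awareness Engine code; the event format, campaign names, user names and timestamps are constructed assumptions for illustration.

```python
"""Reduce phishing-simulation event records to comparable key figures.

Added example; the log format and all sample data are constructed, not taken
from any real product or campaign.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log: (campaign, user, action, ISO-8601 timestamp).
# "sent" = simulated mail delivered, "clicked" = link followed,
# "reported" = user pressed the reporter button.
SAMPLE_EVENTS = [
    ("2023-Q1", "alice", "sent", "2023-02-01T09:00:00"),
    ("2023-Q1", "alice", "clicked", "2023-02-01T09:12:00"),
    ("2023-Q1", "bob", "sent", "2023-02-01T09:00:00"),
    ("2023-Q1", "bob", "clicked", "2023-02-01T09:40:00"),
    ("2023-Q1", "carol", "sent", "2023-02-01T09:00:00"),
    ("2023-Q1", "carol", "reported", "2023-02-01T09:05:00"),
    ("2023-Q1", "dave", "sent", "2023-02-01T09:00:00"),
    ("2023-Q1", "dave", "clicked", "2023-02-01T10:00:00"),
    ("2023-Q1", "dave", "reported", "2023-02-01T10:03:00"),  # clicked, then reported
    ("2023-Q1", "erin", "sent", "2023-02-01T09:00:00"),       # no reaction at all
    ("2023-Q2", "alice", "sent", "2023-05-03T09:00:00"),
    ("2023-Q2", "alice", "reported", "2023-05-03T09:08:00"),
    ("2023-Q2", "bob", "sent", "2023-05-03T09:00:00"),
    ("2023-Q2", "bob", "clicked", "2023-05-03T09:30:00"),
    ("2023-Q2", "carol", "sent", "2023-05-03T09:00:00"),
    ("2023-Q2", "carol", "reported", "2023-05-03T09:02:00"),
    ("2023-Q2", "dave", "sent", "2023-05-03T09:00:00"),
    ("2023-Q2", "dave", "reported", "2023-05-03T09:20:00"),
    ("2023-Q2", "erin", "sent", "2023-05-03T09:00:00"),
]


def campaign_metrics(events):
    """Return {campaign: metrics} with rates relative to the recipients of each campaign."""
    # campaign -> user -> action -> earliest timestamp (repeat clicks count once)
    first = defaultdict(lambda: defaultdict(dict))
    for campaign, user, action, ts in events:
        t = datetime.fromisoformat(ts)
        seen = first[campaign][user]
        if action not in seen or t < seen[action]:
            seen[action] = t

    result = {}
    for campaign, users in first.items():
        sent = {u for u, acts in users.items() if "sent" in acts}
        clicked = {u for u in sent if "clicked" in users[u]}
        reported = {u for u in sent if "reported" in users[u]}
        # Reported without ever clicking: the behaviour the training aims for.
        clean_reports = reported - clicked
        # Minutes from delivery to the first report; fast reports are what give a
        # security team time to react to a real attack.
        delays = [
            (users[u]["reported"] - users[u]["sent"]).total_seconds() / 60
            for u in reported
        ]
        result[campaign] = {
            "recipients": len(sent),
            "click_rate": len(clicked) / len(sent),
            "report_rate": len(reported) / len(sent),
            "clean_report_rate": len(clean_reports) / len(sent),
            "median_minutes_to_report": median(delays) if delays else None,
        }
    return result


def progress(metrics, earlier, later):
    """Change in click and report rates between two campaigns, in percentage points."""
    a, b = metrics[earlier], metrics[later]
    return {
        "click_rate_change_pp": round((b["click_rate"] - a["click_rate"]) * 100, 1),
        "report_rate_change_pp": round((b["report_rate"] - a["report_rate"]) * 100, 1),
    }


if __name__ == "__main__":
    m = campaign_metrics(SAMPLE_EVENTS)
    for name in sorted(m):
        print(name, m[name])
    print("Q1 -> Q2:", progress(m, "2023-Q1", "2023-Q2"))
```

Rates are computed over unique users rather than raw events, so a user who clicks twice is not counted twice, and the clean report rate separates "reported instead of clicking" from "reported after clicking", which is the figure that actually tracks whether the Reporter Button process has become habit.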

It is clear that phishing simulations alone are not a panacea. The mindset, skillset and toolset must be sharpened through various channels. Training concepts consisting of classroom training, online seminars, awareness materials, phishing simulations, e-learning modules and short videos are therefore a standard part of any awareness program. Using the strengths and advantages of the different learning modules correctly is what makes an awareness program successful.


About IT-Seal:

The IT-Seal Awareness Engine takes all of this into account and provides a simple and reliable workflow to train your users on demand. Within the Awareness Academy, IT security managers select their target level, and the Awareness Engine then ensures that this level is reached and maintained over time.

Do you need assistance with awareness training or would you like to get more information about our phishing simulation? We are happy to help: Make an appointment!