Article

Evaluating organizational phishing awareness training on an enterprise scale

Journal

COMPUTERS & SECURITY
Volume 132, 2023

Publisher

ELSEVIER ADVANCED TECHNOLOGY
DOI: 10.1016/j.cose.2023.103364

Keywords

Phishing; Phishing wave; Social engineering; Organizational cyber security; Awareness; Training


Summary

Employees are frequent targets of phishing attacks, which puts both them and their organizations at risk. Organizations respond by training staff to recognize simulated phishing emails, but how effective that training is in a large enterprise is not well understood. In a controlled experiment with about 5,000 employees of an Israeli financial institution, the authors found that personalized phrasing in simulated phishing emails raised the phishing Click-Through Rate (CTR), that CTR varied between business units, and that the timing of training before a simulated email did not significantly change CTR. The paper argues for a data-driven approach to building organizational phishing awareness.

Abstract

Employees are often the victims of phishing attacks, posing a threat to both themselves and their organizations. In response, organizations are dedicating resources, time, and employee effort to train staff to identify simulated phishing attacks. However, the real-world effectiveness of these training efforts in large enterprises remains largely unexplored. To address this, we carried out a controlled experiment in an Israeli financial institution with approximately 5,000 employees. The experiment included three simulated phishing emails, and we examined how different factors influence the phishing Click-Through Rate (CTR). Our findings suggest that employees are more likely to engage with phishing simulation emails that use personalized phrasing. We also found that phishing CTR varies between business units, and that the timing of training before the simulated email did not significantly affect phishing CTR. Furthermore, it became clear that training prior to phishing simulations and adopting a data-driven approach that includes process, variable and measure analysis can enhance organizational awareness of phishing. Although advanced technologies can mitigate some phishing attacks, our research indicates that employee awareness and proactive behavior will continue to play a critical role in the foreseeable future. The paper concludes by providing guidelines to information security officers on establishing effective organizational awareness to prevent phishing attacks. © 2023 Elsevier Ltd. All rights reserved.
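The measure the abstract relies on, phishing CTR broken down by the variables the experiment varied (business unit, simulation wave, phrasing), computed over a handful of constructed simulation records. This is an added example for this page, not code or data from the paper; the record fields, the twelve events, and the pooled two-proportion z statistic used to compare personalized and generic phrasing are assumptions of the example, not the authors' method.

```python
"""Phishing-simulation CTR analysis over constructed event records.

Added example, not the paper's code. The field names, the records below and
the two-proportion z-test are assumptions of this example.
"""
import math
from collections import defaultdict

# Constructed sample: one row per simulated phishing email delivered.
# 'clicked' is 1 when the recipient followed the embedded link.
_FIELDS = ("employee", "unit", "wave", "phrasing", "clicked")
_ROWS = [
    ("e01", "retail",   1, "personalized", 1),
    ("e02", "retail",   1, "personalized", 0),
    ("e03", "treasury", 1, "personalized", 1),
    ("e04", "treasury", 1, "personalized", 0),
    ("e05", "retail",   2, "generic",      0),
    ("e06", "retail",   2, "generic",      0),
    ("e07", "treasury", 2, "generic",      1),
    ("e08", "treasury", 2, "generic",      0),
    ("e09", "retail",   3, "personalized", 1),
    ("e10", "retail",   3, "personalized", 0),
    ("e11", "treasury", 3, "personalized", 0),
    ("e12", "treasury", 3, "personalized", 1),
]
SIMULATION_EVENTS = [dict(zip(_FIELDS, row)) for row in _ROWS]


def click_through_rate(events):
    """CTR = emails clicked / emails delivered.

    Returns None for an empty group rather than 0.0, so a unit that was never
    tested is not reported as a unit that never clicked."""
    delivered = len(events)
    if delivered == 0:
        return None
    return sum(e["clicked"] for e in events) / delivered


def ctr_by(events, field):
    """Group events by one experimental variable (unit, wave or phrasing)
    and return {group: (clicks, delivered, ctr)}."""
    groups = defaultdict(list)
    for e in events:
        groups[e[field]].append(e)
    return {
        key: (sum(x["clicked"] for x in evs), len(evs), click_through_rate(evs))
        for key, evs in sorted(groups.items())
    }


def two_proportion_z(clicks_a, n_a, clicks_b, n_b):
    """Pooled two-proportion z statistic for CTR(a) - CTR(b).

    Returns 0.0 when the pooled variance is zero (everyone clicked, or nobody
    did), where the standard formula would divide by zero."""
    p_a, p_b = clicks_a / n_a, clicks_b / n_b
    pooled = (clicks_a + clicks_b) / (n_a + n_b)
    se = math.sqrt(pooled * (1 - pooled) * (1 / n_a + 1 / n_b))
    if se == 0:
        return 0.0
    return (p_a - p_b) / se


def compare_phrasing(events):
    """Personalized vs generic phrasing: (ctr_personalized, ctr_generic, z)."""
    by_phrasing = ctr_by(events, "phrasing")
    clicks_p, n_p, _ = by_phrasing["personalized"]
    clicks_g, n_g, _ = by_phrasing["generic"]
    return clicks_p / n_p, clicks_g / n_g, two_proportion_z(clicks_p, n_p, clicks_g, n_g)


if __name__ == "__main__":
    for field in ("unit", "wave", "phrasing"):
        for key, (clicks, n, ctr) in ctr_by(SIMULATION_EVENTS, field).items():
            print(f"{field}={key}: {clicks}/{n} clicked, CTR={ctr:.2f}")
    ctr_p, ctr_g, z = compare_phrasing(SIMULATION_EVENTS)
    print(f"personalized CTR {ctr_p:.2f} vs generic {ctr_g:.2f}, z={z:.2f}")
```

On the constructed sample the personalized variant shows a higher CTR (0.50 vs 0.25), but the z statistic of about 0.83 is nowhere near significance, which is the practical point: per-unit and per-wave CTRs from a few dozen recipients swing widely, and a security officer comparing business units or training timings needs population sizes closer to the paper's 5,000 before reading a difference as real.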

