Effectiveness of and user preferences for security awareness training methodologies

Phishing is a primary vector used in cyber-attacks, and current technical measures are not sufficient to reduce their success to an acceptable level. Empowering users to identify phishing emails is crucial; thus, anti-phishing training is essential. We investigate participant phishing susceptibility in a 2 x 2 mixed factorial design to determine if instructor-led classroom training, in addition to a multiple approach video-, game-, and text-based training package, offers a significant difference in susceptibility reduction compared with the absence of classroom training. The results suggest an insignificant improvement in reducing phishing susceptibility by incorporating classroom training. Furthermore, we observe a significant preference from the participants for one training method (i.e., classroom training) only if a decision for one particular method was required.