Safety awareness and phishing programs are quickly forgotten and employees need to be retrained after about six months, according to a paper presented at the USENIX SOUPS security conference last month.
The purpose of the paper was to analyze the effectiveness of long-term phishing training.
Taking advantage of the fact that German public sector organizations have to go through compulsory phishing training programs, academics from many German universities surveyed 409 of the 2.200 employees of the State Geoinformatics and State Research Service (SOGSS).
The researchers tested the effectiveness of phishing training over time, with periodic tests at regular intervals to determine when employees of SOGSS will lose their ability to detect phishing messages.
Employees were divided into multiple groups and tested every four, six, eight, ten and twelve months, respectively, once trained in one program phishing training.
The research team found that while participants in research were able to properly detect phishing emails even after four months of initial training, this did not happen from six months onwards, Companies to retrain their employees.
The researchers also created their own "reminders" to "replace the sensitization and employee phishing knowledge ", which they used to train employees after their investigation - six to twelve months later.
"We have developed four different programs," the academics said. “Four programs were distributed in four groups (one per group): (a) text, (b) video, (c) interactive examples and (d) a short text.
"Twelve months after seminar, we compared the knowledge retention of the four groups. Among the four different tests, the video and interactive examples performed best, with an impact lasting at least six months after training. ”
Academics have concluded that while employee training in phishing emails can help organizations prevent attacks, this training should be cyclical, with repetitive training sessions, ideally every six months, and using interactive examples or videos.