Cybersecurity training has become a ubiquitous practice in organizations worldwide, particularly in sectors where data sensitivity is paramount. Despite the widespread implementation of such programs, new research indicates that these efforts may have little to no practical impact on preventing phishing attacks—a pervasive form of cyber threat. A comprehensive eight-month randomized controlled trial involving over 19,500 employees at UC San Diego Health reveals that both mandated annual cybersecurity training and embedded, interactive phishing education fail to significantly reduce the likelihood of employees falling for phishing emails.
Phishing, the deceptive practice of sending malicious emails that impersonate trustworthy entities to extract sensitive information, remains the leading vector for cyber breaches. In fact, a 2023 IBM report identified phishing as responsible for 16% of successful cyberattacks, underscoring the critical nature of combating this threat. The healthcare sector, in particular, has been hit hard, with the U.S. Department of Health and Human Services reporting an alarming number of data breach incidents in 2023, including over 725 significant breaches affecting more than 133 million health records and 460 ransomware attacks.
The study focused on two currently prevalent training methods: annual mandatory cybersecurity courses and embedded phishing training. The latter involves sending simulated phishing emails to employees, followed by immediate educational content for those who mistakenly engage with the test emails. While intuitively promising, embedded training demonstrated a negligible 2% reduction in the probability that recipients would click on phishing links. Even the completion of formal annual training bore no statistically significant correlation with reduced phishing susceptibility.
Behavioral analysis of the participants revealed a troubling trend regarding engagement with training materials. Approximately 75% of employees who received embedded phishing education spent less than a minute interacting with the corrective content, and a significant one-third exited the training immediately upon presentation. This superficial engagement likely contributes to the ineffective outcomes observed and challenges the assumption that exposure alone fosters behavioral change in cybersecurity vigilance.
The longitudinal nature of the trial uncovered an even more concerning escalation over time. Whereas only 10% of employees succumbed to phishing attempts in the initial phase, that figure rose dramatically, with more than half clicking on phishing links by the eighth month. This suggests not only a failure of training interventions but also a potential erosion of baseline security awareness over time or increased sophistication and relevance of phishing campaigns as they adapt.
An analysis of the differing effectiveness of various phishing email types underscored the complexity of human factors in cybersecurity. For instance, attempts to trick users with phishing emails masquerading as Outlook password updates were minimally successful, with a mere 1.82% click rate. Conversely, phishing lures themed around internal organizational updates, such as vacation policy changes, were alarmingly effective, with nearly one-third of recipients clicking the deceptive links. This highlights the importance of contextual relevance and social engineering principles that sophisticated attackers exploit.
These findings prompt a critical reassessment of organizational strategies aimed at mitigating phishing risks. The study’s authors advocate for a pivot away from primarily training-focused approaches toward robust technical countermeasures. They identify two particularly impactful solutions: universal adoption of multi-factor authentication (MFA) and deployment of intelligent password managers that enforce domain specificity. Both measures can substantially reduce the attack surface by preventing unauthorized access, even if user behavior is compromised.
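As an added illustration (not from the study or this article) of why a password manager that enforces domain specificity blunts phishing, the Python below contrasts a loose host match with strict origin-bound autofill. The vault entry and the lookalike hostnames are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed sample vault: one credential, keyed by the exact origin
# (scheme, host, port) on which it was saved.
VAULT = {
    ("https", "login.ucsd-health.example", 443): ("alice", "s3cret"),
}

DEFAULT_PORTS = {"https": 443, "http": 80}


def origin_of(url):
    """Return the (scheme, host, port) origin of a URL, normalising case and default ports."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def naive_lookup(url):
    """Weak matching: offer a credential when the saved host appears anywhere in the page host.
    A lookalike such as login.ucsd-health.example.phish.test satisfies this check, so the
    manager would hand the password to the phishing page."""
    host = origin_of(url)[1]
    for (_, saved_host, _), cred in VAULT.items():
        if saved_host in host:
            return cred
    return None


def strict_lookup(url):
    """Domain-specific autofill: fill only on the exact origin where the credential was saved.
    A lookalike host, a different port, or a plain-http downgrade all get nothing."""
    return VAULT.get(origin_of(url))


if __name__ == "__main__":
    # Constructed page URLs: the genuine login page and a phishing lookalike.
    for url in ("https://login.ucsd-health.example/",
                "https://login.ucsd-health.example.phish.test/",
                "http://login.ucsd-health.example/"):
        print(f"{url:48} naive={naive_lookup(url)!r:20} strict={strict_lookup(url)!r}")
```

Phishing-resistant MFA such as WebAuthn relies on the same principle: the browser binds the credential to the origin, so a lookalike domain never receives a usable response.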
The research was made possible through a confluence of support from academic and governmental sources, including funding from the University of California Office of the President’s “Be Smart About Safety” initiative and grants from the National Science Foundation. The study is emblematic of the growing demand for empirical, data-driven evaluations of cybersecurity practices, moving beyond conventional wisdom to scientifically validate what works and what does not.
The ubiquity of phishing as an attack vector necessitates rigorous and continuous examination of defense strategies. This study contributes to a growing body of evidence that training programs, as commonly designed and deployed, do not confer the expected protective benefits. It raises essential questions about how to engage users meaningfully, perhaps indicating a need for innovative pedagogical methods or integrating behavioral psychology insights into cybersecurity education.
Furthermore, the researchers’ use of randomized controlled trial methodologies provides a gold standard for measuring intervention efficacy. Such an approach ensures that observed effects—or lack thereof—are attributable to the training programs rather than confounding variables. As the cybersecurity community grapples with escalating threats, the value of rigorous experimental designs becomes undeniable in guiding policy and investment decisions.
Ultimately, these findings should serve as a wake-up call for organizations that have placed disproportionate faith in training as a silver bullet against phishing. While educational efforts remain necessary components of a holistic cybersecurity posture, overreliance may squander resources and provide a false sense of security. The future of phishing defense will likely depend on technological innovation, rigorous testing of intervention strategies, and a nuanced understanding of human behavior’s role in cybersecurity risk.
Subject of Research: People
Article Title: Understanding the Efficacy of Phishing Training in Practice
News Publication Date: 2-Aug-2025
Web References: https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=11023357
Image Credits: Ioana Patringenaru/University of California San Diego
Keywords: Cybersecurity, Computer science