
Cybersecurity More Effective if Regularly Reinforced, Study Says

Practice Management

Memory fades. But how fast? Within six months, at least regarding cybersecurity protocols, according to a study of how long employees retained the security measures they had learned.

In “An Investigation of Phishing Awareness and Education Over Time: When and How to Best Remind Users,” researchers who studied 409 employees found that they were able to identify which emails were legitimate and which were phishing immediately after a security awareness and education program was conducted, and even four months after. But after half a year had elapsed, that was not the case. 

Such programs ordinarily include raising awareness of the threat cyber criminals pose and providing knowledge about security, such as how to identify attacks, reduce the risk of being the victim of an attack and whom to contact to ask questions and report incidents. But their “effectiveness over time and, correspondingly, appropriate intervals to remind users’ awareness and knowledge are an open question,” write Benjamin Reinheimer, Lukas Aldag, Peter Mayer, Mattia Mossano, Reyhan Duezguen and Melanie Volkamer of the Karlsruhe Institute of Technology; Bettina Lofthouse of Landesamt für Geoinformation und Landesvermessung Niedersachsen; and Tatiana von Landesberger of the Interactive Graphics Systems Group, Technische Universität Darmstadt.

Of course, no one wants an attack to take place; however, the irony of not being attacked is that it may heighten the risk if a cyber attack does come, since employees’ cyber security skills may have become rusty from lack of use, the researchers suggest. “If employees are never, or only rarely, confronted with attacks that are included in a security awareness and education program, the acquired awareness and knowledge might dissipate over time, as is the case with any other awareness and knowledge programs.” 

The stakes of this are high, they suggest: “While waning of awareness and knowledge is to be expected, it poses a problem to the maintenance of organizational security.”

They argue that “it is crucial to know: (a) when awareness and knowledge levels should be renewed, i.e., how long the effect of a security awareness and education program can be expected to last, and (b) which type of measures are best suited to restore users’ awareness and knowledge.”

The Tutorials

The employer opted to hold three- to four-hour on-site tutorials for groups of 40 employees. The tutorials covered three topics:

  • general security awareness;
  • phishing; and 
  • password best practices.

The portion that concerned phishing was in two parts: one provided general information about phishing, and the other discussed ways to check the plausibility of emails, how to identify dangerous files, and the tricks that cyber criminals use.

Measuring and Improving Retention

The researchers collected data just before and just after on-site security tutorials were presented to employees, and then again four months after. They then measured it again at six months, and found that the tutorials’ impact had worn off.

The researchers then developed “reminder measures” to refresh employees’ knowledge and awareness. They tried measures that presented content in text, in a video, and using interactive email examples. They evaluated the success of these reminders immediately after their use and again six months later. 

The reminder measures included: 

  • text content with explanations concerning the structure of URLs and linked URL displays in status bars or in tool tips;
  • text content that focused on suggestions for detecting phishing messages;
  • interactive examples of phishing emails that reveal information about portions of an email when the user hovers a cursor over them; and 
  • a video that provides visual and audio explanations concerning the structure of URLs and linked URL displays in status bars or in tool tips.

The researchers found that the interactive reminder measure and the one entailing a video were the most effective; six months after the use of those reminder vehicles—one year after the initial tutorial—the awareness and knowledge levels of the employees who had received the material in those manners “were still significantly higher” than were the levels of other employees.