No surprise that Phishing Training Doesn’t Work!

Darkreading.com reported that “A recent study suggests, contrary to popular belief, that most phishing awareness initiatives aren't having a material impact on employee cybersecurity. One of the most widely repeated, least examined memes in the cybersecurity industry is that, even more than technical solutions, organizations can best secure themselves by teaching cyber awareness among their employees. Building a ‘human firewall,’ to protect an organization's otherwise ‘weakest link.’” The July 1, 2025 article entitled “We've All Been Wrong: Phishing Training Doesn't Work” (https://www.darkreading.com/endpoint-security/phishing-training-doesnt-work) included these comments about “What Now for Anti-Phishing Efforts?”:

Dangerously adjacent to the awareness-first philosophy is the notion that employees are the problem. That if a breach happens, the house burns down, and lawyers come knocking, the responsibility might not lie with those at the top.

"This is what I think about a lot, actually, in my daily life and my research," Mirian says. "The question is: Do we ask the user to take on more of the onus? With training we're saying: 'Hey, you are responsible, you need to learn.' Or do we try to find a way for the system — the organization — to take on that onus? And my personal opinion is that, in general, security should always try to take the onus from the user."

Her study leaves open the possibility that certain, unexplored kinds of training could work, like more expensive, one-on-one in-person coaching. Companies might also consider how to incentivize employees to make cybersecurity a part of their jobs — for example, by giving them some financial stake in the company's future.

Or, more simply, organizations can invest in technical solutions to protect against the inevitable. "There could be better ways to spend the money, like focusing on hardware two-factor authentication (2FA) so that if you do get popped, there's an additional layer of protection," Mirian says. Whatever the solution to phishing attacks may be, she adds, "We're just saying the current methods aren't working."

No one should be surprised!
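Mirian's suggestion of hardware two-factor authentication is worth making concrete, because the reason a FIDO2/WebAuthn key holds up "if you do get popped" is not that it is a second secret but that the signed assertion is bound to the web origin the browser is actually on. The simulation below is an added illustration, not code from the Dark Reading article or from Mirian's study. It assumes a constructed relying party (`bank.example`) and look-alike phishing domain (`bank-example.com`), and it stands in for the authenticator's asymmetric signature with an HMAC over a per-credential secret so that it runs on the standard library alone; the origin and rpIdHash checks it performs are the ones that matter. A TOTP login is modelled alongside it to show why a relayed six-digit code gets through where a relayed assertion does not.

```python
"""Why a hardware (FIDO2/WebAuthn) second factor resists a relay-style phishing
attack while a TOTP code does not. Simplified model, standard library only.
Domains are constructed sample values; the HMAC "signature" is a stand-in
(assumption) for the real per-credential asymmetric key."""
import hashlib
import hmac
import json
import secrets
import struct
import time

RP_ID = "bank.example"                        # constructed relying party
RP_ORIGIN = "https://bank.example"
PHISH_ORIGIN = "https://bank-example.com"     # constructed look-alike phishing site


def origin_host(origin):
    return origin.split("://", 1)[1].split("/", 1)[0]


def rp_id_allowed(rp_id, origin):
    """Browser rule: rpId must equal the page's host or be a registrable suffix of it."""
    host = origin_host(origin)
    return host == rp_id or host.endswith("." + rp_id)


class Authenticator:
    """Toy hardware key. A real key signs with a private key scoped to one rpId;
    here an HMAC over a per-credential secret plays that role (assumption)."""

    def __init__(self):
        self.cred_secret = secrets.token_bytes(32)

    def verify_key(self):
        return self.cred_secret  # what the RP stored at registration (public key in reality)

    def get_assertion(self, rp_id, origin, challenge):
        # clientDataJSON: the BROWSER supplies the origin it is on; the user cannot alter it.
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": origin},
            sort_keys=True,
        ).encode()
        auth_data = hashlib.sha256(rp_id.encode()).digest()          # rpIdHash
        signed = auth_data + hashlib.sha256(client_data).digest()    # what gets signed
        sig = hmac.new(self.cred_secret, signed, "sha256").digest()
        return {"client_data": client_data, "auth_data": auth_data, "sig": sig}


def browser_get(authenticator, rp_id, origin, challenge):
    """The browser refuses a request whose rpId does not match the page origin."""
    if not rp_id_allowed(rp_id, origin):
        return None
    return authenticator.get_assertion(rp_id, origin, challenge)


def rp_verify(verify_key, assertion, expected_challenge):
    """Relying-party side of the WebAuthn assertion check (simplified)."""
    if assertion is None:
        return False
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False
    if cd.get("origin") != RP_ORIGIN:                                # origin binding
        return False
    if assertion["auth_data"] != hashlib.sha256(RP_ID.encode()).digest():  # rpIdHash
        return False
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(verify_key, signed, "sha256").digest()
    return hmac.compare_digest(expected, assertion["sig"])


def legitimate_login(auth):
    challenge = secrets.token_hex(16)                                # issued by the RP
    assertion = browser_get(auth, RP_ID, RP_ORIGIN, challenge)
    return rp_verify(auth.verify_key(), assertion, challenge)


def relayed_login_via_phish(auth):
    """Adversary-in-the-middle: the phishing site fetches a real challenge from the RP
    and relays it to the victim, whose browser is on PHISH_ORIGIN."""
    challenge = secrets.token_hex(16)
    # Attempt 1: phishing page requests the bank's rpId -> the browser refuses outright.
    a1 = browser_get(auth, RP_ID, PHISH_ORIGIN, challenge)
    # Attempt 2: phishing page uses its own rpId -> a real key would have no credential for
    # it; even if it signed (as this toy does), the signed origin and rpIdHash are wrong.
    a2 = browser_get(auth, origin_host(PHISH_ORIGIN), PHISH_ORIGIN, challenge)
    key = auth.verify_key()
    return rp_verify(key, a1, challenge) or rp_verify(key, a2, challenge)


def totp(secret, t=None, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1."""
    counter = int((time.time() if t is None else t) // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), "sha1").digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def relayed_login_via_phish_totp(secret, t=1_700_000_000):
    """The victim types the code into the phishing page and the attacker forwards it.
    Nothing in the code records where it was typed, so the RP accepts it."""
    code_typed_on_phish = totp(secret, t)
    return hmac.compare_digest(totp(secret, t), code_typed_on_phish)


if __name__ == "__main__":
    key = Authenticator()
    print("hardware key, real site:", legitimate_login(key))
    print("hardware key, relayed through phish:", relayed_login_via_phish(key))
    print("TOTP, relayed through phish:", relayed_login_via_phish_totp(b"12345678901234567890"))
```

The design point is the one Mirian gestures at: the relying party rejects the relayed assertion without any judgement call by the user, because the browser wrote the phishing origin into the signed data and the server compared it against its own. A push or OTP factor has no such field, so "did the user notice the domain" is exactly the question training tries and fails to solve.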
