Study concludes cybersecurity training doesn’t work
(www.kpbs.org)
from yogthos@lemmy.ml to security@lemmy.ml on 01 Nov 2025 23:47
https://lemmy.ml/post/38383554
I don’t believe this. It’s definitely helped me identify holes I didn’t know about. I’ve also had many coworkers who have found it beneficial. Even the ones that hate it, they just report every email with a link, and don’t click anything. Which is still better than clicking on phishing links.
If it ain’t about hot milfs in my area I ain’t clicking no links on my emails.
That sounds like something that would be more effective if automated. All emails with links being sent to IT.
And the training is bad. No one pays attention to know before’s bullshit click through EULA of a trainer.
People pay attention when engaged. Bring them to a meeting, have people compete to find fakes. Games work. Rewards work.
It would be interesting if they collected (or displayed) other data… like: How happy people failing and people not failing were with the company?
Age range? Favorite music genre?
Do they use TikTok? Did they cry when Captain America picked Thor’s hammer in that MCU movie?
(From the linked study, not the article)
I haven’t dug very deep into the study to see what the training actually involves, but this sounds like something employees would just bullshit their way through as fast as they can. I don’t think this proves that training in general is ineffective but that it needs to be made more engaging and interactive.
Agreed. I had a consulting gig once, actually doing cyber security for Meta. They made us take an automated training, part of which was listening to videos of Mark Zuckerberg talking unironically about how important privacy is to the culture of Meta. The thing is, they had no good mechanism for making sure you actually watched the video. You could just mute Mark and then keep an eye on the run time, because at the end there would be a quiz. Most of the quiz questions were super stupid intuitive like “A friend asks you to use your Meta access to do X to their profile for them, what should you do?” And then multiple choice, with a bunch of obvious bad answers like “Like just do it, it’s fine.”