Most companies have fallen victim to a phishing attack. In fact, according to the latest DBIR report, ~40% of all attacks use phishing. Almost every security professional will tell you that you need to run security awareness campaigns to educate your users. Apparently, everybody agrees that user training is key to avoiding a security breach. Despite that, attackers use phishing very successfully in most of their operations. Many of their victims conduct regular awareness training using top providers. One can wonder how this is possible. Can we say that they did not do a good job in education? How can they be that careless?
Spotting a phishing email is hard. It is meant to be hard, as attackers spend time and money on disguising their emails well. In order to successfully breach a company, one opened malicious link is enough. Moreover, the way humans process information is on their side as well. Daniel Kahneman received a Nobel Prize for his work on the psychology of decision-making. He identified two separate decision-making mechanisms working side by side in everybody. He called these systems System 1 and System 2. System 2 is the conscious decision maker, the one used to solve complex problems.
Everybody has a limited capacity to make well-thought-through decisions using System 2. Once your cognitive capacity is exhausted by a task, System 1 takes over control. System 1 is good at making quick decisions based on schemas. Clicking on the malicious link in an email is often the result of such an instilled schema. People who opened that bad link didn't make a conscious decision. In many cases, they could have spotted the signs if they had spent time analyzing the email using System 2. However, it's unreasonable to expect them to analyze every email they receive using their limited-capacity System 2. No matter how much awareness training you give them, and how hard they try, you can't change the way people process information. And spotting that malicious email is beyond the capabilities of most people's System 1.
At one organization we conducted a phishing test on security professionals. These professionals are trained to be resistant to attacks. Most of them fell for well-crafted emails. Even when they knew that they were being tested, only 1 out of 10 was able to find all malicious emails in the set of 10 emails.
Is security awareness useless? Far from it: you should absolutely instill in all employees the knowledge of how to make better security decisions. However, you should focus on topics where people use conscious decisions. They should know what process to follow to report incidents, what information is sensitive, etc.; however, don't expect them to protect your organization from a phishing email. Automated tools are better suited to address these challenges. If you want to learn more about phishing attacks and how to counter them, come to one of our in-depth trainings.