Worth Reading – No surprise that Phishing Training Doesn’t Work!
Peter suggests that we should be looking elsewhere:
Darkreading.com reported that “A recent study suggests, contrary to popular belief, that most phishing awareness initiatives aren’t having a material impact on employee cybersecurity.”
https://www.vogelitlawblog.com/2025/07/no-surprise-that-phishing-training-doesnt-work/
I would agree that pushing the onus for security to users is never going to be that useful. There’s no incentive for them to care. I am one of them, and my incentive is not being part of an IT team that has to clean up after a breach, more than wanting to protect the firm. I’m not trying to say I don’t take security seriously, but my interest is a more powerful incentive. As Peter rightly points out, employees don’t have any significant financial stake in the organization.
Given this, I can understand why security awareness training doesn’t move the needle. There’s one other thing, though, that I think contributes to its lack of success: technology overwhelm. Every employee is probably learning about AI because their job demands it, learning new feature after new feature of the tools they use to do their job, learning new systems that get rolled out every year, and dealing with technological change at a ridiculous pace.
Then, we make them responsible for learning how to stay secure and deal with all of the hack attempts that may come their way, too.
It’s all too much. Most of your users aren’t going to put in that kind of effort, and a yearly reminder about data security isn’t going to help them keep up with the variety of risks that are out there. It might not be worth the money you spend on it.
