- cross-posted to:
- cybersecurity@infosec.pub
(From the linked study, not the article)
Annual Security Training: At UCSD Health, each employee must complete a standalone security awareness training once per year (with the material designed by KnowBe4).
When employees first join, the HR system automatically assigns an employee this annual security training to complete within a few weeks. Once a user has completed their training, the system automatically reassigns this training to the user after one year (365 days) has elapsed.
I haven’t dug very deep into the study to see what the training actually involves, but this sounds like something employees would just bullshit their way through as fast as they can. I don’t think this proves that training in general is ineffective, but that it needs to be made more engaging and interactive.
Agreed. I had a consulting gig once, actually doing cyber security for Meta. They made us take an automated training, part of which was listening to videos of Mark Zuckerberg talking unironically about how important privacy is to the culture of Meta. The thing is, they had no good mechanism for making sure you actually watched the video. You could just mute Mark and then keep an eye on the run time, because at the end there would be a quiz. Most of the quiz questions were super stupid intuitive like “A friend asks you to use your Meta access to do X to their profile for them, what should you do?” And then multiple choice, with a bunch of obvious bad answers like “Like just do it, it’s fine.”

And the training is bad. No one pays attention to KnowBe4’s bullshit click-through EULA of a trainer.
People pay attention when engaged. Bring them to a meeting, have people compete to find fakes. Games work. Rewards work.
I don’t believe this. It’s definitely helped me identify holes I didn’t know about. I’ve also had many coworkers who have found it beneficial. Even the ones that hate it, they just report every email with a link, and don’t click anything. Which is still better than clicking on phishing links.
That sounds like something that would be more effective if automated. All emails with links being sent to IT.
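As an added illustration of the automated routing idea above (this is example code, not anything from the thread or from KnowBe4), the sketch below extracts every anchor from an HTML email, then holds the message for IT review only when a link looks suspicious: the visible link text names a different domain than the href, the host is an IP literal, or the domain is outside a trusted set. The sample message, the `trusted_domains` set and the two-label approximation of a registrable domain are all assumptions for the example; a real deployment would use the Public Suffix List and a proper mail pipeline hook.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real phish): the first link's visible text
# claims sso.example.com while the href points somewhere else; the second is honest.
SAMPLE_EMAIL = """From: IT Helpdesk <helpdesk@example.com>
To: employee@example.com
Subject: Password expiry notice
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your password expires today. Reset it at
<a href="http://example-com.login-reset.net/portal">https://sso.example.com/reset</a></p>
<p>Policy: <a href="https://intranet.example.com/policy">intranet policy page</a></p>
</body></html>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _registrable(host):
    # Assumption: last two labels approximate the registrable domain.
    # Use the Public Suffix List for co.uk-style TLDs in real code.
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def extract_links(raw_email):
    """Return [(href, visible_text), ...] from every text/html part."""
    msg = message_from_string(raw_email)
    links = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True)
            charset = part.get_content_charset() or "utf-8"
            collector = _AnchorCollector()
            collector.feed(body.decode(charset, "replace"))
            links.extend(collector.links)
    return links


def triage(raw_email, trusted_domains):
    """Return [(href, [reasons]), ...] for links worth holding for IT review."""
    findings = []
    for href, text in extract_links(raw_email):
        host = _host(href)
        reasons = []
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            reasons.append("IP-literal host")
        # Visible text that itself looks like a URL must agree with the href.
        text_host = _host(text) if text.startswith(("http://", "https://")) else None
        if text_host and _registrable(text_host) != _registrable(host):
            reasons.append(f"visible text says {text_host}, href goes to {host}")
        if _registrable(host) not in trusted_domains:
            reasons.append("external domain")
        if reasons:
            findings.append((href, reasons))
    return findings


def route(raw_email, trusted_domains):
    """'hold' sends the message to the IT queue; 'deliver' lets it through."""
    return "hold" if triage(raw_email, trusted_domains) else "deliver"


if __name__ == "__main__":
    for href, reasons in triage(SAMPLE_EMAIL, {"example.com"}):
        print(href, "->", "; ".join(reasons))
    print(route(SAMPLE_EMAIL, {"example.com"}))
```

Holding only on mismatches rather than on every link keeps the IT queue manageable; the display-text-versus-href check is the one that catches the classic lure where the anchor reads as the real SSO page.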
If it ain’t about hot milfs in my area I ain’t clicking no links on my emails.
It would be interesting if they collected (or displayed) other data… like: How happy people failing and people not failing were with the company?
Age range? Favorite music genre?
Do they use TikTok? Did they cry when Captain America picked Thor’s hammer in that MCU movie?