Does Security Training Work?

Episode 342

This week on the podcast, we discuss a recently published research study from UC San Diego on the effectiveness of security awareness training on phishing prevention. After that, we discuss a security researcher's work on identifying vulnerabilities in four separate employee webapps at Intel. Finally, we end with our analysis of a Ponemon Institute research report called The State of File Security.


In a discussion on cybersecurity awareness and training, hosts Marc Laliberte and Corey Nachreiner explore the effectiveness of security awareness training, referencing a UC San Diego study that found no significant impact on phishing susceptibility despite training. They discuss the importance of engaging training methods and the potential for AI to enhance security. Nachreiner also highlights the need for better compliance with security standards. The conversation shifts to a report by the Ponemon Institute on file security, revealing that 45% of respondents fear insider threats, and only 39% are confident in file security when files are shared with third parties. The report also notes that 33% of organizations currently use AI for file security, with 29% planning to adopt it by 2026.

Action Items

  • [ ] @Corey - Analyze the effectiveness of security awareness training and its impact on employee behavior.
  • [ ] @Corey - Evaluate the Ponemon Institute's report on file security and identify areas for improvement in the organization's file management practices.
  • [ ] Review the research findings on vulnerabilities in Intel employee websites and consider potential mitigation strategies.

Outline

Efficacy of Security Awareness Training

  • Marc Laliberte introduces the episode's topics, including a research study from UC San Diego on phishing awareness training.
  • Corey Nachreiner admits to doing his cybersecurity awareness training late, highlighting the importance of timely training.
  • Marc shares that a recent study found no significant impact of security awareness training on employees' ability to spot phishing attempts.
  • The study involved 20,000 employees across the California Health System, with 10 simulated phishing campaigns and various training methods.

Challenges in Security Awareness Training

  • Marc explains that traditional annual training showed no significant difference in failure rates for employees.
  • Corey suggests that initial training might have an impact, but long-term effectiveness is questionable.
  • Marc notes that most employees spent less than a minute engaging with the training material, and many immediately closed the training window.
  • Corey emphasizes the importance of interactive Q&A sessions and forcing employees to complete the training to ensure effectiveness.

Impact of Training Platforms

  • Corey discusses the limitations of the study, suggesting that the training platform might not have enforced completion.
  • Marc agrees, noting that effective training requires active participation and follow-up.
  • Corey shares his experience with a popular cybersecurity training platform that includes simulated phishing emails and interactive Q&A sessions.
  • The discussion highlights the need for better-managed and enforced training programs to ensure effectiveness.

Long-Term Effectiveness of Training

  • Corey argues that initial training might have a significant impact, but long-term effects are minimal.
  • Marc and Corey discuss the potential for AI-based spear phishing to bypass traditional training.
  • Corey suggests that AI-based security systems might be the best defense against sophisticated phishing attacks.
  • The conversation concludes with a consensus that security awareness training is not completely ineffective but needs improvement.

Intel Employee Portal Vulnerabilities

  • Marc introduces a new research post by researcher Eaton, detailing vulnerabilities in Intel employee-only portals.
  • The researcher found four separate web applications with unauthenticated APIs and hard-coded credentials, allowing access to 270,000 Intel employees' data.
  • The first application, an employee business card ordering site, had an unauthenticated API that returned a full employee database.
  • The second application, a project management tool, had hard-coded credentials and weak encryption keys, allowing access to project information.

Additional Vulnerabilities in Intel Applications

  • The third application, a product onboarding site, had numerous hard-coded credentials and HTTP Basic auth headers, allowing access to product information.
  • The fourth application, an environmental health and safety supplier site, had a bypassed authentication check, allowing access to employee information.
  • The researcher reported the findings to Intel's bug bounty program, but most issues were out of scope for the program.
  • Corey and Marc discuss the implications of these vulnerabilities and the importance of proper security measures in web applications.

State of File Security Report

  • Marc introduces the State of File Security report from the Ponemon Institute, sponsored by Opswat.
  • The report highlights concerns about malicious or negligent insiders and file access visibility and control.
  • Only 39% of respondents were confident in file security when transferring to and from third parties.
  • The report also found that 52% of respondents primarily measure file management practices by the productivity of security employees.

AI and File Security

  • The report noted that 33% of organizations are already using AI for file security, with 29% planning to add AI in 2026.
  • Marc and Corey discuss the potential benefits and challenges of using AI for file security.
  • The report also found that only 25% of organizations have a formal generative AI policy, with many banning its use entirely.
  • Corey emphasizes the importance of balancing security with productivity and the need for effective AI governance.

Protecting Against File Security Risks

  • The report identified various methods for protecting against file security risks, including sandboxing, content disarm and reconstruction (CDR), and multi-scanning.
  • Corey explains CDR as a process of breaking down a document to its basic elements and removing any malicious elements.
  • Marc and Corey discuss the importance of using multiple layers of document malware detection in EDR and EPP products.
  • The conversation concludes with a discussion on the need for comprehensive and effective file security measures.
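As an added illustration of the content disarm and reconstruction (CDR) idea Corey describes, and not code from the podcast, Opswat or the Ponemon report: a minimal Python routine that treats a constructed Office-style zip package as a set of parts, keeps only an allowlist of parts needed to render the document, drops everything else (here a macro part), and rebuilds the package with its relationships and content types kept consistent. The sample archive and the allowlist are assumptions for the demo, not a full implementation of the OOXML format.

```python
import io
import re
import zipfile

# Constructed sample: a stripped-down macro-enabled Word package (not a real file).
SAMPLE_PARTS = {
    "[Content_Types].xml": (
        b'<Types><Default Extension="xml" ContentType="application/xml"/>'
        b'<Override PartName="/word/vbaProject.bin" '
        b'ContentType="application/vnd.ms-office.vbaProject"/></Types>'
    ),
    "word/document.xml": b"<w:document><w:body><w:p>Quarterly report</w:p></w:body></w:document>",
    "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 constructed macro blob",
    "word/_rels/document.xml.rels": (
        b"<Relationships>"
        b'<Relationship Id="rId1" Type=".../vbaProject" Target="vbaProject.bin"/>'
        b'<Relationship Id="rId2" Type=".../image" Target="media/image1.png"/>'
        b"</Relationships>"
    ),
    "word/media/image1.png": b"\x89PNG constructed image bytes",
}

# Parts the document needs to render. Anything not listed (macros, OLE objects,
# ActiveX, custom XML) is removed outright rather than scanned for malice.
ALLOWED = re.compile(
    r"^(\[Content_Types\]\.xml|_rels/.*|docProps/.*|word/_rels/.*"
    r"|word/(document|styles|settings|numbering|fontTable)\.xml"
    r"|word/media/[^/]+\.(png|jpe?g|gif))$"
)

def build_zip(parts):
    """Write a dict of {part_name: bytes} into an in-memory zip package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in parts.items():
            z.writestr(name, data)
    return buf.getvalue()

def disarm_docx(blob):
    """Rebuild the package from allowlisted parts; return (clean_bytes, removed_parts)."""
    kept, removed = {}, []
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        for name in z.namelist():
            (kept.__setitem__(name, z.read(name)) if ALLOWED.match(name) else removed.append(name))
    # Drop relationships and content-type overrides that pointed at removed parts,
    # so the reconstructed document has no dangling references.
    for part in removed:
        ref = re.escape(part.rsplit("/", 1)[-1].encode())
        dangling = re.compile(rb'<(?:Relationship|Override)\b[^>]*"[^"]*' + ref + rb'"[^>]*/>')
        for name in (n for n in kept if n.endswith(".rels") or n == "[Content_Types].xml"):
            kept[name] = dangling.sub(b"", kept[name])
    return build_zip(kept), removed
```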