Key takeaways
- QR phishing attacks surged by 22X in 2023
- The Financial Services industry performs twice as well as Retail at spotting and reporting a phishing attack
- Manufacturing and construction is the most targeted industry by phishing
- Legal and Financial are the top-performing departments, and Communications is the most challenged
- Dwell time and threat detection can be tracked both in training simulations and in real attacks
- Dwell time improves by over 32% after 1 year of cybersecurity training, and the top 5% fastest employees report real attacks in less than 2 minutes
- Threat detection improves by over 9X after 1 year of cybersecurity training
A hopeful spin on phishing and cyber behavior stats
I often get frustrated with reports from cybersecurity vendors. Some are excellent, but some are just marketing hype and Fear, Uncertainty and Doubt (FUD) stuffed into an infographic and dressed up as a fluffy pseudo-scientific study. The Phishing and Cybersecurity Behavior Trends report is different.
We don’t need more FUD and fluff. We need data-driven fuel for our efforts to secure our people against cyber-attacks. Tell me about meaningful, behavioral outcomes like dwell time and threat detection based on geography, industry, job role, and phishing type. Cut back on the empty failure rate metric obsession.
Give me some hope. I know for a fact that there are measurable reasons for optimism. Some of those reasons are contained in this report. Let’s focus on what’s actionable and useful, because we’re tired of marketers trying to social engineer us into requesting a demo. Give us value. Show us data that helps us understand human behavior and mitigate risk.
I requested that the facts and insights presented in the Phishing and Cybersecurity Behavior Trends report emphasize what is ultimately a happy ending: people can change. We just need the right program with the right metrics to measure and manage their progress. How often have you read a cybersecurity report that has a happy ending? Probably as (not) often as you’ve seen a reward-based SAT program.
I’ve been working as a CISO for a long time, so I get it: the threat landscape is bad, the solutions aren’t keeping pace, and neither are our budgets. Let’s cover hopeful new ground, because Gartner (Top Cybersecurity Trends of 2024 Report) and Forrester (The Future is Now: Introducing Human Risk Management) are: they’re actually moving beyond the tired SAT category and creating new categories for managing human risk and behavior change. Why? Because there’s hard data that new approaches work.
Positivity in cybersecurity training
"I took the radical approach of adopting positive psychology in my security awareness program around 10 years ago at Nokia. And guess what? We achieved security behavior change at levels that had been impossible with the traditional consequence-based SAT approach."
Petri Kuivala, CISO Advisor
The research is clear. Positive reinforcement is more effective at driving and reinforcing behavior change than any other method. In "The Influential Mind," Adam Grant provides compelling evidence for the reward-based approach. A New York hospital intensive care unit significantly improved hand hygiene compliance by displaying positive feedback at hand washing stations. This technique outperformed:
- Traditional reminders with paternalistic “Wash your hands!” signage
- Creepy Big Brother Is Watching You 24/7 CCTV monitoring with an outsourced surveillance team
But when they installed a display on top of the hand washing station that gave positive feedback for people who properly washed their hands, the compliance rate increased 9X. Yes, you read that right: 9X! Fun fact: in this report, people globally improve their threat reporting rates by 9X with the reward-based Hoxhunt program.
What holds true in both hand-washing and cybersecurity? Both stop the spread of disease.
What the data tells us
This Phishing and Cybersecurity Behavior Stats and Trends report shows how different backgrounds produce different behaviors, and it demonstrates the impact of positive reinforcement on those behaviors. The comprehensive analysis of 1.6 million users responding to 15 million phishing simulations reveals that positive reinforcement can drastically improve things that I’ve never seen tracked before, like dwell time and real threat detection.
I want to say that there really are no "bad" performers here. There is variance between geographies and industries, but our findings show that across the board the phishing reporting rate exceeds 25%, the threshold that author and CISO George Finney believes catalyzes a cultural shift towards positive security outcomes and amplifies the "spin wheel effect" as compliance increases.
We see that even in the lowest reporting rate environments, the top 5% fastest users report real phishing attacks within 71 seconds, and simulated phish in under a minute. Median dwell time improves by roughly one third over one year of training with reward-based learning methods that trigger dopamine when reinforcing new behaviors.
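To make the metrics in the takeaways and the paragraph above concrete, here is an added example (not code from the report or from Hoxhunt) showing how dwell time, reporting rate and the "fastest 5%" threshold can be computed from the same kind of event log for both simulations and real attacks, and how the one-year improvement in median dwell time is derived. The event records, user ids, periods and timestamps are constructed for illustration and are not data from the report.

```python
from datetime import datetime, timedelta
from math import ceil
from statistics import median

# Constructed sample data (hypothetical, not from the report). Each record is one
# phishing email delivered to a user: kind is "simulation" (training) or "real"
# (a genuine attack later confirmed by the SOC); dwell is the number of seconds
# between delivery and the user's report, or None if the user never reported it.
def make_event(user, kind, period, delivered, dwell):
    delivered_at = datetime.fromisoformat(delivered)
    reported_at = delivered_at + timedelta(seconds=dwell) if dwell is not None else None
    return {"user": user, "kind": kind, "period": period,
            "delivered_at": delivered_at, "reported_at": reported_at}

EVENTS = [
    # Start of the training program ("year0"): simulations, 5 of 10 reported
    make_event("u01", "simulation", "year0", "2023-01-10T09:00:00", 45),
    make_event("u02", "simulation", "year0", "2023-01-10T09:05:00", 120),
    make_event("u03", "simulation", "year0", "2023-01-11T10:00:00", 300),
    make_event("u04", "simulation", "year0", "2023-01-11T10:30:00", 600),
    make_event("u05", "simulation", "year0", "2023-01-12T08:00:00", 900),
    make_event("u06", "simulation", "year0", "2023-01-12T08:10:00", None),
    make_event("u07", "simulation", "year0", "2023-01-13T09:00:00", None),
    make_event("u08", "simulation", "year0", "2023-01-13T09:20:00", None),
    make_event("u09", "simulation", "year0", "2023-01-14T11:00:00", None),
    make_event("u10", "simulation", "year0", "2023-01-14T11:15:00", None),
    # One year later ("year1"): simulations, 8 of 10 reported and faster
    make_event("u01", "simulation", "year1", "2024-01-10T09:00:00", 30),
    make_event("u02", "simulation", "year1", "2024-01-10T09:05:00", 60),
    make_event("u03", "simulation", "year1", "2024-01-11T10:00:00", 90),
    make_event("u04", "simulation", "year1", "2024-01-11T10:30:00", 150),
    make_event("u05", "simulation", "year1", "2024-01-12T08:00:00", 200),
    make_event("u06", "simulation", "year1", "2024-01-12T08:10:00", 240),
    make_event("u07", "simulation", "year1", "2024-01-13T09:00:00", 400),
    make_event("u08", "simulation", "year1", "2024-01-13T09:20:00", 500),
    make_event("u09", "simulation", "year1", "2024-01-14T11:00:00", None),
    make_event("u10", "simulation", "year1", "2024-01-14T11:15:00", None),
    # Real attacks in year1, tracked with exactly the same fields
    make_event("u02", "real", "year1", "2024-03-04T14:02:00", 50),
    make_event("u04", "real", "year1", "2024-03-04T14:02:00", 71),
    make_event("u07", "real", "year1", "2024-03-04T14:02:00", 180),
    make_event("u09", "real", "year1", "2024-03-04T14:02:00", None),
]

def dwell_seconds(event):
    """Time from delivery to the user's report; None when never reported."""
    if event["reported_at"] is None:
        return None
    return (event["reported_at"] - event["delivered_at"]).total_seconds()

def select(events, kind=None, period=None):
    """Filter events by kind (simulation/real) and/or training period."""
    return [e for e in events
            if (kind is None or e["kind"] == kind)
            and (period is None or e["period"] == period)]

def reporting_rate(events):
    """Share of delivered emails the recipient reported (threat detection rate)."""
    if not events:
        return 0.0
    return sum(1 for e in events if e["reported_at"] is not None) / len(events)

def fastest_quantile(dwells, q=0.05):
    """Nearest-rank quantile: the dwell time within which the fastest q share reported."""
    ordered = sorted(dwells)
    rank = max(1, ceil(q * len(ordered)))
    return ordered[rank - 1]

def summarize(events):
    """Per-cohort metrics: detection rate, median dwell and the fastest-5% threshold."""
    dwells = [d for d in map(dwell_seconds, events) if d is not None]
    rate = reporting_rate(events)
    return {
        "delivered": len(events),
        "reported": len(dwells),
        "reporting_rate": rate,
        "median_dwell_s": median(dwells) if dwells else None,
        "fastest_5pct_s": fastest_quantile(dwells) if dwells else None,
        # The 25% reporting-rate threshold cited in the article
        "above_25pct_threshold": rate > 0.25,
    }

def dwell_improvement(before, after):
    """Relative reduction in median dwell time between two summaries, as a fraction."""
    return (before["median_dwell_s"] - after["median_dwell_s"]) / before["median_dwell_s"]

if __name__ == "__main__":
    for kind in ("simulation", "real"):
        for period in ("year0", "year1"):
            cohort = select(EVENTS, kind, period)
            if cohort:
                print(kind, period, summarize(cohort))
    y0 = summarize(select(EVENTS, "simulation", "year0"))
    y1 = summarize(select(EVENTS, "simulation", "year1"))
    print(f"median dwell improvement after one year: {dwell_improvement(y0, y1):.0%}")
```

The same summary function runs over simulation and real-attack events, which is the point of tracking both with one schema: a training cohort's median dwell and fastest-5% threshold can be compared directly with how the same people behaved when a genuine phish arrived. The nearest-rank quantile is deliberate so that "fastest 5%" is always a dwell time some real user actually achieved rather than an interpolated value.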
When looking at the country data, I do not see any major surprises. China adopts threat reporting behavior about half as well as the top-performing countries. I have lived and directed cybersecurity in China and I have dealt with the "losing face" culture, which likely drives the inactivity. People are too afraid of making a mistake to try something new and uncertain like reporting a threat, and that drives slower learning curves. Malcolm Gladwell wrote about this extensively in his book, Outliers, citing the example of disproportionate airline crashes in cultures where co-pilots were afraid to speak out and cause their pilots to lose face.
Cyber performance in industries where workers aren't always glued to the keyboard, like Healthcare and Retail, is lagging behind. But even there, the top 5% still kill it. I can't overstate how important this fact is: speed kills phishing incidents. This is what I'm talking about when it comes to actionable insights.
"Linking your threat feed to the SOC, and accelerating response to reported phishing attacks, is like a bullet-proof vest for the workforce. The 'Fast 5' help the slower reporters and poorer performers dodge the bullet aimed at them. Moreover, the SOC can augment the quality of their work with AI assistance as reported threats are automatically categorized and incidents are elevated in real time."
Petri Kuivala, CISO Advisor
This data is extremely helpful when security leaders know how to turn insights into action. With human cyber-risk reduction, action starts with creating a psychologically safe environment, where individuals are allowed to make mistakes. People need to know that their surrounding teams will help them, and keep them safe as they grow their own cyber vigilance muscles.