Is training against phishing still useful in the age of AI?

The study "Pwning User Phishing Training Through Scientific Lure Crafting" by researchers from the University of Chicago, the University of California San Diego (UCSD) and UCSD Health questions the benefits of anti-phishing training and finds only a small effect. Richard Werner, Security Advisor at Trend Micro, comments on this finding.

Cybersecurity: Training is useful, but in the event of an incident, the IT security infrastructure must perform its protective function. (Image: Dan Nelson / Unsplash.com)

We have to stop shifting the blame. Even if it is unpopular, protecting the company remains the responsibility of the IT security department. Other employees can only play a supporting role by recognizing dangerous emails in good time. That cannot be taken for granted, and it will happen less and less in the future, despite training, as the recent study shows. IT security must keep working even when a person makes a mistake, just as in a car: if there is an accident and the driver can no longer intervene, automatic systems such as seat belts and airbags take over the important task of limiting the damage.

What does that mean in the face of AI?

AIs, especially LLMs (Large Language Models), are optimized for machine-human communication. Not only can they string words together in a meaningful way, they can also imitate writing and speaking styles. Using so-called "prompt engineering", i.e. instructing the model in plain language rather than writing code, practically any user can tell the machine how to act. This makes it increasingly difficult for victims to tell the difference between normal and fraudulent communication, while AI also reduces the attacker's costs and increases their productivity.

In the area of fraud, the greatest effort goes into targeted attacks. A perpetrator engages with the victim and tries to build an irresistible lure from the information available. With spear phishing we are not talking about accidents, because they do not happen by chance. They are attacks in the broader sense, and their success rate, according to another study, is over 50 percent, even when they are crafted purely by human experts. So far this type of attack has been rare in practice, because the amount of work required is considerable. But what happens when AI takes over? The evaluation of the data and the creation of an attack profile would then be automated. According to the study, this would have produced usable results in 88 percent of cases, and the generated content can no longer be distinguished from normal communication.

The faster and more effective AI solutions become, the more often they will be used in cybercrime, and the less often humans will recognize the attacks. Regardless of the level of training, the human becomes a less reliable security component.

What can we do next?

Technology has always been the counterpart to human error and is designed to prevent it or at least limit the resulting damage. In IT security, the building blocks of Zero Trust, Cyber Risk Exposure Management (CREM) and Detection and Response are well known. These building blocks reduce both the likelihood of an incident and its impact. For these technologies and strategies, it is irrelevant where the attack comes from and why it could not be averted. Metaphorically speaking, they are the seat belts and airbags that ensure survival when damage occurs. If a link-clicking employee is blamed for a company being fully encrypted, then it is not the employee who is the problem, but the company's own security infrastructure.

Conclusion: Is training necessary? When does it make sense?

Training is expensive. Not only the cost of introducing the processes, but also the working time of every individual employee must be taken into account. It is therefore legitimate to question the added value. That value lies in reducing the probability that a cyberattack succeeds. Training has always been an important part of security strategies. But like everything else in security, it loses effectiveness over time. That does not mean the component immediately becomes pointless. As long as IT security is stretched to capacity by the sheer number of individual events that need to be checked, training is needed to reduce that number.

Training against phishing is particularly important for the fraud itself and for recognizing red flags such as requests for money or for access to company data. Employees also need to understand why they must follow security processes, such as multi-factor authentication when accessing data, and how attackers try to get around them. Yes, training remains important. But it is not an excuse for security incidents. Stigmatizing an employee who failed to recognize an attack is not helpful, because it will happen more often in the future. Companies should take precautions so that even if the worst does happen, the impact remains limited.

Source: Trend Micro
