To give you the best possible experience, this site uses cookies. Review our Privacy Policy and Terms of Service to learn more. Got it!
Search a title or topic

Over 20 million podcasts, powered by 

Player FM logo
Artwork

Tech Business Heidi Trost Cybersecurity Information Security User Experience
Content provided by Heidi Trost. All podcast content including episodes, graphics, and podcast descriptions are uploaded and provided directly by Heidi Trost or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here https://player.fm/legal.

Similar to Human-Centered Security

Player FM - Podcast App
Go offline with the Player FM app!
Get it on App Store Get it on Google Play

Human-Centered Security « »
We Regret to Inform You: Your Phishing Training Did Nothing with Ariana Mirian

46:52
 
Play
Playing
Share
 

MP3Episode home
Manage episode 494751386 series 2836702
Content provided by Heidi Trost. All podcast content including episodes, graphics, and podcast descriptions are uploaded and provided directly by Heidi Trost or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here https://podcastplayer.com/legal.

You click on a link in an email—as one does. Suddenly you see a message from your organization, “You’ve been phished! Now you need some training!” What do you do next? If you’re like most busy humans, you skip it and move on.

Researcher Ariana Mirian (and co-authors Grant Ho, Elisa Luo, Khang Tong, Euyhyun Lee, Lin Liu, Christopher A. Longhurst, Christian Dameff, Stefan Savage, Geoffrey M. Voelker) uncovered similar results in their study “Understanding the Efficacy of Phishing Training in Practice.” The solution? Ariana suggests focusing on a more effective fix: designing safer systems.

In the episode we talk about:

  • Annual cybersecurity awareness training doesn’t reduce the likelihood of clicking on phishing links, even if completed recently. Employees who finished training recently show similar phishing failure rates to those who completed it months ago. The study notes, “Employees who recently completed such training, which has significant focus on social engineering and phishing defenses, have similar phishing failure rates compared to other employees who completed awareness training many months ago.”
  • Phishing simulations combined with training (where companies send out fake phishing emails to employees and, for those who click on the links, lead those employees through training) had little impact on whether participants would click phishing links in the future.
  • Ariana was hopeful about interactive training but found that too few participants engaged with it to draw meaningful conclusions.
  • The type of phishing lure (e.g., password reset vs. vacation policy change) influenced whether users clicked. Ariana warned that certain lures could artificially lower click rates.
  • Ultimately, Ariana suggests focusing on designing safer systems—where the burden is taken off the end users. She recommends two-factor authentication, using phishing-resistant hardware keys (like YubiKeys), and blocking phishing emails before they reach users.

This quote from the study stood out to me: “Our results suggest that organizations like ours should not expect training, as commonly deployed today, to substantially protect against phishing attacks—the magnitude of protection afforded is simply too small and employees remain susceptible even after repeated training.”

This highlights the need for safer system design, especially for critical services like email, which—and this is important—inherently relies on users clicking links.

Ariana Mirian is a senior security researcher at Censys. She completed her PhD at UC San Diego and co-authored the paper, “Understanding the Efficacy of Phishing Training in Practice.”

G. Ho et al., "Understanding the Efficacy of Phishing Training in Practice," in 2025 IEEE Symposium on Security and Privacy (SP), San Francisco, CA, 2025, pp. 37-54, doi: 10.1109/SP61157.2025.00076.

  continue reading

59 episodes

#Tech #Business #Heidi Trost #Cybersecurity #Information Security #User Experience
Artwork

We Regret to Inform You: Your Phishing Training Did Nothing with Ariana Mirian

Human-Centered Security

published

Play Playing
iconShare
 
MP3Episode home
Manage episode 494751386 series 2836702
Content provided by Heidi Trost. All podcast content including episodes, graphics, and podcast descriptions are uploaded and provided directly by Heidi Trost or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here https://podcastplayer.com/legal.

You click on a link in an email—as one does. Suddenly you see a message from your organization, “You’ve been phished! Now you need some training!” What do you do next? If you’re like most busy humans, you skip it and move on.

Researcher Ariana Mirian (and co-authors Grant Ho, Elisa Luo, Khang Tong, Euyhyun Lee, Lin Liu, Christopher A. Longhurst, Christian Dameff, Stefan Savage, Geoffrey M. Voelker) uncovered similar results in their study “Understanding the Efficacy of Phishing Training in Practice.” The solution? Ariana suggests focusing on a more effective fix: designing safer systems.

In the episode we talk about:

  • Annual cybersecurity awareness training doesn’t reduce the likelihood of clicking on phishing links, even if completed recently. Employees who finished training recently show similar phishing failure rates to those who completed it months ago. The study notes, “Employees who recently completed such training, which has significant focus on social engineering and phishing defenses, have similar phishing failure rates compared to other employees who completed awareness training many months ago.”
  • Phishing simulations combined with training (where companies send out fake phishing emails to employees and, for those who click on the links, lead those employees through training) had little impact on whether participants would click phishing links in the future.
  • Ariana was hopeful about interactive training but found that too few participants engaged with it to draw meaningful conclusions.
  • The type of phishing lure (e.g., password reset vs. vacation policy change) influenced whether users clicked. Ariana warned that certain lures could artificially lower click rates.
  • Ultimately, Ariana suggests focusing on designing safer systems—where the burden is taken off the end users. She recommends two-factor authentication, using phishing-resistant hardware keys (like YubiKeys), and blocking phishing emails before they reach users.

This quote from the study stood out to me: “Our results suggest that organizations like ours should not expect training, as commonly deployed today, to substantially protect against phishing attacks—the magnitude of protection afforded is simply too small and employees remain susceptible even after repeated training.”

This highlights the need for safer system design, especially for critical services like email, which—and this is important—inherently relies on users clicking links.

Ariana Mirian is a senior security researcher at Censys. She completed her PhD at UC San Diego and co-authored the paper, “Understanding the Efficacy of Phishing Training in Practice.”

G. Ho et al., "Understanding the Efficacy of Phishing Training in Practice," in 2025 IEEE Symposium on Security and Privacy (SP), San Francisco, CA, 2025, pp. 37-54, doi: 10.1109/SP61157.2025.00076.

  continue reading

59 episodes

#Tech #Business #Heidi Trost #Cybersecurity #Information Security #User Experience

All episodes

×
 
Loading …

Welcome to Player FM!

Player FM is scanning the web for high-quality podcasts for you to enjoy right now. It's the best podcast app and works on Android, iPhone, and the web. Signup to sync subscriptions across devices.

 

Similar to Human-Centered Security

Listen to 500+ topics
Player FM - Podcast App
Go offline with the Player FM app!
Get it on App Store Get it on Google Play
icon
Help/FAQ | Advertise with Us
Arts|Business|Comedy|Economics|Entertainment|News|Politics|Religion
Science|Soccer|Sports|Storytelling|Technology|True Crime
Copyright 2025 | Privacy Policy | Terms of Service | | Copyright
Episode being played series thumbnail
icon icon
Speed
Series settings
1x
1x
Volume
100%
icon
icon icon
/

View Player FM in...
Player FM
Browser
Chrome
Safari
Firefox
Listen to this show while you explore
Play