This report on human risk in the critical infrastructure sector comes from an analysis of over 15 million phishing simulations and real email attacks reported in 2022 by 1.6 million people participating in a security behavior change program. Over 65% of active participants in this behavior change program detect and report real malicious email attacks within a year of commencing training. The fact that 66% of people are detecting a real attack is one of the most impactful measures of true security behavior change that we know to have been recorded. Real threat detection is a key value driver in transforming security awareness programs into human risk management.
These findings reveal valuable insights into the state of human risk and, importantly, into how human cyber-risk can be demonstrably mitigated by a robust behavior change program in the critical infrastructure sector, which the White House singled out as the top strategic pillar in its Cybersecurity Strategy document.
Energy & Utilities companies are emphasized in this analysis, which compares critical infrastructure results against the global average of all sectors. According to CISA, critical infrastructure includes 16 sectors.
“… much work remains to ensure the security and resilience of our critical infrastructure in light of complex threats and increasing geopolitical tension… We need to normalize cyber risks for the general public with the recognition that cyber attacks are a reality for the foreseeable future. We can't completely prevent attacks from happening, but we can minimize their impact by building resilience into our infrastructure and into our society. We need to look no further than our Ukrainian partners for an example of the power of societal resilience.”
– Jen Easterly, CISA Director
- Critical infrastructure employees are unusually active and high-performing threat reporters.
- Critical infrastructure’s resilience ratio* (success rate/failure rate) is 51% higher than the global industry average: 10.9 for critical infrastructure vs. 7.2 for the global average.
- Resilience velocity* is 20% higher in critical infrastructure (i.e. organizational real threat detection rates reach a point of diminishing returns at 10 months, compared to 12 months).
- Training produces measurable real-life behavior change: 65.6% of active security behavior change program participants detected and reported a real threat in the previous year.
- Phishing simulation reporting rates in critical infrastructure begin lower, but climb 61% higher than the global average after 12 months.
- Miss rates—not interacting with a phishing simulation—start higher in critical infrastructure but, after 12 months, are 65% lower than the global average.
- Phishing simulation failure rates are 5.3% in critical infrastructure, slightly above the 5.1% global average—impressive, given the higher participation rate.
- The most effective type of phishing attack—spoofed internal organizational communications—induces an 11.4% higher failure rate in critical infrastructure than the global average.
- Marketing and communications departments in critical infrastructure have the highest phishing simulation failure rates, similar to the global trend, but their failure rate is higher.
- Sales departments in critical infrastructure have lower failure rates than all other industries.
*Resilience ratio provides a more accurate snapshot of the true risk of a data breach than standalone metrics like failure rate and engagement. Dividing threat reporting rate (the key, ideal behavior associated with a phishing attack) by failure rate contextualizes an organization’s skill at recognizing and reporting phishing attacks (success rate) with its true risk of clicking on a malicious link (failure rate).
*Resilience velocity shows how quickly an organization can reach a state of measurable risk posture improvement as a function of effective behavior change training.