People can change. Well, their behavior can change. But in cybersecurity, behavior is everything, right? Because right now, people’s behavior around phishing emails is generally not ideal. Virtually every data breach begins with a phishing attack, and there are so many of those today that the cyber insurance industry collapsed in 2021.
But we have good news! According to the inaugural Hoxhunt Behavioral Cybersecurity Report, people can become so good at recognizing and reporting a phishing attack that they measurably lower their organization’s risk of a phishing breach. Sometimes by orders of magnitude. And we have the data to prove it.
Behavioral Cybersecurity is the antidote to social engineering
Hoxhunt analyzed how 1.6 million people responded to 24.7 million phishing simulations. We categorized Hoxhunt training participants by Geography, Job Role, and Industry and examined how many phishing simulations they either reported, failed, or missed. We also looked at their real phishing reporting behavior. Guess what?
Real phishing reporting rates either improved or stagnated depending on users' phishing simulation performance.
We could see all of that because Hoxhunt phishing training is grounded in behavioral cybersecurity science, and built around a threat reporting plug-in.
The results aren’t just encouraging. Some are mind-blowing. Others might be revolutionary. Our data shows:
- A 350% global drop in phishing simulation fail rates, from around 14% to 4%, with Hoxhunt phishing training, which corresponds with:
- A nearly 70% rise in real threat reports
- An over 60% improvement in the accuracy of reporting threats as phish, rather than spam or email
That’s good news, right? And right now, we could all use a little good news in cybersecurity. Because the numbers slithering out of the threat landscape are grim.
Email-originated cyber attacks account for over 90% of all data breaches, which in total exacted a $6 trillion toll on the global economy in 2021 at a clip of over $14 million-and-climbing per company per successful phishing attack, according to reports by the Ponemon Institute, Verizon, and Cybersecurity Ventures. Collectively, those little clicks would add up to the GDP of the third largest nation in the world behind the US and China.
Understanding why cybersecurity is really a behavioral science is a critical step towards defending against phishing attacks and data breaches.
Good security training works
When trained correctly, employees improve cybersecurity skills and report more real phishing threats. With the Hoxhunt phishing training:
- Phishing simulation fail rates dropped from 14% to 4% globally
- Success rates--with Success measured as the reporting of a simulated phishing attack--jumped from near-zero to between 52% and 74% of simulations, depending on industry
- Real threat reporting rate improved by nearly 70% from training baseline
- Real threat reporting accuracy continuously improved from near-zero to 60%
- Engagement rate soared to 88.75% of employees onboarded to the Hoxhunt training
Misleading metrics: If you’re obsessed with failure, you’re doomed to fail.
- Fail rate alone is a misleading metric. Without simulated + real threat reporting metrics, fail rate is empty. It fails to accurately:
- Capture organizational resilience
- Predict real threat reporting
- Reflect employees' cyber self-defense skills
- Take into account the vast unknown of missed simulations and unengaged employees
Success rate rules
The frequency with which people report phishing simulations is the best:
- Indicator of security skill
- Predictor of real threat reporting behavior
- Way to reward good reporting behavior so as to ingrain it as a reflex
Today’s miss is tomorrow’s phish
Missed simulations (those neither failed nor reported) are a dangerous "unknown" that can't be ignored.
- Users who miss simulated emails are missing out on learning, and are at higher risk of failure
- Don’t miss up! Lowering the miss rate is correlated with elevated real threat reporting
- Fail rate becomes meaningful when placed within the larger context of phishing simulations that have been reported, missed, and failed, as well as real threats that have been reported.
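To make the distinction between fail rate and the fuller set of reporting metrics concrete, here is an added example (not Hoxhunt's code or data) that computes fail, success and miss rates per team from constructed simulation outcomes, together with real-threat reporting rate and reporting accuracy. The two constructed teams share an identical fail rate yet differ sharply in success and miss rates, which is exactly the blind spot the points above describe. Team names, outcome labels and analyst verdict labels are assumptions for the example.

```python
"""Phishing-simulation metrics calculator (added example, not Hoxhunt's code).

Each simulated phishing email sent to a user ends in exactly one outcome:
"reported" (the user flagged it), "failed" (the user clicked or entered
credentials) or "missed" (neither). Real, non-simulated emails that users
report are later given an analyst verdict: "phish" or something else
(e.g. "spam"). All data at the bottom is constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass

REPORTED, FAILED, MISSED = "reported", "failed", "missed"
OUTCOMES = {REPORTED, FAILED, MISSED}


@dataclass(frozen=True)
class Metrics:
    fail_rate: float         # failed simulations / simulations sent
    success_rate: float      # reported simulations / simulations sent
    miss_rate: float         # neither reported nor failed / simulations sent
    real_report_rate: float  # real (non-simulated) reports per user
    report_accuracy: float   # share of real reports analysts confirmed as phish


def simulation_rates(outcomes):
    """Split a list of simulation outcomes into (fail, success, miss) fractions."""
    if not outcomes:
        raise ValueError("no simulations sent")
    unknown = set(outcomes) - OUTCOMES
    if unknown:
        raise ValueError(f"unknown outcome(s): {sorted(unknown)}")
    counts = Counter(outcomes)
    total = len(outcomes)
    return counts[FAILED] / total, counts[REPORTED] / total, counts[MISSED] / total


def report_accuracy(verdicts):
    """Fraction of user-reported real emails that analysts confirmed as phish."""
    if not verdicts:
        return 0.0
    return sum(1 for v in verdicts if v == "phish") / len(verdicts)


def compute_metrics(team):
    """Build the full metric set for one team (a dict, see TEAM_A below)."""
    if team["users"] <= 0:
        raise ValueError("team must have at least one user")
    fail, success, miss = simulation_rates(team["simulations"])
    verdicts = team["real_report_verdicts"]
    return Metrics(fail, success, miss,
                   len(verdicts) / team["users"], report_accuracy(verdicts))


def relative_change(baseline, current):
    """Relative change from a baseline, e.g. 0.7 means a 70% rise."""
    if baseline == 0:
        raise ValueError("baseline is zero; report absolute change instead")
    return (current - baseline) / baseline


def fail_rate_hides_difference(a, b, tol=1e-9):
    """True when two teams share a fail rate but differ in success or miss rate."""
    same_fail = abs(a.fail_rate - b.fail_rate) <= tol
    differs = (abs(a.success_rate - b.success_rate) > tol
               or abs(a.miss_rate - b.miss_rate) > tol)
    return same_fail and differs


# Constructed sample data: two teams of 10 users, each sent 4 simulations (40 total).
# Both teams failed exactly 2 simulations, so their fail rates are identical.
TEAM_A = {  # engaged team: most simulations reported, few missed
    "users": 10,
    "simulations": [FAILED] * 2 + [REPORTED] * 30 + [MISSED] * 8,
    "real_report_verdicts": ["phish"] * 10 + ["spam"] * 4,
}
TEAM_B = {  # disengaged team: most simulations missed, few reported
    "users": 10,
    "simulations": [FAILED] * 2 + [REPORTED] * 8 + [MISSED] * 30,
    "real_report_verdicts": ["phish"] + ["spam"] * 2,
}

if __name__ == "__main__":
    for name, team in (("Team A", TEAM_A), ("Team B", TEAM_B)):
        m = compute_metrics(team)
        print(f"{name}: fail={m.fail_rate:.2f} success={m.success_rate:.2f} "
              f"miss={m.miss_rate:.2f} real reports/user={m.real_report_rate:.2f} "
              f"accuracy={m.report_accuracy:.2f}")
    print("fail rate alone hides the difference:",
          fail_rate_hides_difference(compute_metrics(TEAM_A), compute_metrics(TEAM_B)))
```

Run stand-alone, the script prints both teams at a 5% fail rate; only the success, miss and real-report columns reveal that Team A reports roughly four times as many simulations and real threats as Team B. The `relative_change` helper is how a "70% rise from baseline" style figure is derived once a pre-training baseline rate is available.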
Who you are predicts how you’ll behave
Training programs must factor in who employees are and be able to individualize content to fit their strengths and weaknesses.
Cybersecurity performance varies significantly depending on geography, job role, and industry:
- Geography: Countries with the highest real threat reporting rates--Switzerland and Denmark--report threats 10 times more frequently than the lowest-reporting countries, China and Romania.
- Job role: IT had the highest Success rate (63%); Sales had the lowest Success rate (54.1%).
- Industry: The Public Policy category had the lowest phishing simulation failure rate, 1.2%, and the highest Success rate, 74%. Comparatively worse are the Dairy industry’s failure rate of 7.7%, and the Construction industry’s 47.5% Success rate.