Highlights:

  • The primary discovery of the report revealed that within a year of receiving security behavior training, approximately two-thirds of individuals in critical infrastructure organizations could detect and report at least one actual malicious email attack.
  • While the report brought positive findings, it also revealed a concerning aspect: critical infrastructure employees are more vulnerable to spoofed internal organizational communications, with an 11% higher failure rate than global averages.

Recently, Hoxhunt Ltd., a cybersecurity training services company, published a new report revealing increased engagement among critical infrastructure employees concerning organizational security.

The “Human Cyber-Risk Report: Critical Infrastructure” analyzed over 15 million phishing simulations and real email attacks reported in 2022 by 1.6 million participants in security behavior change programs. The report’s findings emphasize the increased involvement of critical infrastructure employees in enhancing organizational security.

The primary finding revealed that within a year of receiving security behavior training, approximately two-thirds of individuals in critical infrastructure organizations could detect and report at least one actual malicious email attack. The sector also exhibited a 20% higher resilience velocity, meaning its employees reached peak threat-detection behavior faster than the global average.

The report also revealed that the critical infrastructure sector demonstrates an impressively high success rate in phishing simulation exercises. Within a year of training, its accurate reporting of simulations is 61% higher than the global average. Its resilience ratio, which compares the success rate with the failure rate, is 51% higher than the worldwide average.

While the report brought positive findings, it also revealed a concerning aspect: critical infrastructure employees are more vulnerable to spoofed internal organizational communications, with an 11% higher failure rate than global averages.

Among critical infrastructure organizations, the finance, sales, and legal departments displayed the highest resilience, with sales in particular outperforming the global average. In contrast, departments such as communication, marketing, and business development were identified as more susceptible to phishing attacks.

According to Timothy Morris, Chief Security Adviser at endpoint management firm Tanium Inc., the report indicates that while many companies conduct compliance training, such as four phishing training events per year, those implementing more frequent training sessions achieve better performance.

Morris stated, “It is evident from the report that behavior modification improves with rewards-based training versus the more prevalent failure models that are used with phishing software awareness training tools. The adaptive training methods and gamification using AI for their simulations appear to have more positive results.”