this post was submitted on 02 Nov 2025
174 points (97.3% liked)
cybersecurity
5120 readers
40 users here now
An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!
Community Rules
- Be kind
- Limit promotional activities
- Non-cybersecurity posts should be redirected to other communities within infosec.pub.
Enjoy!
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
I guess I don’t understand the metric of success. My training at work has helped me recognize risks more than most of my family that has no idea what root domain URL scam is. Did most of my family fail? Yes. Did 20% learn something and avoid risk? Yes.
In large companies the training is for liability purposes, “see they all passed their tests, we tried to warn them”. People are always going to be the attack vector, that’s unavoidable… but 20% success is better than 0% success. As an admin, if I received a 20% spike in phishing reports, that’s statistically significant and should be looked into and stopped (proxy violation).
Cost of training is unavoidable and budgeted for.
Some of it is useful but IT practices that waste my time mean I get less done, makes me work more unpaid overtime, results in lower raises because you get less done, and destroys innovation and the company in the long run because more and more things need permission. You cannot run an innovative organization that way. One reason I left the company.
Yeah it’s been a few years and I don’t remember what at this point, but my training has taught me a new scam or two before.
i guess you will find if you read the study mentioned in the article.
it is certainly possible that the study, or its interpretation in the article, is bs - i did not read either one of them. i am just stating in the vacuum that if something does not work (which is what that headline presents as conclusion of the study), then wasting time and money on it is worse than doing nothing.