William J Gordon1,2,3, Adam Wright1,2,3, Robert J Glynn2,4,5, Jigar Kadakia3, Christina Mazzone3, Elizabeth Leinbach3, Adam Landman2,3,6. 1. Division of General Internal Medicine and Primary Care, Brigham and Women's Hospital, Boston, Massachusetts, USA. 2. Harvard Medical School, Boston, Massachusetts, USA. 3. Partners HealthCare, Boston, Massachusetts, USA. 4. Division of Preventive Medicine, Brigham and Women's Hospital, Boston, Massachusetts, USA. 5. Harvard T.H. Chan School of Public Health, Boston, Massachusetts, USA. 6. Department of Emergency Medicine, Brigham and Women's Hospital, Boston, Massachusetts, USA.
Abstract
OBJECTIVE: The study sought to understand the impact of a phishing training program on phishing click rates for employees at a single, anonymous US healthcare institution.

MATERIALS AND METHODS: We stratified our population into 2 groups: offenders and nonoffenders. Offenders were defined as those who had clicked on at least 5 simulated phishing emails, and nonoffenders were those who had not. We calculated click rates for offenders and nonoffenders, before and after a mandatory training program for offenders was implemented.

RESULTS: A total of 5416 unique employees received all 20 campaigns during the intervention period; 772 clicked on at least 5 emails and were labeled offenders. Only 975 (17.9%) of our set clicked on 0 phishing emails over the course of the 20 campaigns; 3565 (65.3%) clicked on at least 2 emails. There was a decrease in click rates for each group over the 20 campaigns. The mandatory training program, initiated after campaign 15, did not have a substantial impact on click rates, and the offenders remained more likely to click on a phishing simulation.

DISCUSSION: Phishing is a common threat vector against hospital employees and an important cybersecurity risk to healthcare systems. Our work suggests that, under simulation, employee click rates decrease with repeated simulation, but a mandatory training program targeted at high-risk employees did not meaningfully decrease the click rates of this population.

CONCLUSIONS: Employee phishing click rates decrease over time, but a mandatory training program for the highest-risk employees did not decrease click rates when compared with lower-risk employees.
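The analysis described in MATERIALS AND METHODS (label employees who clicked in at least 5 simulated campaigns as offenders, then compare each group's click rate before and after the training cut-over following campaign 15) is straightforward to reproduce on a simulation platform's own export. The following is an added example written for this page; it is not the study's code, and the per-employee click sets it uses are constructed sample data, not the study's data. The thresholds (20 campaigns, 5 clicks, training after campaign 15) are the ones stated in the abstract; the employee ids and the `difference_in_differences` helper are assumptions added here.

```python
"""Offender/nonoffender click-rate analysis for a phishing simulation program.

Added example, not the study's code. Parameters follow the study design in the
abstract; the sample click data is constructed for illustration only.
"""
from collections import Counter

N_CAMPAIGNS = 20                 # campaigns delivered in the intervention period
OFFENDER_THRESHOLD = 5           # clicked in >= 5 campaigns -> "offender"
TRAINING_AFTER_CAMPAIGN = 15     # mandatory training started after this campaign

# Constructed sample data (NOT the study's data): employee id -> set of campaign
# numbers (1..20) in which that employee clicked the simulated phishing link.
SAMPLE_CLICKS = {
    "emp-001": {1, 2, 3, 4, 5, 6, 7, 16, 17},   # 9 clicks  -> offender
    "emp-002": {2, 4, 6, 8, 10, 18},            # 6 clicks  -> offender
    "emp-003": set(),                           # 0 clicks  -> nonoffender
    "emp-004": {3, 12},                         # 2 clicks  -> nonoffender
    "emp-005": {1},                             # 1 click   -> nonoffender
    "emp-006": {5, 9, 13, 17, 20},              # 5 clicks  -> offender
}


def label_offenders(clicks, threshold=OFFENDER_THRESHOLD):
    """Return the set of employees who clicked in at least `threshold` campaigns."""
    return {emp for emp, campaigns in clicks.items() if len(campaigns) >= threshold}


def click_rate(clicks, employees, campaigns):
    """Clicks divided by exposures (employees x campaigns) for one group and window."""
    exposures = len(employees) * len(campaigns)
    if exposures == 0:
        return 0.0
    hits = sum(1 for emp in employees for c in campaigns if c in clicks[emp])
    return hits / exposures


def pre_post_click_rates(clicks, threshold=OFFENDER_THRESHOLD,
                         training_after=TRAINING_AFTER_CAMPAIGN,
                         n_campaigns=N_CAMPAIGNS):
    """Per-group click rates before and after the training cut-over."""
    offenders = label_offenders(clicks, threshold)
    nonoffenders = set(clicks) - offenders
    pre = range(1, training_after + 1)             # campaigns 1..15
    post = range(training_after + 1, n_campaigns + 1)  # campaigns 16..20
    return {
        "offenders": {
            "n": len(offenders),
            "pre": click_rate(clicks, offenders, pre),
            "post": click_rate(clicks, offenders, post),
        },
        "nonoffenders": {
            "n": len(nonoffenders),
            "pre": click_rate(clicks, nonoffenders, pre),
            "post": click_rate(clicks, nonoffenders, post),
        },
    }


def click_count_distribution(clicks):
    """Number of employees who clicked 0, 1, 2, ... times across all campaigns."""
    return Counter(len(campaigns) for campaigns in clicks.values())


def difference_in_differences(rates):
    """Offender pre-to-post change minus nonoffender pre-to-post change.

    Both groups' rates fall with repeated simulation, so the nonoffender change
    is the secular trend; subtracting it isolates what the training added.
    A negative value means the trained group improved more than the untrained one.
    """
    off = rates["offenders"]["post"] - rates["offenders"]["pre"]
    non = rates["nonoffenders"]["post"] - rates["nonoffenders"]["pre"]
    return off - non


if __name__ == "__main__":
    rates = pre_post_click_rates(SAMPLE_CLICKS)
    for group, r in rates.items():
        print(f"{group:13s} n={r['n']}  pre={r['pre']:.3f}  post={r['post']:.3f}")
    dist = click_count_distribution(SAMPLE_CLICKS)
    print("clicked 0 emails:", dist[0],
          "| clicked >= 2 emails:", sum(v for k, v in dist.items() if k >= 2))
    print(f"difference-in-differences: {difference_in_differences(rates):+.3f}")
```

The comparison to make is the one in the abstract: not whether offenders' rate fell after training, but whether it fell more than the nonoffenders' rate over the same campaigns, since the study reports both groups declining with repeated simulation. Note that the constructed sample is far too small to say anything; on real data, groups should be sized in the hundreds before reading much into the difference.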