The Security Paradox: How Phishing Filters Can Make Your Organization Less Secure

Automated phishing filters have become highly effective at filtering spam and phishing emails out of users' inboxes. However, no system is 100% effective, and occasionally phish do make it through the net. So how do users respond to these phishing emails when they become less frequent?

Surprisingly, research suggests that rarely encountering phishing emails can lead to a "prevalence paradox" in which users become more susceptible to phishing emails when they encounter them less often.[1] Humans require a balanced exposure to target stimuli to maintain vigilance against threats. This principle applies to baggage screeners, x-ray technicians, police officers, airline pilots and even spiders waiting for flies.

We all need occasional exposure to stimuli to stay vigilant. One of the most effective ways to maintain vigilance against malicious emails is to send users training versions of phishing emails. These training emails are most effective when they closely resemble actual phishing emails that are reported to information security departments.

However, as with most things, balance is needed. If we are constantly exposed to new threats, we become overwhelmed and fatigue sets in; if we are rarely exposed to threats, complacency sets in and we lower our guard. The optimal frequency and difficulty of these campaigns will vary among users, with some requiring more frequent exposure to phishing emails and others only requiring the occasional phish. Regardless of our individual vigilance orientation, we all need occasional exposure to benign phishing emails to stay vigilant against them. Too little exposure will likely lead to reduced vigilance.

Why We Need the Occasional Phish

As I discussed in a previous post, people rely on habit loops when sorting through the email in their inboxes. Only when something in an email catches our attention — if the wording or some detail seems “off” in the message — do we begin to consciously scrutinize the details of it.

Research suggests that the cyber risk beliefs that we have about the probability of encountering a phishing email influence our level of suspicion about that email in our inbox.[2] This is one reason why people in the security industry often have a hard time understanding users’ insecure actions; we have a different set of cyber risk beliefs than non-security folks do. Humans rely on a heuristic (rule-of-thumb) known as the Availability Heuristic to judge the probability of events.[3] When we personally encounter a threat, or we hear a memorable story about a threat, we judge that threat to be more likely. Hence the reason that sharks are considered more deadly than vending machines, even though vending machines are nearly twice as fatal in the United States.[4][5]

Encountering realistic simulated phishing emails creates memories for these events that lead us to judge phishing as more likely. These cyber risk beliefs make us more suspicious of the emails in our inbox and therefore more likely to spot a malicious message.

For this reason, it is beneficial to have more encounters with realistic “de-fanged” training emails than the malicious messages we are likely to encounter in the wild. The more realistic the training messages, the more likely we are to spot the truly malicious messages.

Finding the Right Campaign Frequency

The critical question for security awareness teams is how to find the right balance of sending enough training campaigns to maintain user vigilance without sending so many that users being to experience security fatigue and resent training campaigns.

This optimal training frequency will vary according to the proficiency of the individual. Some individuals are naturally more attentive or aware of potential phishing attacks than others. These are usually the employees who report every email that is suspicious and recognize nearly every training phishing email. These “protective stewards” of your organization usually do not require more frequent phishing exercises and often benefit from more difficult trials.

On the other hand, other members of your organization might need extra help in the form of more frequent emails. These users often fall within the “repeat clicker” camp[6] and may benefit from more frequent exposure to phishing simulations.

While the ideal solution would be to create individually tailored phishing campaigns, this is unrealistic for most security awareness programs because it is too much of a drain on time and resources. When planning campaign frequency across an organization, research seems to converge around a minimum of four times per year to maintain effectiveness and relevance of training.[7]

The Bottom Line

Detecting potentially malicious emails is a skill, and like any other skill, we need occasional practice to maintain proficiency. Sending users realistic simulated phishing campaigns is critical to maintaining vigilance against the occasional malicious phishing emails that manage to get through the filters. A minimum of four campaigns per year is needed to maintain user proficiency. While more frequent campaigns are ideal, be cautious against over-phishing and inducing security fatigue.

[1] Sawyer, B. D., & Hancock, P. A. (2018). Hacking the human: the prevalence paradox in cybersecurity. Human factors, 60(5), 597-609.

[2] Vishwanath, A., Harrison, B., & Ng, Y. J. (2018). Suspicion, cognition, and automaticity model of phishing susceptibility. Communication Research, 45(8), 1146-1166.

[3] Kahneman, D. (2011). Thinking, fast and slow. Macmillan.

[4] “International Shark Attack File,” Florida Museum.

[5] “CPSC, Soda Vending Machine Industry Labeling Campaign Warns Of Deaths And Injuries,” CPSC.

[6] Canham, M., Posey, C., Strickland, D., & Constantino, M. (2021). Phishing for Long Tails: Examining Organizational Repeat Clickers and Protective Stewards. SAGE Open, 11(1).

[7] Jampen, D., Gür, G., Sutter, T., & Tellenbach, B. (2020). Don’t Click: towards an effective anti-phishing training. A comparative literature review. Human-centric Computing and Information Sciences, 10(1), 1-41.