
The awareness myth

Some salesperson calls you: "The most significant attack vector is email, as I'm sure you know. So educating your users to not click those malicious links is the most important security initiative you can take."
That guy in your professional network, he is responsible for GRC in a large financial company, says: "Awareness will not catch 100% of the phishing mails, more like maybe 70-90%. But technical solutions like firewalls, spam filters and so on do not catch 100% either. Each layer provides some level of security. Awareness is just another layer. Add it to the technical solutions, and you get a much better protection."
Reading up on some security compliance standard: "Organisations can't rely on spam filters to block phishing attacks, because cyber criminals are constantly finding ways to circumvent them. They must instead teach employees how to spot phishing emails and regularly remind them of these lessons. Your employees are the first line of defence, and it is essential to equip and empower them with the right tools and mindset."

There is a clear consensus that awareness improves your security, but it is wrong. I will try to explain...

Conjunctive security

The most compelling argument is the one from that guy in the network (the second example above). He points out, correctly, that you should use multiple layers of security. Each should work differently, so that it can catch what slipped through the previous layers.

A simple illustrative example:

[Figure: disjunctive security setup]

As you can see, each layer in itself is poor protection, but together they stop an amazing 99%.

Note that this is a simple model. Reality is more complex. But the model shows quite well how it works.

So it appears to be a good idea to add an "awareness layer" as well. How well will that work? Let us look into that.

First, let us see how we can model an awareness layer. Here the protection lies with the individual users; it is installed in human brains, so to speak. Each of them works in their own way, with their own strengths and weaknesses, and each can be tricked in their own way.

To cut through the complexity we can say that a user catches a phishing mail with some probability. In the big picture this should be accurate. The probability can vary from user to user, and two users catch phishing mails independently of each other. If you have studied statistics, you could say that the users can be represented by independent stochastic variables, each with the outcomes {STOP, CONTINUE}.

A phishing mail gets through the awareness layer if just one of the users (variables) doesn't say STOP.

But what probabilities should we assign? A phishing test can give the answer. It shows how many users clicked the link in the test mail or opened the attachment. If it is only 10%, you should be happy; that is a very low number.

With that we now have a sufficient model for an awareness layer.

Phishing campaigns usually target many users in one attack. In a large company it is routine to receive hundreds of phishing mails in a single attack.

[Figure: conjunctive security]

Even with the high protection level of 90% that awareness might provide with a single user, it quickly evaporates as the attack scales: it's 81% with two users, 35% with 10 and 0.5% with 50... The awareness layer fails if one of its parts fails. It is a conjunctive system.
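To make the two models concrete, here is a small added example (my own code, not from the post) that computes both the disjunctive block rate of stacked technical layers from the first illustration and the conjunctive block rate of an awareness layer from the second. The per-user catch rates and the phishing-test numbers are constructed for illustration; the only figure taken from the post is the 90% single-user catch rate.

```python
"""Added example: disjunctive (layered) vs. conjunctive (awareness) block rates.
All functions, names and sample numbers here are constructed for illustration."""


def disjunctive_block_rate(layer_rates):
    """Probability that a mail is stopped by at least one of several
    independent technical layers (spam filter, URL rewriting, ...).
    The mail only gets through if it slips past every layer in turn."""
    pass_through = 1.0
    for rate in layer_rates:
        pass_through *= 1.0 - rate
    return 1.0 - pass_through


def conjunctive_block_rate(user_catch_rates):
    """Probability that an awareness layer stops a whole campaign.
    The campaign is blocked only if every targeted user says STOP, so the
    independent per-user catch probabilities multiply."""
    blocked = 1.0
    for p in user_catch_rates:
        blocked *= p
    return blocked


def awareness_block_rate(per_user_catch_rate, n_users):
    """Special case: the same catch rate for every targeted user (p ** n)."""
    return conjunctive_block_rate([per_user_catch_rate] * n_users)


def users_until_below(per_user_catch_rate, threshold):
    """Smallest number of targeted users at which the awareness layer's
    block rate drops below `threshold` (e.g. 0.5 for a coin flip)."""
    if not 0.0 < per_user_catch_rate < 1.0:
        raise ValueError("catch rate must be strictly between 0 and 1")
    n = 1
    while per_user_catch_rate ** n >= threshold:
        n += 1
    return n


# Constructed phishing-test result per group: (users who clicked, users tested).
PHISHING_TEST = {
    "finance": (3, 30),   # 10% clicked  -> 90% catch rate
    "sales": (12, 60),    # 20% clicked  -> 80% catch rate
    "it": (1, 25),        # 4% clicked   -> 96% catch rate
}


def catch_rate_from_test(clicked, tested):
    """Estimate a group's per-user catch rate from a phishing test."""
    return 1.0 - clicked / tested


def campaign_block_rate(targets, test_results):
    """Block rate of the awareness layer against a campaign that hits
    `targets` = {group: number of users in that group who receive the mail}."""
    rates = []
    for group, count in targets.items():
        clicked, tested = test_results[group]
        rates.extend([catch_rate_from_test(clicked, tested)] * count)
    return conjunctive_block_rate(rates)


if __name__ == "__main__":
    # Three mediocre technical layers still combine to a strong filter.
    print(f"three 50% layers stacked: {disjunctive_block_rate([0.5] * 3):.1%}")
    # The 90% awareness layer from the post, as the campaign grows.
    for n in (1, 2, 10, 50):
        print(f"awareness, {n:>2} users: {awareness_block_rate(0.9, n):.2%}")
    print(f"below a coin flip from {users_until_below(0.9, 0.5)} users on")
    hit = {"finance": 5, "it": 2}
    print(f"campaign on {hit}: {campaign_block_rate(hit, PHISHING_TEST):.1%}")
```

The layered chain of technical filters gets stronger with every layer added, because a mail must pass all of them; the awareness layer gets weaker with every user added, because only one user needs to click. If you want the awareness layer's contribution inside the overall chain, pass its campaign block rate as one more entry to `disjunctive_block_rate`, and for a hundred-recipient campaign that entry is close to zero.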

There is one more argument.

The generation of phishing mail content has seen a large technological step forward.

Back in the 2010s it was realistic to spot phishing mails. They were clearly made by low-skilled people whose primary language was not the language of the mails. So the mails always contained obvious errors, especially language errors, and they often contained very ham-fisted demands that you click the link or open the attachment.

This has changed, possibly due to LLM translation and text generation, possibly because phishing has become more businesslike. The mails look legit now. They will fool almost all of us. We can only hope to spot the low-effort ones.

What then?

Give up? No, but use your resources where it matters. Only do awareness training if you have to meet some compliance requirements, or if there are cultural problems around security.

Should users stop caring? No, they should still try to figure out when they are tricked. But be sure they will be tricked. Build your security on that, not on a fantasy.


PS: Note that all this was about phishing awareness, which is the common understanding of the concept of awareness. But there are other kinds of awareness, and some of them actually do make sense.
