Exploring the evidence for email phishing training: A scoping review

Background: Phishing emails are a pervasive threat to the security of confidential information. To mitigate this risk, a range of training measures have been developed to target the human factors involved in phishing email susceptibility. Despite the widespread use of anti-phishing training programs, there is no clear understanding of the extent to which these approaches have been assessed. Objective: The primary aim of this scoping review was to identify and describe the nature of available training interventions and their measurable outcomes on user susceptibility, as reported in published articles. Methods: Systematic searches identified 42 studies that met the inclusion criteria. Each study was critically analysed, and a standardised data extraction spreadsheet used to systemise the data that informed the descriptive narrative review. Results: Findings revealed that near-term training impact is well documented, however evidence on the success of programs in driving sustained behavioral change is limited. Components of training design influencing the effectiveness of outcomes included training intensity, active approaches to learning, the provision of detailed feedback, and supplementing attentional awareness skills-based training with traditional cue-based approaches. Conclusions: Improved user resilience to phishing emails confirms the utility of training as an important defensive mechanism, although current approaches continue to leave trainees at risk.