Long lasting effects of awareness training methods on reducing overall cyber security risk

Social Engineering holds one of the most critical threats to public and private organizations. In this paper we focus on phishing threats by measuring the positive impact that awareness methods may provide to them in a long-term period to companies and public bodies. The assessment criterion uses two phishing attacks in a period of 18 weeks. The phishing attack comprises a hook mail containing a link to a credentials harvesting website. Users' reaction and user agent fingerprints are used in order to calculate a risk score for each victim. By applying chi square - tests it was found that there is a statistically significant score improvement for participants that were trained via the awareness methods. Furthermore, a risk analysis is conducted to identify, quantify and prioritize potential risks that could negatively affect the end-user's operations. The main idea concerning this proposed technique is the fact that the assessment methods can assist the employees to develop skills and abilities in order to use the digital world safely, avoiding phishing attacks. The risk analysis findings indicate that the awareness approach has significant improvement in long term lasting risk reduction. The study was conducted as part of the European Horizon 2020 DOGANA project which aims to deploy effective mitigation strategies and lead to reduce the risk created by modern Social Engineering 2.0 attack techniques. The results obtained in this paper corroborate the results obtained by the EU funded project SAINT from the econometric analysis and modeling of the cybercrime and cyber security markets.