Understanding the Efficacy of Phishing Training in Practice
Abstract: As a result of regulation and cyber-insurance mandates, many organizations require their employees to periodically take various forms of cybersecurity training. Despite a long history of research supporting some forms of security training, this practice remains controversial in practice, and recent work has questioned its efficacy and highlighted the burden it can impose. This talk will discuss our recent paper that empirically evaluated the efficacy of two ubiquitous forms of enterprise security training: annual cybersecurity awareness training and embedded anti-phishing training exercises. Specifically, our work conducted and analyzed an 8-month randomized controlled experiment involving ten simulated phishing campaigns sent to over 19,500 employees at a large healthcare organization. Our results suggest that commonly deployed anti-phishing training programs are unlikely to offer significant protective value, and our analysis surfaces several challenges that these trainings may inherently face in the wild.
Bio: Grant Ho is an assistant professor in computer science at the University of Chicago. His research focuses on securing enterprises and organizations through data-driven insights and methods. Previously, Grant was a postdoctoral fellow at UC San Diego and received his PhD from UC Berkeley. His work has been recognized by the 2017 Internet Defense Prize and four distinguished/best paper awards across the top security conferences, such as IEEE S&P and USENIX Security.
Zoom info:
Meeting ID: 945 5603 5878
Password: 865039