Behavior training improves cyber resilience in critical infrastructure
A new report from cybersecurity training services company Hoxhunt Ltd. released today surprisingly finds that critical infrastructure employees are becoming more engaged in organizational security.
The “Human Cyber-Risk Report: Critical Infrastructure” was compiled from an examination of more than 15 million phishing simulations and actual email attacks reported in 2022 by 1.6 million individuals involved in security behavior change programs. The findings in the report highlight the heightened engagement of employees in the critical infrastructure sector in organizational security.
The key finding was that two-thirds of individuals who partake in security behavior training programs within critical infrastructure organizations are able to detect and report at least one real malicious email attack within a year of their training. The sector was also found to have a 20% higher resilience velocity, the speed at which peak threat detection behavior is achieved.
Another finding in the report was that the critical infrastructure sector also has a high phishing simulation success rate. Within a year after training, accurate reporting of simulations is 61% higher than the global average. The resilience ratio, defined as the success rate versus the failure rate, also fares better in the critical infrastructure sector, standing at 51% higher than the global average.
The report wasn’t all good news, however. It also finds that critical infrastructure employees are more susceptible to spoofed internal organizational communications, exhibiting an 11% higher failure rate than global averages.
The most resilient departments within critical infrastructure organizations were found to be finance, sales and legal, with the sales department showing particularly impressive results compared with the global average. Conversely, the departments most prone to phishing attacks include communication, marketing and business development.
Timothy Morris, chief security adviser at endpoint management company Tanium Inc., told SiliconANGLE that the report shows that though most companies do train for compliance, such as four phish training events per year, those that engage in more frequent training perform better.
“It is evident from the report that behavior modification improves with rewards-based training versus the more prevalent failure models that are used with phishing software awareness training tools,” Morris said. “The adaptive training methods and gamification using AI for their simulations appear to have more positive results.”