
Anti-Phishing Training: Is It Working? Is It Worth It?

Mike Petock

Phishing attacks target human, rather than technical, vulnerabilities. Some organizations, companies, government agencies, educational institutions, and individuals put on blinders and hope it doesn't happen to them. Others try to prevent the problem by paying for anti-phishing training. Speaking from a cybersecurity trainer's perspective, good training should change user behavior and reduce the primary problem: in this case, an incident or breach initiated by a successful phishing attack. Even effective training should cost significantly less than cleaning up after a breach. So, does anti-phishing training work? Is it worth the effort? The answers can be as individualized as the users on your network, but let's take a look at some broad statistics.


Is phishing a problem?

Yes, according to Verizon's 2019 Data Breach Investigations Report (DBIR). Email attachments, embedded links, and emails from unknown senders sit overwhelmingly (greater than 90 percent) at the top of the list of incident vectors. Similarly, of the malware detonations studied, more than 90 percent were delivered via email.

A sidebar in the DBIR examines why users are significantly more susceptible to phishing attacks on their mobile devices. The authors conjecture that the size of the screen and the way we use our mobile devices when distracted--walking, talking, and so on--may factor into why we aren't more vigilant about checking for phishing scams.

What does a breach cost?

From the 2018 Cost of a Data Breach Study, the annual study sponsored by IBM Security and conducted by the Ponemon Institute, the average cost of a breach ranges from $2.2 million (fewer than 10,000 compromised records) to $6.9 million (more than 50,000 compromised records). Massive breaches (1 million to 50 million compromised records) can cost an average of $40 million to $350 million.

How much does anti-phishing training cost?

It is difficult to find pricing for anti-phishing training without providing contact information and getting a call from a sales rep. One provider's online pricing calculator for annual anti-phishing training reported prices ranging from, as of this writing, $500 (up to 25 seats) to $43,800 (10,000 seats) per year. It is difficult to validate whether this cost is competitive across the market.

Is anti-phishing training effective?

Yes, according to the DBIR. Click rates have been falling, from 25 percent in 2012 to 3 percent in 2018. These results come from multiple security training vendors that conducted persistent anti-phishing campaigns during that period. Two other anti-phishing software vendors corroborate this finding, reporting reduced click rates of 4 percent and 2.7 percent, respectively.

Is it working? Is it worth it?

The answer to both questions is an emphatic yes. With consistent anti-phishing training, more users are recognizing and NOT clicking on phishing emails. Their caution prevents the introduction of malware into the systems of both the users and their organizations. Of course, there is a cost associated with anti-phishing training, but it's minimal compared to the price of cleaning up a data breach. Unfortunately, training is not going to stop the problem 100 percent of the time, and even with other security controls to prevent or contain an incident, there still may be a breach and cleanup. As with any control, the goal is to reduce the risk to an acceptable level, then live with the residual risk.
