New Research Reveals Critical Infrastructure Employees Are More Likely to Detect and Report Phishing and Malicious Emails
July 2023 by Hoxhunt
Hoxhunt released the findings of its latest research, the ‘Human Cyber-Risk Report: Critical Infrastructure’. This report, which examined human risk in the critical infrastructure sector, analyzed over 15 million phishing simulations and real email attacks reported in 2022 by 1.6 million people participating in security behavior change programs. The research highlights that critical infrastructure employees are comparatively more engaged in organizational security, as their phishing reporting and miss rates indicate.
The report revealed that 66 percent of active participants in security behavior training programs at critical infrastructure organizations detect and report at least one real malicious email attack within a year of commencing training. Resilience velocity, the speed at which an organization reaches its highest level of actual threat detection behavior, is also 20 percent higher in the critical infrastructure sector, with organizational threat detection rates reaching high points at 10 months, compared to the 12-month average in most other industries.
Phishing simulation success rates, the act of reporting a simulation and not skipping or failing it, in critical infrastructure is 61 percent higher than the global average after 12 months. In addition, resilience ratios, success rate versus failure rate, is 51 percent higher in critical infrastructure - 10.9 for critical infrastructure compared to the 7.2 global industry average.
The report also reveals that critical infrastructure employees are most likely to fall victim to spoofed internal organizational communications. While this is the most effective type of phishing attack across most sectors, Hoxhunt’s study found that these types of attacks induce an 11.4 percent higher failure rate in the critical infrastructure sector compared to global averages.
"Over the past several years, attacks on critical infrastructure have become all too common, leaving fuel pumps and store shelves empty," said Mika Aalto, CEO and co-founder of Hoxhunt. “In response, critical infrastructure organizations and their employees are exponentially more aware and cautious of malicious activity. This higher state of caution has spurred many security and risk leaders to move away from traditional security awareness programs and choose new innovations like Security Behavior Change products to achieve true risk reduction.”
The research also highlights that communication, marketing, and business development departments are most likely to be victims of phishing attacks. The most resilient departments are finance, sales, and legal. These results track with global averages except for the high performance of sales, whose success in critical infrastructure is greater than the global average.