Training helps a lot, but it typically treats users like toddlers and punishes or rewards them for getting it right. Training is also either too targeted or too untargeted compared to IRL phish.
Treating users like toddlers is a techie attitude that drives me crazy. Most people have their own profession and responsibilities to think about. We'd appear to have toddler-level sophistication to, say, an accountant, electrician, or doctor, and we'd rightly expect to be treated like an adult discussing things about which we know almost nothing.
What do you mean by too targeted or too untargeted? Either focused on a specific threat (tree) or too general to be useful (all forest no trees)?
Too targeted would for example be something too relevant to their job. They'd know what the typical emails and logins are so they won't fall for it easily. If the training is for spearphishing, it should contain extensive detail about the user. I mean really, you can't train someone who combats phishing as their day job against spearphishing.
The only real threat training combats is untargeted dragnet attacks, which typically use generic content, or attacks that target organizations (not individuals).
In other words, you want them to be trained for the technology threat, not the content threat. You want them to know the difference between mail.company.com and mail.company.com.seemslegit.site. Currently, training seems to focus on "the email looks suspicious, why did you click on the link?" rather than "what about the link made you think it was legitimate? And this is why you were wrong."
Also, training is done as a campaign at most places. A few users fall for it and suddenly everyone knows about it before opening their inbox. Mostly theatrics. It shouldn't be "send phishme emails to 1000 users today"; it should be more like "pick 50 users out of 1000 at random and send them a new campaign every day for the next 20 business days, quarterly".
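A worked example of the mail.company.com versus mail.company.com.seemslegit.site distinction from the comment above, added here as an illustration and not part of the thread or any vendor's tooling. It is a small Python checker that takes a link and decides whether the host it actually lands on is under the organisation's domain, and flags the common ways a link is made to look that way when it isn't (the real domain used as a subdomain prefix, userinfo before an "@", punycode homoglyphs, or hyphenated variants). The apex domain `company.com` and the sample links are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Assumed for the example: the organisation's real registrable (apex) domain.
LEGIT_APEX = "company.com"


def classify_link(url: str, apex: str = LEGIT_APEX) -> tuple[str, str]:
    """Classify a link as 'legitimate' or 'suspicious' with a one-line reason.

    The decision is made on the host the browser would actually connect to,
    not on whether the expected name appears somewhere in the URL text.
    """
    parts = urlsplit(url.strip())

    if parts.scheme not in ("http", "https"):
        return "suspicious", f"unexpected scheme {parts.scheme!r}"

    # https://mail.company.com@evil.site/ : everything before '@' is userinfo,
    # the browser connects to evil.site.
    if parts.username is not None or parts.password is not None:
        return "suspicious", "userinfo before '@' hides the real host"

    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return "suspicious", "no hostname in link"

    # Normalise internationalised names to their punycode form so that a
    # homoglyph domain cannot compare equal to the ASCII apex by accident.
    try:
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return "suspicious", "hostname is not a valid IDN label sequence"

    # The only legitimate outcome: host is the apex or a true subdomain of it.
    if host == apex or host.endswith("." + apex):
        return "legitimate", f"host {host} is under {apex}"

    labels = host.split(".")
    if any(label.startswith("xn--") for label in labels):
        return "suspicious", f"punycode label in {host}; possible homoglyph of {apex}"

    # mail.company.com.seemslegit.site : the real name is a prefix, but the
    # registrable domain (the part you actually trust) is seemslegit.site.
    if apex in host:
        return "suspicious", f"{host} contains {apex!r} but is not under it"

    # company-com.site, mail-company-com.site and similar hyphenated lookalikes.
    if apex.replace(".", "-") in host:
        return "suspicious", f"{host} mimics {apex} with hyphens"

    return "suspicious", f"host {host} is not under {apex}"


def verdicts(urls: list[str]) -> dict[str, str]:
    """Convenience wrapper: map each link to its verdict only."""
    return {u: classify_link(u)[0] for u in urls}


if __name__ == "__main__":
    # Constructed sample links for the demonstration.
    samples = [
        "https://mail.company.com/owa/",
        "https://mail.company.com:443/owa/",
        "https://mail.company.com.seemslegit.site/login",
        "https://mail.company.com@seemslegit.site/login",
        "https://xn--cmpany-7ya.com/login",
        "https://mail-company-com.seemslegit.site/",
        "http://notcompany.com/",
    ]
    for u in samples:
        verdict, reason = classify_link(u)
        print(f"{verdict:11} {u}\n            {reason}")
```

The point the checker makes is the one the comment asks training to teach: read the host from right to left, and trust only the registrable domain, not whatever familiar name has been put in front of it.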