Content, Content

Critical Infrastructure Workers More Likely to Detect and Report Phishing and Malicious Emails, Study Finds

Cyber Security Ransomware Phishing Encrypted Technology

Employees at critical infrastructure operations are comparatively more engaged in organizational security than their counterparts in other industries, as indicated by their phishing reporting and miss rates, a new report said.

Inside the Human Risk Factor

In its newly released study, Human Cyber-Risk Report: Critical Infrastructure, Hoxhunt, a security behavior change specialist, said the data showed critical infrastructure organizations and their employees are “exponentially more aware and cautious of malicious activity.”

The report, which examined human risk in the critical infrastructure sector, analyzed over 15 million phishing simulations and real email attacks reported in 2022 by 1.6 million people participating in security behavior change programs.

Commenting on the report, Mika Aalto, Hoxhunt chief executive and co-founder, said:

“This higher state of caution has spurred many security and risk leaders to move away from traditional security awareness programs and choose new innovations like Security Behavior Change products to achieve true risk reduction."

Critical Infrastructure Employees on the Ball

Specifically, the research focuses on the energy and utilities sectors. Here are the key takeaways:

  • Critical infrastructure employees are unusually active and high-performing threat reporters.
  • Critical infrastructure’s resilience ratio (success rate/failure rate) is 51% higher than the global industry average: 10.9 for critical infrastructure vs. 7.2 for the global average.
  • Resilience velocity is 20% higher in critical infrastructure (i.e. organizational real threat detection rates reach a point of diminishing returns at 10 months, compared to 12 months).
  • Training produces measurable real-life behavior change: 65.6% of active security behavior change program participants detected and reported a real threat in the previous year.
  • Phishing simulation reporting rates in critical infrastructure begin lower but climb 61% higher than the global average after 12 months.
  • Miss rates — not interacting with a phishing simulation — start higher in critical infrastructure but, after 12 months, are 65% lower than the global average.
  • Phishing simulation failure rates are 5.3% in critical infrastructure, slightly above the 5.1% global average.
  • The most effective type of phishing attack — spoofed internal organizational communications — induces an 11.4% higher failure rate with critical infrastructure than the global average.
  • Marketing and communications departments in critical infrastructure have the highest phishing simulation failure rates, similar to the global trend, but their failure rate is higher. Sales departments in critical infrastructure have lower failure rates than all other industries.
D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.