Evaluating organizational phishing awareness training on an enterprise scale

Doron Hillman*, Yaniv Harel, Eran Toch

*Corresponding author for this work

Research output: Contribution to journalArticlepeer-review

3 Scopus citations


Employees are often the victims of phishing attacks, posing a threat to both themselves and their organizations. In response, organizations are dedicating resources, time, and employee effort to train staff to identify simulated phishing attacks. However, the real-world effectiveness of these training efforts in large enterprises remains largely unexplored. To address this, we carried out a controlled experiment in an Israeli financial institution with approximately 5,000 employees. The experiment included three simulated phishing emails, and we examined how different factors influence the phishing Click-Through Rate (CTR). Our findings suggest that employees are more likely to engage with phishing simulation emails that use personalized phrasing. We also found that phishing CTR varies between business units, and that the timing of training before the simulated email did not significantly affect phishing CTR. Furthermore, it became clear that training prior to phishing simulations and adopting a data-driven approach that includes process, variable and measure analysis, can enhance organizational awareness of phishing. Although advanced technologies can mitigate some phishing attacks, our research indicates that employee awareness and proactive behavior will continue to play a critical role in the foreseeable future. The paper concludes by providing guidelines to information security officers on establishing effective organizational awareness to prevent phishing attacks.

Original languageEnglish
Article number103364
JournalComputers and Security
StatePublished - Sep 2023


FundersFunder number
Blavatnik Interdisciplinary Cyber Research Center
Israel Ministry of Science
Defense Advanced Research Projects Agency
Israel Science Foundation
Tel Aviv University144
Horizon 2020


    • Awareness
    • Organizational cyber security
    • Phishing
    • Phishing wave
    • Social engineering
    • Training


    Dive into the research topics of 'Evaluating organizational phishing awareness training on an enterprise scale'. Together they form a unique fingerprint.

    Cite this