Cybersecurity training programs don’t prevent employees from falling for phishing scams

University of California - San Diego

Facebook

XLinkedInWeChatBlueskyMessage

 

image: 

Researchers found that there was no significant relationship between whether users had recently completed an annual, mandated cybersecurity training and the likelihood of falling for phishing emails

view more 

Credit: Ioana Patringenaru/University of California San Diego

Cybersecurity training programs as implemented today by most large companies do little to reduce the risk that employees will fall for phishing scams–the practice of sending malicious emails posing as legitimate to get victims to share personal information, such as their social security numbers. 

That’s the conclusion of a study evaluating the effectiveness of two different types of cybersecurity training during an eight-month, randomized controlled experiment. The experiment involved 10 different phishing email campaigns developed by the research team and sent to more than 19,500 employees at UC San Diego Health. 

The team presented their research at the Blackhat conference Aug. 2 to 7 in Las Vegas. The team originally shared their work at the 46th IEEE Symposium on Security and Privacy in May in San Francisco. 

Researchers found that there was no significant relationship between whether users had recently completed an annual, mandated cybersecurity training and the likelihood of falling for phishing emails. The team also examined the efficacy of embedded phishing training – the practice of sharing anti-phishing information after a user engages with a phishing email sent by their organization as a test. For this type of training, researchers found that the difference in failure rates between employees who had completed the training and those who did not was extremely low. 

“Taken together, our results suggest that anti-phishing training programs, in their current and commonly deployed forms, are unlikely to offer significant practical value in reducing phishing risks,” the researchers write.

Why is it important to combat phishing? 

Whether phishing training is effective is an important question. In spite of 20 years of research and development into malicious email filtering techniques, a 2023 IBM study identifies phishing as the single largest source of successful cybersecurity breaches–16% overall, researchers write. 

This threat is particularly challenging in the healthcare sector, where targeted data breaches have reached record highs. In 2023 alone, the U.S. Department of Health and Human Services (HHS) reported over 725 large data breach events, covering over 133 million health records, and 460 associated ransomware incidents. 

As a result, it has become standard in many sectors to mandate both formal security training annually and to engage in unscheduled phishing exercises, in which employees are sent simulated phishing emails and then provided “embedded” training if they mistakenly click on the email’s links.

Researchers were trying to understand which of these types of training are most effective. It turns out, as currently administered, that none of them are. 

Why are cybersecurity trainings not effective? 

One reason the trainings are not effective is that the majority of people do not engage with the embedded training materials, said Grant Ho, study co-author and a faculty member at the University of Chicago, who did some of this work as a postdoctoral researcher at UC San Diego. Overall, 75% of users engaged with the embedded training materials for a minute or less. One-third immediately closed the embedded training page without engaging with the material at all. 

“This does lend some suggestion that these trainings, in their current form, are not effective,” said Ariana Mirian, another paper co-author, who did the work as a Ph.D. student in the research group of UC San Diego computer science professors Stefan Savage and Geoff Voelker. 

A study of 19,500 employees over eight months

To date, this is the largest study of the effectiveness of anti-phishing training, covering 19,500 employees at UC San Diego Health. In addition, it’s one of only two studies that used a randomized control trial method to determine whether employees would receive training, and what kind of phishing emails–or lures–they would receive. 

After sending 10 different types of phishing emails over the course of eight months, the researchers found that embedded phishing training only reduced the likelihood of clicking on a phishing link by 2%. This is particularly striking given the expense in time and effort that these trainings require, the researchers note. 

Researchers also found that more employees fell for the phishing emails as time went on. In the first month of the study, only 10% of employees clicked on a phishing link. By the eighth month, more than half had clicked on at least one phishing link. 

In addition, researchers found that some phishing emails were considerably more effective than others. For example, only 1.82% of recipients clicked on a phishing link to update their Outlook password. But 30.8% clicked on a link that purported to be an update to UC San Diego Health’s vacation policy. 

Given the results of the study, researchers recommend that organizations refocus their efforts to combat phishing on technical countermeasures. Specifically, two measures would have better return on investment: two-factor authentication for hardware and applications, as well as password managers that only work on correct domains, the researchers write. 

This work was supported in part by funding from the University of California Office of the President “Be Smart About Safety” program–an effort focused on identifying best practices for reducing the frequency and severity of systemwide insurance losses. It was also supported in part by U.S. National Science Foundation grant CNS-2152644, the UCSD CSE Postdoctoral Fellows program, the Irwin Mark and Joan Klein Jacobs Chair in Information and Computer Science, the CSE Professorship in Internet Privacy and/or Internet Data Security, a generous gift from Google, and operational support from the UCSD Center for Networked Systems.

Understanding the Efficacy of Phishing Training in Practice

Grant Ho, Ariana Mirian, Elisa Luo, Stefan Savage and Geoffrey M. Voelker, Department of Computer Science and Engineering, UC San Diego

Grant Ho is currently a faculty member at the University of Chicago. Mirian is currently a senior security researcher at Censys. 

Khang Tong, Euyhyun Lee and Lin Liu, Biostatistics, Epidemiology and Research Design, UC San Diego Health 

Christopher A. Longhurst and Christian Dameff, Jacobs Center for Health Innovation and UC San Diego Health

The team examined the efficacy of embedded phishing training – the practice of sharing anti-phishing information after a user engages with a phishing email sent by their organization as a test. For this type of training, researchers found that the difference in failure rates between employees who had completed the training and those who did not was extremely low. 

Credit

Ioana Patringenaru/University of California San Diego

---

Method of Research

Randomized controlled/clinical trial

Subject of Research

People

Article Title

Understanding the Efficacy of Phishing Training in Practice

 

Water’s density is key to sustainable lithium mining

Research led by UMass Amherst finds not all water is equal when it comes to sustainable lithium extraction practices for the low-carbon future

University of Massachusetts Amherst

LinkedInWeChatBlueskyMessageWhatsAppEmail

 

image: 

“Corkran’s systematic evaluations revealed two new processes,” says Boutt, professor of Earth, geographic, and climate sciences at UMass Amherst and the paper’s senior author.

view more 

Credit: UMass Amherst

AMHERST, Mass. — One of the biggest obstacles on the road to the low-carbon energy future is caused by the rare-earth element lithium, a critical component for the batteries that can store the abundant and sustainable energy from renewable sources. The element occurs naturally as a salt in briny oases, called salares, in some of the world’s harshest environments, including the “Lithium Triangle” high in South America’s arid Altiplano. Mining lithium has the potential to destabilize already sensitive environments that are host to rare flora and fauna, as well as the Indigenous communities that have long made such places their homes.

While earlier research from the University of Massachusetts Amherst has shown that commonly accepted figures quantifying how much water can be withdrawn from salares overestimate the amount of water available by more than an order of magnitude, a recent study led by UMass Amherst graduate student Daniel Corkran uncovers the previously unknown physical mechanisms that govern sustainable water usage. And it overturns some of the commonly held assumptions about what counts as sustainable lithium mining.

It's all about location and water density.

“The question that really drove this study centers around a debate between two different parties in these arid basins,” says Corkran. “Some view the types of water available in these basins— fresh, brackish and lithium-containing salt water (brine)—as one continuous water resource, meaning that when lithium companies pump enormous amounts of brine out of the salares, they’re using an enormous amount of water. They claim that this usage will greatly affect all the other water demands, both environmental and human, to which that water could be put. On the other hand, lithium companies have pointed out that the brine is 200 times saltier than seawater and so can’t support life. Therefore, it’s only the fresh water in these salares that matters, and since lithium doesn’t occur in the freshwater portions of the salares, there’s nothing to worry about. Given the wide gulf between the two conceptualizations and the implications for sustainable water use, we decided to test both hypotheses.”

To do so, Corkran and his co-authors, which include members of David Boutt’s Hydrogeology Group at UMass Amherst as well as collaborators from the University of Alaska Fairbanks and the University of Dayton, first designed a series of immensely complex model simulations to project the effects of lithium and freshwater pumping over the next 200 years, across a wide range of climactic scenarios and geologic settings. They then checked their modeled results against satellite data from salares in two different regions of the Lithium Triangle, the source of more than half of the world’s lithium resources. Each of these salares relies on a different mode of lithium mining: the traditional evaporative technique, which involves evaporating brine, and direct lithium extraction, or DLE, which preserves the brine but can use up to 200% more freshwater.

“Corkran’s systematic evaluations revealed two new processes,” says Boutt, professor of Earth, geographic, and climate sciences at UMass Amherst and the paper’s senior author.

The first involves where in the salar mining companies pump their water. The traditional understanding of the relationship between water and sustainability holds that you can responsibly use only as much water as flows in, and that it’s better to use this new water, not the older stuff stored in the aquifer.

But salares are composed of both freshwater portions, located at the edge of the basin near the points where fresh groundwater recharges the wetlands, and briny portions at the center of the basin, with a transitional zone between the two, and Corkran found that the closer a company pumps to the fresh water, the greater the impact is on the salar’s wetlands and the faster its shores recede.

“The fresh water is what we shouldn’t be touching,” says Boutt, who points out that both local agriculture and companies that mine for other precious metals, such as copper, as well as the newer DLE methods of gathering lithium may be having an outsized impact on the salares.

“Instead,” says Corkran, “companies should be pumping water from the briniest patches they can find.”

Which brings us to the surprise player in this story—density.

Think about what happens to water when you freeze it. Fill a glass jar with fresh tap water, cap it tightly, and then put it in the freezer overnight. When you check on it in the morning, you’ll have a broken jar because freshwater is denser than ice. As the water froze, it expanded, gaining volume, losing density and cracking the jar, even though the number of water molecules in the jar remained the same.

Something similar happens in the salares.

Salt water is denser than fresh water. Pound for pound, it takes up less space in the salar. This means that when mining companies pump out dense, lower-volume salt water the effect on the water levels is blunted. But pump out less dense, high-volume fresh water, and the effect on water levels is magnified.

Put another way, you can pump out more salt water with less effect; but pump out fresh water, and the salar’s groundwater-dependent wetlands seem to melt away.

Corkran and his colleagues confirmed this conclusion with measurements of two wetlands located in different salares: the Diffuse South Tumisa Discharge Zone in Salar de Atacama and the Rio Trapiche Vega in Salar del Hombre Muerto.

“What this all adds up to,” says Boutt, “is that we don’t have to be all that concerned about pumping brine. But we need to be very careful with any freshwater usage—whether for mining, agriculture or any other use. And if we do decide to go full steam ahead with DLE technology for lithium, we need to address its needs for fresh water.”

 

Contacts: David Boutt, dboutt@cns.umass.edu

                 Daegan Miller, drmiller@umass.edu

 

 

 

---

Journal

Water Resources Research

DOI

10.1029/2024WR039511 

Article Title

Density Constrains Environmental Impacts of Fluid Abstraction in Closed‐Basin Lithium Brines

Article Publication Date

15-Sep-2025

 

Patients in the world’s least developed countries three times more likely to die after abdominal trauma surgery

University of Cambridge

Facebook

XLinkedInWeChatBlueskyMessageWhatsAppEmail

Mortality after emergency abdominal surgery is more than three times higher in the least developed countries compared to the most developed. Yet among those who undergo surgery, injuries tend to be less severe – raising concerns that those most critically injured are not even reaching the operating theatre.

A study published in The Lancet Global Health has revealed stark global inequalities in survival after emergency abdominal surgery for traumatic injuries. The research found that patients in the world’s least developed countries face a substantially higher risk of dying within 30 days of surgery than those in the most developed nations, as ranked by the United Nations Human Development Index (HDI).

Although overall mortality rates appeared similar across settings at 11%, risk-adjusted analysis showed that patients in the lowest-HDI countries faced more than three times the risk of death compared with those in the highest-HDI group, while the risk in middle-HDI countries was nearly double.

The Global Outcomes After Laparotomy for Trauma (GOAL-Trauma) study was led by the University of Cambridge and carried out by a global network of collaborators. It analysed data from 1,769 patients treated in 187 hospitals across 51 countries, ranging from conflict-affected areas such as the Occupied Palestinian Territories, Ukraine, and Sudan to well-resourced trauma centres in Europe and the United States. All patients had undergone a trauma laparotomy — emergency surgery to repair internal abdominal injuries – as a result of incidents such as road traffic accidents, stabbings, or gunshot wounds.

Among patients who underwent surgery, those in low-HDI countries typically had less severe injuries than those in higher-ranked countries. This suggests that the most critically injured may die before reaching hospital, or that some life-threatening injuries are missed on arrival.

“Our findings point to a survival gap that begins before patients even reach the operating theatre,” said lead author Dr Michael Bath from Cambridge’s Department of Engineering. “This may be because the most seriously injured die before they can access life-saving care, or because limitations in diagnosis mean their injuries go undetected.”

The researchers also found wide disparities in hospital care. For example, access to CT scans before surgery — a critical tool for diagnosing internal injuries — was available in over three-quarters of patients in the more developed settings, but in fewer than one-quarter in the lowest-ranked group.

The researchers say that addressing this survival gap will take more than simply faster transport or greater access to diagnostic tools such as CT scans. They call for coordinated improvements across the entire trauma pathway – from the moment of injury to full recovery – to ensure critically injured patients receive the care they need.

“The GOAL-Trauma study provides for the first time comparable global data on laparotomy for trauma, revealing that similar mortality rates can mask profound inequalities in care pathways,” said co-author Dr Daniel U. Baderhabusha of Hôpital de Kyeshero in the Democratic Republic of Congo. “This information will help design more equitable trauma systems that are better adapted to local realities. It paves the way for strategies that can offer every patient, wherever they live, the best chance of survival and recovery.”

“The GOAL-Trauma study is one of the biggest global studies of trauma care yet published,” said senior author Dr Tom Bashford from the Cambridge’s Department of Engineering and Cambridge University Hospitals Foundation Trust. “It represents a huge effort by a team of partners from across the world, some of whom are practising in the most extreme conditions imaginable and yet still recognise the importance of contributing to international research.”

 

---

Journal

The Lancet Global Health

DOI

10.1016/S2214-109X(25)00303-1 

Article Title

Global variation in patient factors, interventions, and post-operative outcomes for those undergoing trauma laparotomy: an international prospective observational cohort study

Article Publication Date

16-Sep-2025

 

Lack of soap most reported barrier to effective hand hygiene in shared community spaces

Efforts to improve handwashing don’t always include basics of access to soap + water Lack of hand hygiene causes annual 740,000 deaths from diarrhoea or respiratory infections But despite global recognition of its importance governments slow to act on

BMJ Group

Facebook

XLinkedInWeChatBlueskyMessageWhatsAppEmail

A lack of soap is the most often reported barrier to effective hand hygiene—key to curbing the spread of infection—in shared community spaces, such as households, schools, and public places, finds a systematic review of the available research, published in the open access journal BMJ Global Health.

It found that the barriers most often reported concerned physical opportunity, such as the availability of soap; and  lack of motivation—hand hygiene not prioritised, or not habitual practice, for example. On the other hand, the enablers most often reported aligned with motivation in the form of habitual practice and perceived health risk.

A further systematic found that most of the reported efforts to improve handwashing didn’t always address identified barriers or enablers to ensure behavioural sustainability, nor did they fully consider the fundamental resources needed for hand hygiene, such as soap, water, and handwashing facilities. 

“If settings do not already have these critical hand hygiene components in the environment, interventions that seek to improve hand hygiene only through motivation, social pressure, or by increasing knowledge should be reconsidered,” conclude the authors.

The reviews form part of a suite of 5, published in a special supplement to the journal that have informed the World Health Organization (WHO) and UNICEF guidelines on hand hygiene in community settings due to be published October 15 on Global Handwashing Day.  

The guidelines were prompted by the many inconsistencies and lack of sound evidence to support some of the recommended practices contained in current handwashing guidance around the globe. 

The systematic reviews focus on the effectiveness of methods to remove pathogens from the hands; minimum material requirements; behavioural factors; strategies to improve handwashing; and the effectiveness of government measures.

The review looking at what works best for removing and inactivating pathogens, found that most of the evidence assessed capacity to reduce bacteria; just 4% of studies addressed enveloped viruses, such as flu, HIV, respiratory syncytial virus (RSV), and human coronaviruses, and even fewer focused on other pathogens, such as fungi and protozoa. 

Other knowledge gaps included commonly used soap alternatives around the world, such as sand and ash; optimal drying methods; and the impact of microbially contaminated water.

“To formulate strong recommendations for handwashing methods, particularly considering viral pandemic illnesses and community resource restrictions, further research that describes the efficacy and effectiveness of a wider range of methods is critical,” conclude the authors.

In a linked commentary, Joanna Esteves Mills, of WHO’s Water, Sanitation, Hygiene and Health Unit, points out that hand hygiene not only protects health and strengthens community resilience, but it also reduces pressure on health systems by saving resources needed for other health priorities. 

It can also curb the need for antibiotic treatment, so reducing the spread of antimicrobial resistance and the associated deaths and health costs, she adds.

Yet “despite international recognition of its importance, global progress on hand hygiene has consistently failed to measure up to political commitments and pledges,” she writes. 

“There have been gains—between 2015 and 2024, 1.6 billion people gained access to a basic handwashing facility —but in 2024 1.7 billion people still lacked a handwashing facility with soap and water at home and 611 million had no handwashing facility at all,” she adds, citing the latest figures from the WHO/UNICEF Joint Monitoring Programme for Water Supply, Sanitation and Hygiene .

“Achieving universal access by 2030 [a Sustainable Development Goal] would require a doubling in current rates of progress, rising to 11-fold in least developed countries and 8-fold in fragile contexts. Meanwhile, each year, 740,000 people die of diarrhoea or acute respiratory infections that could have been prevented with hand hygiene,” she points out.

The evidence from all 5 systematic reviews points to 3 core principles, she says:

• Access to soap and water and/or alcohol-based sanitisers are minimum material needs which should be any government’s first priority
• People need to know why, when, and how to clean hands
• An enabling  physical and social environment that encourages and motivates sustained practice. In other words, one that is convenient, attractive, and with facilities that are easy to use and which comply with social norms

While governments and international institutions often mobilise rapidly during disease outbreaks, afterwards, budgets are cut, preparedness plans go dormant, and political attention shifts elsewhere, she says, creating a “cycle of panic and neglect.” 

To break this cycle, governments need to strengthen systems that can incorporate hand hygiene into broader health initiatives. But strong leadership will be needed, she insists.

“Most importantly, political leadership requires sufficient investment to deliver change. Although cost-effective and relatively simple, hand hygiene interventions are not always low-cost. In particular, water supply infrastructure requires investment. Governments should not rely on emergency budgets, embedding hand hygiene financing instead in annual health budgets,” she concludes.

---

Journal

BMJ Global Health

DOI

10.1136/bmjgh-2025-018927 

Method of Research

Systematic review

Subject of Research

People

Article Title

ehavioural factors influencing hand hygiene practices across domestic, institutional and public community settings: a systematic review and qualitative meta-synthesis

Article Publication Date

16-Sep-2025

 

A hard look at geoengineering reveals global risks

UCSB scientists find cloud seeding could disrupt El Niño, underscoring the need for caution in climate interventions

University of California - Santa Barbara

Facebook

XLinkedInWeChatBlueskyMessageWhatsAppEmail

 

image: 

The El Niño Southern Oscillation drives major weather patterns across the globe. Disrupting it could have intense and far-reaching ramifications.

view more 

Credit: NASA

(Santa Barbara, Calif.) — With CO2 emissions continuing unabated, an increasing number of policymakers, scientists and environmentalists are considering geoengineering to avert a climate catastrophe. Such interventions could influence everything from rainfall to global food supplies, making the stakes enormous. In brief, manipulating other aspects of Earth’s climate system might reduce some effects of climate change. But the wondrous complexity of our planet complicates every one of these proposals.

Climate scientists at UC Santa Barbara analyzed two approaches that involve reducing the amount of sunlight warming Earth’s surface: cloud seeding over the eastern Pacific and introducing aerosols into the stratosphere. By modeling local effects on the Pacific Ocean, they found that the first strategy would completely disrupt one of the planet’s major climate cycles, the El Niño Southern Oscillation. At the same time, the second would scarcely affect the system at all. The results, published in the journal Earth’s Future, underscore the importance of considering the broad range of consequences that any geoengineering solution may have.

“We need to be careful about implementing geoengineering proposals before we fully understand what’s going to happen,” said first author Chen Xing, a doctoral student at UCSB’s Bren School of Environmental Science & Management.

Xing and fellow Bren grad student Cali Pfleger were curious how geoengineering might impact marine ecosystems. But understanding this requires an account of their effects on the ocean’s climate cycles, chief among them being the El Niño Southern Oscillation (ENSO).

ENSO is a 2- to 7-year climate cycle that shifts the distribution of warm water in the tropical Pacific. This has profound implications for global weather patterns and atmospheric circulation. For instance, El Niño years bring warm waters to the west coasts of the Americas along the equator, causing wet winters in California. In contrast, South and Southeast Asia experience stronger monsoons when the western Pacific heats up in La Niña years.

The two geoengineering proposals the authors evaluated both involve releasing aerosols into the atmosphere; the difference is in what type, and how high up. Cloud seeding, or marine cloud brightening (MCB), involves injecting sea salt within 2 kilometers of the surface to promote more reflective cloud cover over the oceans. Meanwhile, stratospheric aerosol injection (SAI) blocks sunlight farther up by releasing sulfates high in the atmosphere.

Proponents of geoengineering have sometimes targeted the eastern sides of ocean basins (west coasts of the continents) for marine cloud brightening due to their strong effect on global temperature. Unfortunately, the southeastern Pacific in particular seems to have a large influence on ENSO. “Deploying MCB in the subtropical eastern Pacific dramatically reduces ENSO amplitude by approximately 61%,” the authors write.

“It’s hard to get ENSO to change by that much that quickly,” said Associate Professor Samantha Stevenson, who co-authored the study, and is Xing’s and Pfleger’s advisor.

Marine cloud brightening works by creating clouds with more numerous, but smaller droplets. The result is a more reflective cloud that keeps the surface underneath cooler. However, these smaller droplets inhibit raindrop formation, leading to drier conditions with less local rainfall. As this cool air moves into the central Pacific, it reduces the evaporation that drives atmospheric convection, further drying out the region. This cooling and drying of the eastern Pacific strengthens the winds along the equator. The result is drier, cooler, windier conditions in the sky with more upwelling and cooler surface temperatures in the sea. In other words, ENSO crashes.

The authors thought the proposals could have impacts, “but we didn’t expect two-thirds of ENSO’s variance to disappear,” Xing said. The implications seem clear: “Don’t do MCB over the eastern Pacific Ocean because it might cause super strong chain reactions from ENSO’s disappearance.”

In contrast to the severe repercussions of marine cloud brightening, stratospheric aerosol injection had virtually no effect on ENSO. So why the difference?

The answer may have to do with altitude and the spatial distribution of cloud particles. MCB is more concentrated and closer to the surface, while SAI is carried out high in the atmosphere, where the particles are more dispersed. This means that SAI’s cooling influence is more evenly distributed and less disruptive to the tropical Pacific.

However, that doesn’t necessarily mean that all MCB strategies will have such a damaging impact on ENSO. According to Stevenson, these MCB simulations have such an impact because of the nature of this specific spot in the eastern Pacific. “We’re not saying that all MCB is going to kill ENSO. We’re just saying that this happens if you do it in this specific region,” she said. We could carry out marine cloud brightening elsewhere, she added, but we’d need a larger intervention to get the same amount of global cooling.

Of course, taking no action will also have consequences. Runaway climate change will certainly disrupt major natural cycles, ecosystems and social systems. As for ENSO, scientists currently don’t know what will happen to it. But that, itself, is reason for caution. “There’s nothing that compares to the speed with which ENSO would change in these MCB experiments,” Stevenson said. “It just does not naturally drop 60% in 10 years, even under climate change.”

Blocking sunlight from reaching Earth would also lower photosynthetic activity, decreasing the productivity of crops, forests and, crucially, marine algae. Algae form the foundation of the ocean food web and generate around 70% of oxygen in the atmosphere. The team plans to investigate the effects these proposals may have on marine ecosystems.

This study highlights the importance of understanding the nuances and tradeoffs when designing and choosing geoengineering solutions. “Two interventions can get to the same warming target globally and have extremely different regional climate impacts,” Stevenson said. “The most important question is, ‘Are we thinking of all of the potential consequences?’”

---

Journal

Earth's Future

Article Title

Subtropical Marine Cloud Brightening Suppresses the El Niño–Southern Oscillation