We Polled 1,900 Security Pros: 5 Key Findings


As we enter the heart of Cybersecurity Awareness Month, we’d like to take another look at five key results from our second annual Global Cybersecurity Awareness Training Study. The survey recorded responses from 1,900 IT and security leaders, CISOs, and professionals worldwide, who answered a series of questions on subjects ranging from security awareness training and cybersecurity preparedness to which types of online attacks present the biggest challenge for employers.

The survey introduced a number of interesting findings, like what makes for good phishing simulations, and how many companies use a phishing button (aka phish alert button).

Yet the report provided little assurance that organizations are doing all they can to avoid falling victim to business email compromise (BEC), ransomware attacks, or other phishing attacks. However, several findings were great news, speaking to cybersecurity awareness training’s overall acceptance. Of course, other numbers hinted at possible conflict within organizations. In this article, we’ll cover some key findings while providing a bit of analysis. Finally, we’ll also take a look at what makes for good phishing simulations, according to real-life security pros. 

Cybersecurity Poll: The Good News

1. 97% have implemented cybersecurity awareness measures.

Other encouraging findings within the category: 96% stated that awareness measures have increased, and as many as 97% of those surveyed stated that IT security has improved as a result. This is excellent news, of course, underscoring that organizations really “get” the need for awareness training. It also speaks to high acceptance from employees because they, too, follow the news and understand that a company’s weakest link usually comes down to one of them.

And here we get into some mixed news. 


2. Only 43% of companies use a phish alert button.

But the good news is 88% of companies are running phishing simulations. OK, back to phishing buttons. 

A phish alert button is a simple and elegant button that integrates with Outlook, Gmail or other email clients and gives employees a streamlined way of reporting suspected malware attacks. Instead of filing a report or even forwarding an email to an alias, employees simply highlight the email in question and click on the phishing button. This not only makes the task more fun for employees (who doesn’t like pushing buttons?), it also makes it easy. And when things are easy, more people tend to engage.

For organizations, a phishing button is a great way to stay on top of potential threats. Keep in mind the actual button doesn’t defend any better against malware and other threats. However, making things easy leads to higher engagement which ultimately empowers IT to stay on top of current threats. It also builds in some report-generating automation of sorts. Automating the reporting functionality saves time but also provides IT with a wealth of data about the current threat landscape and how to defend against it.   

3. 20% of organizations conduct more than 7 simulations per year.

When it comes to phishing attacks, frequency matters. If only 20% are conducting more than seven simulations per year, 80% are not. This translates to 4 in 5 employees getting rusty and less cyber aware. In case you were wondering, the ideal amount is at least 12, according to our security awareness team at ThriveDX. 

With over 90% of successful cyberattacks requiring human interaction of some kind, 87% of survey respondents admit that technology alone cannot protect their organizations. In other words, effective IT security is not possible without ongoing employee training. 

This is only logical since by some measures, 95% of successful cyberattacks involve human interaction. As risks evolve and threat landscapes change, so must human understanding of these risks.


Roy Zur is CEO of ThriveDX’s Enterprise Division. “We’re all familiar with endpoint security, email security and cloud security. But I think it’s way past time to have a ‘human factor security’ category. As risks evolve and the threat landscape changes, so must human understanding of these risks.”

Roy contends that human factor security is no different than operating systems and devices issuing updated security patches to plug vulnerabilities as new threats come online. If employees learn what the most common type of phishing attack looks like, their brains should “re-learn” what the most common attack looks like three months later.

So, in this sense, there is a big disconnect between the 97% who agree security awareness training is needed and the mere 20% who conducted more than seven (7) phishing simulations last year.

4. Two-thirds (65%) of respondents believe cybersecurity awareness programs need to expand.

87% agreed that advancement cannot be based on technology alone but must also focus on people. This is again a mixed bag, as it suggests a fair number of organizations are “mailing it in” or, put another way, checking a box and doing the bare minimum to achieve compliance. The good news is they’re doing something. The bad news is that two-thirds of them need to do a lot more.

5. Good Phishing Simulations: 5 Factors

  1. The simulation must fit the corporate context, have a local reference, or catch the victim’s attention. In other words, the phishing attack must appear legitimate, like one they may actually encounter.

  2. The phishing attack must be customizable in terms of context and content.

  3. The scenario must still be recognizable as a phishing attack.

  4. The phishing email should appear real, legitimate, and plausible at first glance and should contain the correct operational language.

  5. Individualization (a customized email) is also very important for a successful phishing scenario. 

Whether you want to know how accepted cybersecurity awareness training is, how many organizations would like to expand their programs, the optimal frequency of good phishing simulations or why a phish alert button might be the smartest thing a company can install, ThriveDX’s second annual 2022 Global Cybersecurity Awareness Training Study is full of interesting findings taken from a massive sample of 1,900 cybersecurity professionals.


Roy Zur, CEO of ThriveDX for Enterprise

Roy Zur is the CEO of ThriveDX’s Enterprise Division and founder of Cybint Solutions (acquired by ThriveDX in 2021). His background in cybersecurity and intelligence stems from his time as a Major in the Israeli Defense Forces, Cyber Unit 8200. Zur has more than 15 years of experience in developing cybersecurity training and education for organizations globally. Zur also serves as an adjunct professor of risk management in cybersecurity for the MBA-AI program at Reichman University and is the founder and chairman of The Israeli Institute for Policy and Legislation non-profit.
