A research paper in the Journal of Computer Information Systems says that security awareness training is a necessary complement to technical defenses and security policies, SC Magazine reports. Published by researchers from the University of Sussex and the University of Auckland, the paper acknowledges that technical defenses can help, but they can’t influence the human behavioral responses targeted by social engineering.

Hamidreza Shahbaznezhad, a co-author of the report and senior data scientist in industry at the University of Auckland, said in a press release that technical defenses are helpful but not comprehensive.

“Although technical countermeasures such as anti-phishing and spamming tools, email malware detection and data loss prevention are deployed to mitigate the risk of phishing attacks, using these technologies to detect phishing attacks remains a challenging problem,” Shahbaznezhad said. “This is not least because they often require human intervention to analyze and distinguish between phishing and legitimate emails.”

Dr. Mona Rashidirad, co-author and lecturer in strategy and marketing at the University of Sussex Business School, added that awareness training needs to be factored into organizations’ security budgets.

“Security safeguards alone will not protect a company from phishing scams,” Dr. Rashidirad said. “Organizations and individuals substantially invest in security safeguards to protect the integrity, availability, and confidentiality of information assets. However, our study supports the findings of recent studies that these safeguards are not adequate to provide the ultimate protection of sensitive and confidential information.”

The researchers write that training programs should teach employees how to think about their own behavior, and how attackers can manipulate them.

“Indeed, security practitioners should aim such information security awareness programs to inform users about intrinsic and extrinsic factors which can influence their behavior,” the paper says. “Therefore, employees can be more vigilant to understand how cybersecurity criminals can exploit employee’s perception from different individual/motivational, organizational, and technological perspectives. Employees may need to know about the existing security arsenals alongside with the security risks that could be exploited by malicious attackers.”

Organizations need to implement a combination of technical solutions, security policies, and employee training to combat these threats. New-school security awareness training can enable your employees to defend themselves against social engineering attacks.

This blog originally appeared on KnowBe4.

About the Author

Stu Sjouwerman (pronounced “shower-man”) is the founder and CEO of KnowBe4 Inc, a provider of the most popular Security Awareness Training and Simulated Phishing platform. A serial entrepreneur and data security expert with more than 30 years in the IT industry, Sjouwerman is the author of four books, with his latest being “Cyberheist: The Biggest Financial Threat Facing American Businesses.” Along with his CEO duties, Stu is Editor-in-Chief of Cyberheist News, an e-zine tailored to deliver IT security news, technical updates, and social engineering alerts. Stu is a four-time Inc 500 award winner and EY Entrepreneur of the Year finalist.