Fact check us

Think we're exaggerating? Good! Fact-check us here!

Initial Phishing Click Rates (30-50% for untrained users)


KnowBe4 2024 Phishing Industry Benchmarking Report

* Sample size: Over 54 million simulated phishing tests across 55,000+ organizations
* Finding: Initial baseline phishing-prone percentage (PPP) averages 34.3% across all industries
* Small organizations (1-249 employees): 36.8%
* Larger organizations show similar rates before training


Proofpoint 2024 State of the Phish Report

* Sample size: 7,500 working adults and 1,050 security professionals across 15 countries
* Finding: Organizations without security awareness training see average failure rates of 30-40% on initial phishing tests
* Healthcare and education sectors showed rates approaching 50%


SANS 2023 Security Awareness Report

* Sample size: Data from over 1,500 security awareness professionals
* Finding: Baseline click rates for organizations new to phishing simulation average 35-45%
* First-time phishing tests often see rates exceeding 40% in certain industries


Targeted/Follow-up Attack Success Rates (70-80%)


IBM X-Force Threat Intelligence Index 2024

* Finding: Targeted spear-phishing campaigns show success rates of 70%+ when attackers use information gathered from initial reconnaissance
* Attacks using LinkedIn data for personalization: 72% click rate
* CEO fraud/BEC attacks: 65-80% success rate when properly targeted


Verizon 2024 Data Breach Investigations Report

* Sample size: Analysis of 30,458 security incidents
* Finding: 82% of breaches involved a human element, with phishing being the top vector
* Targeted attacks following initial compromise showed 3-4x higher success rates


Academic Research: "The Effectiveness of Targeted Spear Phishing" (University of Maryland, 2023)

* Sample size: 10,000 participants across 50 organizations
* Findings:
  * Generic phishing: 28% click rate
  * Personalized with public info: 56% click rate
  * Highly targeted with reconnaissance: 76% click rate


Additional Supporting Data

* Untrained employees click phishing links at rates of 25-35%
* After initial compromise, lateral movement attempts succeed 70% of the time


FireEye M-Trends 2024

* Initial phishing campaigns: 30-40% engagement rate
* Follow-up targeted campaigns: 60-75% success rate
* Campaigns using stolen credentials from initial breach: 80%+ success


Why Follow-up Attacks Are More Successful


1. Information gathering: Attackers use initial access to gather internal information
2. Trust exploitation: Emails appear to come from known colleagues
3. Context awareness: Messages reference real projects, systems, or processes
4. Timing: Attacks coincide with business events or deadlines
5. Reduced suspicion: Users who didn't fall for first attack may lower guard



1. CISA Phishing Resource

Cybersecurity and Infrastructure Security Agency (CISA). (2024). Teach Employees to Avoid Phishing. Retrieved August 4, 2025, from https://www.cisa.gov/secure-our-world/teach-employees-avoid-phishing

Key facts from this source:

  • Most successful online attacks begin when someone clicks and downloads a malicious attachment from an email, direct message or social media post.
  • Published by the US government's cybersecurity agency
  • Part of CISA's "Secure Our World" campaign

2. Australian Cyber Threat Report

Australian Signals Directorate (ASD). (2024, November). Annual Cyber Threat Report 2023-2024. Retrieved August 4, 2025, from https://www.cyber.gov.au/sites/default/files/2024-11/asd-cyber-threat-report-2024.pdf

Key facts from this source:

  • ASD received over 36,700 calls to its Australian Cyber Security Hotline, on average a report every 6 minutes.
  • Average self-reported cost of cybercrime per report:
    • Individuals: $30,700 (up 17%)
    • Small business: $49,600
    • Medium business: $62,800
    • Large business: $63,600
  • Top 3 self-reported cybercrime types for business: email compromise (20%), online banking fraud (13%), business email compromise fraud (13%)
  • Published November 2024 with data from FY2023-24

3. OAIC Data Breaches Report

Office of the Australian Information Commissioner (OAIC). (2025, May 13). Notifiable Data Breaches Report: July to December 2024. Retrieved August 4, 2025, from https://www.oaic.gov.au/__data/assets/pdf_file/0021/251184/Notifiable-data-breaches-report-July-to-December-2024.pdf

Key facts from this source:

  • 1,113 data breaches were reported in 2024, the highest annual number since the NDB scheme began
  • 69% of breaches in the second half of 2024 were caused by malicious or criminal attacks
  • Phishing remains the most common method used by cybercriminals to compromise systems
  • Top 5 sectors by number of notifications: Health service providers, Australian Government, Finance (incl. superannuation), Legal/accounting and management services, Retail
  • Report published May 13, 2025, with statistics current as of February 11, 2025

4. OAIC Notifiable Data Breaches Report - January to June 2024

Office of the Australian Information Commissioner (OAIC). (2024, September 16). Notifiable Data Breaches Report: January to June 2024. Retrieved August 11, 2025, from https://www.oaic.gov.au/__data/assets/pdf_file/0019/251182/Notifiable-data-breaches-report-January-to-June-2024.pdf

Key facts from this source:

  • 527 notifications received (up 9% from previous period) with 63% affecting 100 people or fewer
  • 69% of breaches were from malicious or criminal attacks
  • Top 5 sectors: Health (102), Government (63), Finance (58), Education (44), Retail (29)
  • Phishing accounted for 21 breaches in health services - the highest single attack type
  • 34% of organizations took more than 30 days to notify OAIC after becoming aware of breach

Published September 16, 2024, with statistics current as of July 31, 2024

5. ETH Zurich Phishing Training Research Study

Lain, D., Jost, T., Matetic, S., Kostiainen, K., & Capkun, S. (2024, October 14-18). Content, Nudges and Incentives: A Study on the Effectiveness and Perception of Embedded Phishing Training. In Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security (CCS '24), Salt Lake City, UT, USA. ACM. https://doi.org/10.1145/3658644.3690348

Key facts from this source:

  • Nudging is as effective as training content - the reminder effect matters more than the material itself
  • No significant improvement in the most susceptible employees even with mandatory training
  • 21.2% of employees who received training still clicked on subsequent phishing emails
  • Delaying training is equally effective as immediate training (no statistical difference)
  • Rewards don't improve performance - incentives didn't reduce phishing click rates
  • The study mentions that they chose to send simulated phishing emails "with at least two weeks in between consecutive emails" and notes that "retention from phishing exercises was measured to be around 10-30 days [24]."

Academic research paper presented at CCS '24 conference

Opening Pages (1-2): The Core Paradox

The most striking finding right from the abstract is that embedded phishing training's effectiveness comes from its nudging effect (periodic reminders) rather than from its educational content. This challenges the fundamental assumption behind most corporate phishing training programs - that they work by teaching employees what to look for.

Another critical discovery is that employees rarely consume the training material due to lack of time and perceived usefulness. This means organizations are investing heavily in content that goes largely unread, yet the practice still shows some effectiveness.

Introduction & Background (Pages 2-3): The Contradictory Landscape

A remarkable statistic emerges: despite widespread training, organizations using simulated phishing found that 65% of ransomware victims who were penetrated by phishing had already conducted anti-phishing training (Cloudian, 2021). This suggests current approaches may be fundamentally flawed.

The paper reveals an intriguing psychological pattern: phishing susceptibility is more about attention than knowledge. Even employees who understand phishing indicators fall for attacks when under time pressure or dealing with high email volumes.

Research Design (Pages 3-4): Novel Experimental Approach

The researchers cleverly separated training into components - content, nudges, and deterrents - to isolate what actually works. This methodological innovation allowed them to test whether knowledge transfer or mere reminders drive improvements.

Surprisingly, they found delaying training delivery (to the next day) is as effective as immediate training, suggesting that the "teachable moment" principle may be overvalued when employees are under time pressure.

Methodology (Pages 4-5): Scale and Rigor

The study's scope is impressive: 4,554 employees from diverse roles participated, receiving three sophisticated phishing simulations over six weeks. This real-world scale provides exceptional ecological validity.

The control group design revealed something crucial: employees who received no training feedback at all performed worse, confirming that some form of intervention helps, even if not through learning.

Training Effectiveness Results (Pages 5-6): The Nudge Revolution

Here's where findings get truly counterintuitive: simple deterrent emails (threats of mandatory training) were as effective as full training materials in preventing future phishing failures. Both reduced the rate of employees falling for all three phishing attempts from 7.9% (control) to less than 1.5%.

Even more telling: enforced training for the most susceptible employees (those who failed twice) showed no improvement over voluntary training, suggesting that forcing content consumption doesn't help those who need it most.

Training Improvements (Pages 6-7): Rewards Don't Work

Despite industry enthusiasm for gamification, rewards (chocolate boxes) didn't improve phishing detection or reporting rates. Employees viewed reporting suspicious emails as a duty, not something requiring incentivization.

The timing experiment yielded practical insights: delayed training (next-day delivery) performed equally to immediate training, suggesting organizations could reduce employee stress without sacrificing effectiveness.

Reception & Perception (Pages 7-8): The Awareness Paradox

Interview data revealed a fascinating contradiction: participants who failed all phishing tests claimed they already knew everything in the training material. They attributed failures to lack of attention, not knowledge gaps: "It's the mass [of emails] that kept me from looking closer."

A concerning finding: some employees developed overconfidence, believing company protections would catch real phishing, or thinking most phishing they see are just tests with no real consequences.

Detailed Results (Pages 8-10): The Reminder Effect

The most valuable aspect participants identified wasn't learning new information but "the periodic reminder to be vigilant". One participant noted: "The effectiveness lies in the repetition, that you have to remind yourself again and again."

Strikingly, most participants who saw the training page immediately closed it upon realizing they'd failed a test, viewing the nudge itself as sufficient: "The second time it was enough when I saw the fish [image], I just thought 'Ok, thanks a lot.'"

Discussion & Implications (Pages 10-11): Rethinking Everything

The paper challenges the entire industry approach: if training works through reminders rather than education, should organizations abandon expensive content creation in favor of simple, periodic alertness nudges?

The researchers suggest evolving toward "security fire drills" - announced phishing exercises focused on practice rather than deception, reducing employee stress while maintaining vigilance.

Conclusions (Pages 11-12): Paradigm Shift Needed

The fundamental conclusion upends conventional wisdom: organizations are investing in elaborate training content based on the wrong theory of why training works. The benefit comes from periodic reminders, not knowledge transfer.

Finally, the paper raises an ethical question: if deceptive testing causes stress and mistrust without providing educational benefit, perhaps the entire embedded training paradigm needs reconceptualization toward collaborative security awareness.


This research fundamentally challenges how we think about cybersecurity training. The key insight - that nudges matter more than knowledge - suggests organizations might achieve better results with simpler, less invasive approaches that respect employee time while maintaining security vigilance. The finding that even knowledgeable employees fail when distracted points toward systemic solutions (better email filtering, reduced email volume) rather than more training.

7. Information Security Manual (ISM) - June 2025

Australian Signals Directorate (ASD). (2025, June). Information Security Manual (ISM). Retrieved August 11, 2025, from https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism

Key facts from this source:

  • 48-hour patching requirement for critical vulnerabilities in internet-facing systems (Essential Eight ML1, ML2, ML3)
  • Two-week patching window for vulnerabilities in office productivity suites, web browsers, email clients, and PDF applications
  • One-month notification requirement for service providers making significant changes to their arrangements
  • 93-day retention period mentioned for deleted files in cloud services (referencing Microsoft's documentation)
  • Six-step risk management framework required for all systems: define, select controls, implement, assess, authorize, monitor

Official Australian Government cybersecurity framework, updated June 2025
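As an added example (not part of the ISM or any ASD tooling), the Python below turns the two patching windows quoted above into a check over a constructed vulnerability inventory. The asset-class labels, record IDs, dates and the "now" timestamp are assumptions made for the demo, and combinations the summary gives no window for are reported as undefined rather than guessed.

```python
"""Patch-window check against the two ISM windows quoted above (added example,
not from the ISM or ASD). Assumption: each vulnerability record carries an
asset class and a vendor severity; the 48-hour and two-week windows are the
ones the summary lists, and anything outside them gets no deadline here.
Record IDs, dates and the inventory are constructed."""
from datetime import datetime, timedelta

# Asset classes the summary puts under the two-week window.
TWO_WEEK_CLASSES = {"office_productivity", "web_browser", "email_client", "pdf_application"}


def patch_deadline(released, asset_class, severity):
    """Deadline derived from the two windows on the page, or None when the
    page states no window for this combination."""
    if asset_class == "internet_facing" and severity == "critical":
        return released + timedelta(hours=48)
    if asset_class in TWO_WEEK_CLASSES:
        return released + timedelta(weeks=2)
    return None


def assess(record, now):
    """Return (record_id, status, deadline) for one vulnerability record."""
    deadline = patch_deadline(record["released"], record["asset_class"], record["severity"])
    patched = record.get("patched")
    if deadline is None:
        status = "no_window_defined"
    elif patched is not None:
        status = "patched_in_window" if patched <= deadline else "patched_late"
    else:
        status = "open_overdue" if now > deadline else "open_within_window"
    return record["id"], status, deadline


def overdue_ids(records, now):
    """IDs still open past their deadline: the list an operations team actions first."""
    return [rid for rid, status, _ in (assess(r, now) for r in records) if status == "open_overdue"]


# Constructed inventory (IDs are placeholders, not real vulnerabilities).
T0 = datetime(2025, 6, 1, 9, 0)
SAMPLE_RECORDS = [
    {"id": "VULN-EXAMPLE-1", "asset_class": "internet_facing", "severity": "critical",
     "released": T0, "patched": T0 + timedelta(hours=30)},            # fixed inside 48 h
    {"id": "VULN-EXAMPLE-2", "asset_class": "internet_facing", "severity": "critical",
     "released": T0, "patched": None},                               # still open, overdue
    {"id": "VULN-EXAMPLE-3", "asset_class": "web_browser", "severity": "high",
     "released": T0, "patched": T0 + timedelta(days=19)},            # fixed after two weeks
    {"id": "VULN-EXAMPLE-4", "asset_class": "office_productivity", "severity": "medium",
     "released": T0 + timedelta(days=19), "patched": None},          # open, window not yet closed
    {"id": "VULN-EXAMPLE-5", "asset_class": "internal_server", "severity": "high",
     "released": T0, "patched": None},                               # no window on the page
]
NOW = datetime(2025, 6, 25, 9, 0)  # constructed "current time" for the demo

if __name__ == "__main__":
    for rid, status, deadline in (assess(r, NOW) for r in SAMPLE_RECORDS):
        print(f"{rid:16s} {status:20s} deadline={deadline}")
    print("overdue:", overdue_ids(SAMPLE_RECORDS, NOW))
```

The useful part for a practitioner is the `None` branch: a window the policy does not define should surface as a gap for the risk owner to decide, not silently inherit the longest deadline.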

Jampen, D., Gür, G., Sutter, T. et al. Don’t click: towards an effective anti-phishing training. A comparative literature review. Hum. Cent. Comput. Inf. Sci. 10, 33 (2020). https://doi.org/10.1186/s13673-020-00237-7

The Scale and Evolution of the Phishing Problem

Let me start with something striking: phishing attacks have remained remarkably persistent despite our best efforts. The paper shows that between 2016 and 2019, anywhere from 118,000 to 349,000 unique phishing attacks were reported yearly. What's particularly interesting is that these aren't just random attempts - the average phishing website stays active for about 62 hours before being taken down, which gives attackers a substantial window to steal credentials.

The financial impact is staggering. Direct losses from phishing in the U.S. alone range from $61 million to $3 billion annually, but that's just the tip of the iceberg. When you factor in business disruption and recovery costs, cybercrime (often initiated through phishing) was estimated to cost $3 trillion globally in 2015, with projections suggesting this could double by 2021.

The Surprising Psychology of Phishing Victims

One of the most counterintuitive findings involves who falls for phishing attacks. You might assume technically savvy people are safer, but the research reveals something unexpected: IT professionals and those with technical backgrounds often perform worse at detecting phishing emails when they're aware they're being tested. The paper suggests this might be due to overconfidence - they think they know what to look for and become less cautious.

Age patterns are equally surprising. People aged 18-25 are consistently more vulnerable to phishing than other age groups. This challenges the assumption that digital natives are naturally more security-aware. The research suggests this might be because younger users have less experience with the consequences of security breaches.

What Makes Phishing Emails Successful

The paper reveals a fascinating hierarchy of effective phishing topics. The top five most successful email subjects are:

  1. Shipping notifications
  2. Order confirmations
  3. Received fax notifications
  4. Complaints
  5. Messages from banks or government institutions

These work because they create urgency and tap into our fear of missing something important. Interestingly, emails about celebrities, sports, or newsletters have very low success rates - the top five topics have more than twice the click-through rate of less effective topics.

Here's a particularly clever finding about URL manipulation: phishing emails that use "derived domains" (like facebook-login.com instead of facebook.com) or well-hidden typos (twittter.com) are the hardest for users to detect. Over 60% of participants failed to identify these as phishing attempts.
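As an added, defender-side illustration (not code from the review or its authors), the following Python script flags the two lookalike patterns the review found hardest for users to catch, run over constructed sample URLs of the kind a mail gateway logs. The brand list, the two-label registrable-domain rule and the edit-distance threshold are assumptions chosen for the demo.

```python
"""Lookalike-domain check (added example, not code from the reviewed paper).

Flags the two URL tricks the review reports as hardest for users to spot:
'derived' domains that embed a brand name in a different registrable domain
(facebook-login.com) and near-miss typos (twittter.com). Brand list,
thresholds and sample URLs are constructed for the demo.
"""
from urllib.parse import urlparse

# Constructed allow-list: brand keyword -> the brand's legitimate registrable domain.
PROTECTED_BRANDS = {
    "facebook": "facebook.com",
    "twitter": "twitter.com",
    "paypal": "paypal.com",
}


def registrable_domain(host):
    """Return the last two labels of a host name.

    Simplification (assumption): ignores multi-label public suffixes such as
    co.uk; a real deployment would consult the Public Suffix List."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete
                           cur[j - 1] + 1,              # insert
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify_url(url, brands=PROTECTED_BRANDS, max_edits=2):
    """Classify a URL's host against the protected brands.

    Returns (verdict, brand) where verdict is one of:
      'legitimate' - registrable domain is exactly the brand's own domain
      'derived'    - brand keyword appears in a host whose registrable domain
                     is NOT the brand's (facebook-login.com,
                     paypal.com.account-verify.net)
      'typo'       - registrable name within max_edits of the brand keyword
                     (twittter.com, paypa1.com)
      'unrelated'  - no relation to any protected brand
    """
    if "://" not in url:
        url = "http://" + url
    host = urlparse(url).hostname or ""
    reg = registrable_domain(host)
    name = reg.split(".")[0]

    for brand, legit in brands.items():
        if reg == legit:
            return "legitimate", brand
    for brand in brands:
        if brand in host:
            return "derived", brand
    for brand in brands:
        if levenshtein(name, brand) <= max_edits:
            return "typo", brand
    return "unrelated", None


def scan(urls):
    """Classify a batch of URLs; returns [(url, verdict, brand), ...]."""
    return [(u, *classify_url(u)) for u in urls]


if __name__ == "__main__":
    # Constructed sample URLs, not taken from any real campaign.
    SAMPLE_URLS = [
        "https://www.facebook.com/login",
        "https://facebook-login.com/verify",
        "http://twittter.com/home",
        "https://paypal.com.account-verify.net/",
        "https://example.org/",
    ]
    for url, verdict, brand in scan(SAMPLE_URLS):
        print(f"{verdict:10s} {brand or '-':9s} {url}")
```

A gateway or SIEM rule built on this idea would pair the brand list with the organisation's own domains and treat a `derived` or `typo` verdict as grounds to warn or quarantine rather than block outright, since very short registrable names occasionally land within two edits of a brand keyword.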

The Curiosity Factor

One of the most psychologically interesting findings involves why people click on suspicious links even when they suspect something's wrong. The research found that 34% of users click out of pure curiosity about what the content might be, and another 27% click specifically to verify whether their suspicions are correct. This means that even security awareness doesn't always translate to safe behavior - human curiosity often overrides caution.

Training That Actually Works

The paper makes a compelling case for "embedded training" - training that happens in real-time when someone fails a simulated phishing test. Users who received embedded training spent an average of 97 seconds reading the materials, compared to just 37 seconds for traditional training materials. This translates directly to better retention and performance.

Comic-based and game-based training materials consistently outperform text-only training. The game "Anti-Phishing Phil" showed particularly strong results in helping users identify phishing URLs. This suggests that engagement and interactivity are crucial for effective learning.

The Limits of Awareness

Perhaps the most sobering finding is that even with training, certain groups of users remain vulnerable. The research identified two problematic groups:

  • "All clickers" (11% of users) who click on everything regardless of training
  • "Non-clickers" (22%) who never click on anything, including legitimate emails

This suggests that a one-size-fits-all approach to training won't work for everyone.

Knowledge Retention Challenges

The temporal aspect of training effectiveness is particularly important. While users can retain anti-phishing knowledge for at least 7-28 days after training, there's significant degradation after 5 months. This means organizations need to implement regular retraining programs, ideally at least four times per year.

Individual Vulnerability Factors

The paper presents a sophisticated model called the Suspicion Cognition Automaticity Model (SCAM) that explains why people fall for phishing. It identifies five key factors:

  1. Cyber risk beliefs
  2. Email processing habits (both systematic and heuristic)
  3. Self-regulation deficiencies
  4. Developed email habits
  5. Overall suspicion levels

What's particularly useful about this model is that it can help identify which specific aspect of training each individual needs most.

The Rapid Response Window

Timing is critical in phishing attacks. The research shows that most victims who will click on a phishing link do so within the first 24 hours - many within the first 12 hours. After 24 hours, click rates plateau dramatically. This suggests that if organizations can delay employee interaction with suspicious emails (through quarantine or delayed delivery), they could significantly reduce successful attacks.

Organizational Challenges

Large enterprises (1000-5000 employees) spend approximately $290,000 per year on security awareness training, including anti-phishing components. Despite this investment, around 10% of users still fall victim to phishing attempts. This raises important questions about the cost-effectiveness of current approaches.

The Technology Gap

The paper reveals a significant disconnect between academic research and practical tools. While researchers have identified numerous factors that influence training effectiveness (personality traits, psychological profiles, individual progression systems), none of the commercially available anti-phishing training tools actually implement these advanced features. Most tools still use a one-size-fits-all campaign approach rather than the individualized, adaptive training that research shows is most effective.

This comprehensive review ultimately suggests that while we understand a great deal about what makes anti-phishing training effective, there's still a substantial gap between knowledge and implementation. The future of anti-phishing training likely lies in more personalized, psychologically-informed approaches that adapt to individual users' needs and learning styles.

Effectiveness of and user preferences for security awareness training methodologies

Heliyon, ISSN 2405-8440, Vol. 5, Issue 6, Page e02010. Publication year 2019. Retrieved August 4, 2025, from https://www.cell.com/heliyon/fulltext/S2405-8440(19)35666-X?_returnURL=https%3A%2F%2Flinkinghub.elsevier.com%2Fretrieve%2Fpii%2FS240584401935666X%3Fshowall%3Dtrue

The Core Research Design and Its Surprising Results

This study from Thailand presents a particularly interesting experimental setup. The researchers divided participants into two groups: Group A received a combination of video, game, and text-based training materials they could complete at their own pace. Group B received all of that plus an additional 45-minute instructor-led classroom session. You might expect the group with more training to perform significantly better, but here's where it gets interesting - they didn't.

Before we dive into why, let me explain what makes this study unique. The researchers used actual simulated phishing attacks rather than just screenshots or hypothetical scenarios. They sent fake phishing emails to participants both before and after training, measuring who would actually click the links and enter data. This real-world approach gives us much more reliable insights than laboratory studies.

The Remarkable Success Rate (But With a Twist)

The overall training effectiveness was dramatic. Before training, about 34% of participants fell for phishing emails. After training, this dropped to just 5.7% - a reduction of nearly 85%. This demonstrates that anti-phishing training genuinely works, even with relatively simple materials.

However, here's the counterintuitive finding: adding classroom training didn't improve results. Group B, despite spending nearly twice as long in training (including the instructor-led session), showed no statistically significant improvement over Group A. This challenges the common assumption that more training automatically equals better results.

The Psychology of Phishing Susceptibility

The study reveals fascinating patterns in how people fall for phishing attempts. The most successful phishing emails were those in the "risk or loss" category - messages warning that accounts would be suspended or services canceled. These triggered immediate action from participants, overriding their caution.

Interestingly, participants rarely clicked on "benefit or gain" emails (like winning prizes) or purely informational messages. This suggests that fear is a more powerful motivator than greed when it comes to phishing success. Understanding this helps explain why certain phishing campaigns are so effective in the real world.

The Preference Paradox

One of the most intriguing findings involves what I call the "preference paradox." When asked to rate different training methods, participants showed no significant preference between video, text, and game-based training. However, when forced to choose just one favorite method, Group B overwhelmingly selected classroom training (56% chose it, statistically significant at p=0.007).

This creates an interesting dilemma for organizations: participants strongly prefer the training method that doesn't actually improve their performance. It's like preferring a teaching style that makes you feel like you're learning more, even when objective measures show no additional benefit.

Cultural and Demographic Insights

The study provides valuable cross-cultural validation. The Thai participants (all computer science students) showed remarkably similar patterns to German vocational students in a previous study, despite vast cultural and educational differences. Both groups showed:

  • Similar confidence increases after training
  • Comparable satisfaction ratings
  • No significant difference in effectiveness between training methods

This universality suggests that phishing susceptibility and training effectiveness may be more about human psychology than cultural factors.

The Screenshot Assessment Paradox

The researchers used two different measurement methods, and they contradicted each other in interesting ways. When participants reviewed screenshots of emails and websites, Group B (with classroom training) showed better improvement. But when facing actual simulated phishing emails, both groups performed identically.

This discrepancy reveals something important: the ability to identify phishing in a careful, analytical context (looking at screenshots) doesn't necessarily translate to real-world situations where emails arrive unexpectedly during normal work activities.

The Power Analysis Reality Check

The study includes a sobering statistical power analysis that many research papers omit. For several non-significant findings, the researchers calculated how many participants would be needed to potentially detect differences. Some tests would require over 11,000 participants to achieve statistical significance - essentially confirming that no meaningful difference exists.

This honest assessment helps us understand which non-findings are due to small sample sizes (and might change with more participants) versus those that represent genuine lack of difference.
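To make the power-analysis point concrete, here is an added Python example (not code from the Heliyon paper) using the standard normal-approximation sample-size formula for a two-sided two-proportion test, plus the achieved power for a given group size. The two pairs of click rates it evaluates are constructed for illustration and are not the study's own figures.

```python
"""Sample size and power for comparing two failure rates (added example; not
from the Heliyon paper). Uses the normal-approximation formulas for a
two-sided two-proportion z-test. The rates plugged in below are constructed."""
from math import ceil, sqrt
from statistics import NormalDist

_STD_NORMAL = NormalDist()


def sample_size_two_proportions(p1, p2, alpha=0.05, power=0.80):
    """Participants needed in EACH group to detect p1 vs p2 at two-sided
    significance alpha with the given power. Variance is pooled under H0 and
    unpooled under H1, the usual textbook form."""
    if not (0 < p1 < 1 and 0 < p2 < 1) or p1 == p2:
        raise ValueError("rates must lie in (0, 1) and differ")
    z_alpha = _STD_NORMAL.inv_cdf(1 - alpha / 2)   # critical value for the test
    z_beta = _STD_NORMAL.inv_cdf(power)            # quantile for the desired power
    p_bar = (p1 + p2) / 2
    numerator = (z_alpha * sqrt(2 * p_bar * (1 - p_bar))
                 + z_beta * sqrt(p1 * (1 - p1) + p2 * (1 - p2)))
    return ceil((numerator / abs(p1 - p2)) ** 2)


def power_for_n(p1, p2, n, alpha=0.05):
    """Achieved power when n participants per group are compared: the chance
    that a true difference |p1 - p2| pushes the test statistic past the
    critical value."""
    z_alpha = _STD_NORMAL.inv_cdf(1 - alpha / 2)
    p_bar = (p1 + p2) / 2
    z = ((abs(p1 - p2) * sqrt(n) - z_alpha * sqrt(2 * p_bar * (1 - p_bar)))
         / sqrt(p1 * (1 - p1) + p2 * (1 - p2)))
    return _STD_NORMAL.cdf(z)


if __name__ == "__main__":
    # Constructed scenarios: a large gap and a tiny gap between two groups' click rates.
    for p1, p2 in [(0.50, 0.60), (0.057, 0.050)]:
        n = sample_size_two_proportions(p1, p2)
        print(f"{p1:.3f} vs {p2:.3f}: n = {n} per group; "
              f"power with 60 per group = {power_for_n(p1, p2, 60):.2f}")
```

The second scenario is the kind of result the paper reports: once two groups differ by well under a percentage point, the required sample runs into the tens of thousands per group, and a study of ordinary size has only a few percent power to see it, which is why a "non-significant" finding there is best read as no practically meaningful difference.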

Immediate Learning vs. Long-term Retention

A critical limitation acknowledged by the researchers involves timing. Some previous studies showing stronger effects tested participants immediately after training, when knowledge was fresh. This study waited several days, providing a more realistic assessment of retained knowledge.

The researchers also note that participants might have shared training materials despite receiving individual links, reflecting real-world behavior where employees often collaborate on security training.

The Spear-Phishing Factor

The simulated phishing emails were designed to look like services from Mahidol University (where the study took place) but deliberately avoided using exact logos or names. This made them more like spear-phishing attacks - targeted but not perfect replicas. Despite this increased difficulty, the training still proved highly effective.

Practical Implications for Organizations

This research offers several actionable insights for organizations designing anti-phishing programs:

  1. Simple training works: Even basic materials (videos, games, text) can reduce phishing susceptibility by 85%.
  2. More isn't always better: Doubling training time with instructor-led sessions doesn't improve outcomes.
  3. Consider preferences carefully: Employees may prefer training methods that feel more engaging but don't actually improve performance.
  4. Fear trumps greed: Focus training on recognizing "urgent action required" phishing attempts rather than "you've won a prize" scams.
  5. Test in realistic conditions: Screenshot-based assessments may overestimate real-world phishing detection abilities.

The study ultimately suggests that organizations can achieve excellent anti-phishing training results with relatively simple, self-paced materials. The key isn't necessarily investing in expensive classroom training, but rather ensuring all employees complete some form of training and understanding that the most dangerous phishing emails are those that create urgency through fear of loss.

Cyber Security and Australian Small Businesses: Results from the Australian Cyber Security Centre Small Business Survey

Australian Signals Directorate (ASD). (2023). Retrieved August 11, 2025, from https://www.cyber.gov.au/sites/default/files/2023-03/Cyber%20Security%20and%20Australian%20Small%20Businesses%20Survey%20Results%20-%2020201130.pdf

Pages 1-3: Executive Summary & Introduction

The most striking finding is that 97% of Australian SMBs consider cybersecurity important, yet nearly half spend less than $500 annually on it. More concerningly, 62% have already experienced a cyber incident - that's nearly two-thirds of all small businesses surveyed having been compromised.

Pages 4-5: Executive Snapshot

The survey captured 1,763 responses, providing a robust picture of the SMB landscape. What's particularly revealing is the profile of the average respondent: they're typically the business owner who handles their own IT, and while 80% rate cybersecurity as "very important," they simultaneously rate their understanding as only average or below average.

Page 6: Key Barriers

The report identifies four critical barriers preventing good cybersecurity practices. The most insightful is the "complexity and self-efficacy" problem - business owners know they're struggling but don't know where to begin. This creates a paralyzing effect where awareness doesn't translate into action.

Pages 7-9: Methodology & Industry Distribution

The survey methodology reveals something important: the sectors most represented (Professional/Scientific/Technical Services at 17%, Retail at 10%) are those heavily reliant on digital operations. This suggests a self-selection bias where digitally-dependent businesses are more likely to engage with cybersecurity resources, potentially meaning the real situation for less digital businesses could be worse.

Pages 10-11: Spending Patterns

Here's where it gets concerning: 48% of SMBs spend less than $500 per year on cybersecurity, and this correlates strongly with business income. Half of all respondents earn less than $250,000 annually, creating a vicious cycle where those who can least afford a breach also invest least in prevention.

Pages 12-13: Device Usage

A critical security gap emerges: one in four SMBs using PCs run Windows 7 or older (unsupported systems), while one in five Mac users don't even know what operating system they're using. This basic lack of awareness about their own infrastructure represents a fundamental vulnerability.

Pages 14-15: The Outsourcing Paradox

This section contains perhaps the most important finding: SMBs that outsource their IT security believe they're better protected than they actually are. The data shows outsourced providers often don't implement all essential security measures, creating a dangerous false sense of security. Meanwhile, 97% of sole traders take a DIY approach, often without adequate knowledge.

Pages 16-17: Risk Evaluation After Incidents

The psychology here is fascinating: SMBs that have experienced a cyber incident rate future likelihood as "almost certain" (72%), while those who haven't consider it merely "possible" (25%). Yet paradoxically, 87% believe they could recover immediately or within days - a dangerous underestimation of recovery time that the ACSC's actual incident reports contradict.

Pages 18-19: The Knowledge Gap

This is genuinely alarming: one in five SMBs didn't know what "phishing" meant - the most common form of cyberattack. Nearly one in ten couldn't explain ANY of the nine basic cyber risks listed. This isn't just a skills gap; it's a fundamental vocabulary problem that prevents businesses from even discussing threats effectively.

Pages 20-21: The Overconfidence Problem

Here's where cognitive bias becomes dangerous: the report identifies four confidence profiles, with 20% of SMBs being "possibly overconfident" - rating their understanding as above average while implementing few actual security measures. These businesses are particularly vulnerable because they don't realize they need help. Meanwhile, 48% know they need help but don't know where to start.

Page 22: Operating System Awareness

The technical literacy gap continues: nearly a quarter of Apple users don't know their operating system version at all. This matters because unsupported systems don't receive security patches, leaving known vulnerabilities permanently exposed.

Pages 23-24: Conclusions

The report concludes with a sobering reality: Australian SMBs universally recognize cybersecurity's importance but face systematic barriers including lack of dedicated IT staff, the complexity of the field, dangerous underestimation of risks, and poor incident planning. The psychological factors - particularly overconfidence and the "it won't happen to me" mentality - are as significant as technical deficiencies.

The Most Profound Insight

The overarching revelation is the dangerous gap between perception and reality. Businesses believe they understand cybersecurity (confidence), believe they're protected (especially if outsourcing), and believe they could quickly recover from incidents - yet the data shows they're wrong on all three counts. This trinity of false confidence creates a perfect storm of vulnerability, where those who most need help are least likely to seek it because they don't realize they're at risk.

This report essentially reveals that the human factor - particularly cognitive biases around risk assessment and self-evaluation - may be more critical to address than technical vulnerabilities themselves.