A research paper in the Journal of Computer Information Systems says that security awareness training is a necessary complement to technical defenses and security policies, SC Magazine reports. Published by researchers from the University of Sussex and the University of Auckland, the paper acknowledges that technical defenses can help, but they can’t influence the human behavioral responses targeted by social engineering.

Hamidreza Shahbaznezhad, a co-author of the report and senior data scientist in industry at the University of Auckland, said in a press release that technical defenses are helpful but not comprehensive.

“Although technical countermeasures such as anti-phishing and spamming tools, email malware detection and data loss prevention are deployed to mitigate the risk of phishing attacks, using these technologies to detect phishing attacks remains a challenging problem,” Shahbaznezhad said. “This is not least because they often require human intervention to analyze and distinguish between phishing and legitimate emails.”

Dr. Mona Rashidirad, co-author and lecturer in strategy and marketing at the University of Sussex Business School, added that awareness training needs to be factored into organizations’ security budgets.

“Security safeguards alone will not protect a company from phishing scams,” Dr. Rashidirad said. “Organizations and individuals substantially invest in security safeguards to protect the integrity, availability, and confidentiality of information assets. However, our study supports the findings of recent studies that these safeguards are not adequate to provide the ultimate protection of sensitive and confidential information.”

The researchers write that training programs should teach employees how to think about their own behavior, and how attackers can manipulate them.

“Indeed, security practitioners should aim such information security awareness programs to inform users about intrinsic and extrinsic factors which can influence their behavior,” the paper says. “Therefore, employees can be more vigilant to understand how cybersecurity criminals can exploit employee’s perception from different individual/motivational, organizational, and technological perspectives. Employees may need to know about the existing security arsenals alongside with the security risks that could be exploited by malicious attackers.”

Organizations need to implement a combination of technical solutions, security policies, and employee training to combat these threats. New-school security awareness training can enable your employees to defend themselves against social engineering attacks.