The weakest part of your cybersecurity can be identified by looking at how cyberattacks take place, and how well your defenses stand up. But did you know the answer comes from the year 1885?

While cybersecurity is a constantly moving target, there are some constraints on threat actors that keep their methods and tactics within a realm of possible actions. For example, they need to work within the confines of the operating systems used by the victim organization, which only have so many ways to be exploited and taken advantage of. The same is true for users: with 85% of breaches involving a human element, cybercriminals use a combination of urgency and credibility to convince the potential victim to engage with the threat actor’s malicious content. And while new phishing themes are constantly being created to align with current events, the tactics feel very much the same; it’s pretty much always click the link, open the attachment, or reply to the email.

So, if it’s really as simple as making sure users don’t interact with malicious email content, why are cyberattacks continuing to flourish? Part of the answer lies with organizations that don’t enlist their users to play a role in protecting the organization. If users are educated with Security Awareness Training to be mindful of malicious content in their Inbox, they are less likely to interact with and fall for phishing attacks.

But just putting users through this kind of training a few times a year isn’t enough.

The core of the problem is that people forget what they’ve learned. Back in 1885, German psychologist Hermann Ebbinghaus hypothesized that memory retention declines over a very short period of time, something now known as the Forgetting Curve. In as little as 20 minutes, 40% of what’s been learned has already been forgotten.

[Figure: the Forgetting Curve. Source: The Forgetting Curve]

He found that repetition in learning over a period of time (in most cases, repetitions were measured in days) actually increases the percentage of knowledge retained. You can see below the impact on the percentage of information retained when the information is re-reviewed over time.

[Figure: retention with repeated review over time. Source: The Forgetting Curve]

Applying this to cybersecurity, it becomes clear that a) even if users are put through some form of training, they will forget most or all of what they’ve learned (and will click the malicious link sometime in the future), and b) it takes continual Security Awareness Training to ensure users retain best practices, good cyber hygiene, and a vigilant state of mind when interacting with unsolicited (and potentially malicious) email content.