A new report reveals that two thirds of critical infrastructure employees report a real malicious email attack within their first year of training, and that threat detection behavior in the sector is 20 percent higher than the industry average.

The “Human Cyber-Risk Report: Critical Infrastructure” report, released by Hoxhunt, examined human risk in the critical infrastructure sector by analyzing more than 15 million phishing simulations and real email attacks reported in 2022 by 1.6 million people participating in security behavior change programs. The research highlights that critical infrastructure employees are comparatively more engaged in organizational security, as their phishing reporting and miss rates indicate.

The report revealed that 66 percent of active participants in security behavior training programs at critical infrastructure organizations detect and report at least one real malicious email attack within a year of commencing training. Resilience velocity, the speed at which an organization reaches its highest level of actual threat detection behavior, is also 20 percent higher in the critical infrastructure sector: organizational threat detection rates peak at 10 months, compared to the 12-month average in most other industries.

The phishing simulation success rate, meaning a simulation is reported rather than skipped or failed, is 61 percent higher in critical infrastructure than the global average after 12 months. In addition, the resilience ratio, success rate relative to failure rate, is 51 percent higher in critical infrastructure: 10.9 for critical infrastructure compared to the 7.2 global industry average.

The report also reveals that critical infrastructure employees are most likely to fall victim to spoofed internal organizational communications. While this is the most effective type of phishing attack across most sectors, the study found that these attacks induce an 11.4 percent higher failure rate in the critical infrastructure sector compared to global averages.

The research also highlights that communication, marketing and business development departments are most likely to be victims of phishing attacks. The most resilient departments are finance, sales and legal. These results track with global averages except for the high performance of sales, whose success in critical infrastructure is greater than the global average.