Press Release


 Few Professionals Are Fully Confident in Ability to Assess the Effectiveness of Their Phishing Defenses 

New guide highlights findings from ISACA phishing survey and offers best practices for improvement

Schaumburg, IL, USA (14 March 2019)—Findings from a recent ISACA survey about strategies for phishing defense showed that only 12 percent of the roughly 1,5000 respondents were completely confident in their ability to assess the effectiveness of their phishing awareness efforts.

In the new paper, Phishing Defense and Governance, released in partnership with Terranova Security, ISACA outlines key takeaways from this phishing research that reached security, assurance, risk and governance professionals, including:

  • Only a slight majority (63 percent) regularly monitor and report on the effectiveness of their activities.
  • 38 percent of respondents reported that their organizations develop security awareness collateral and anti-phishing materials internally.
  • 85 percent of enterprises measure and regularly report on the effectiveness of their phishing awareness programs

There is still a divide when it comes to organizations employing awareness activities such as email newsletters and online and in-person training, when compared to assessments of what employees have learned, through simulations and other knowledge-based tools. Simulation is not a common component of phishing awareness and training, with only 57% of those surveyed saying they perform phishing simulation, and 25% reporting they use other active knowledge-based assessment of employee phishing behavior.

“Current phishing defense strategies and implementation are clearly not hitting the mark,” said Frank Downs, director of cybersecurity practices at ISACA. “Strengthening these defense activities and improving outcomes is within reach, but requires careful planning and execution, and eliminating any gaps in managing and implementing these security awareness initiatives internally and externally.”

Phishing Defense and Governance also examines the potential correlation between joint internal and outsourced collateral development and the increased ability to report and measure on effectiveness, as well as the ways in which external service providers can be used to help support phishing defense. The white paper also provides some main areas of improvement where professionals should focus their attention when seeking to improve their phishing defenses, including:

  • Ensuring the organization has the capability to validate user behavior modification (such as through a phishing simulation)
  • Evaluating the outsourcing or co-sourcing relationships in place and determining where the organization has gaps in the quality of information it is receiving
  • Setting clear goals for improvement and tracking to them

“Phishing attacks continue to grow each year both in number and in cost to organizations globally and countless new phishing scenarios are created every day,” said Theo Zafirakos, CISO at Terranova Security. “While human error continues to prevail as the leading cause of all breaches and security incidents, security professionals agree the most effective way to reduce human risk is with security awareness and phishing simulation training.”

The Phishing Defense and Governance whitepaper can be downloaded for free at For another perspective on phishing, read this ISACA Now blog post, “The C-Suite is the New Main Target of Phishing,” by Harold Walker, CISSP, Phishing Awareness Evangelist, Terranova Security.

About Terranova Security

Terranova Security is a global leader in security awareness training, recognized by Gartner®, with 1000+ successful phishing awareness and security awareness training programs spanning over 6-million users. Terranova Security is committed to partnering with CISOs and security professionals to help reduce human risk and support each organization with a personalized and consultative approach for phishing and awareness training needs. Uniquely positioned to support security leaders govern, manage and measure changes in behavior, Terranova Security provides true flexibility and delivery models for phishing and security awareness training. Learn more:


Now in its 50th anniversary year, ISACA ( is a global association helping individuals and enterprises achieve the positive potential of technology. Today’s world is powered by information and technology, and ISACA equips professionals with the knowledge, credentials, education and community to advance their careers and transform their organizations. ISACA leverages the expertise of its 460,000 engaged professionals—including its 140,000 members—in information and cybersecurity, governance, assurance, risk and innovation, as well as its enterprise performance subsidiary, CMMI Institute, to help advance innovation through technology. ISACA has a presence in 188 countries, including more than 220 chapters worldwide and offices in both the United States and China.


Press Contacts

Emily Van Camp, +1.847.385.7223,