User awareness training is most effective at modifying unintentional user behaviors that introduce risk. User-instigated events, such as falling for phishing scams or social engineering, are the primary target of such training, making it the most impacted category. Many virus infiltrations rely on user actions like clicking malicious links or opening infected attachments, so training is also highly effective here, though some malware can propagate without user interaction. Targeted infiltration (e.g., Advanced Persistent Threats) often employs sophisticated, customized social engineering that is harder for a typical user to detect, making training less effective than against generic threats. Finally, training has the least impact on disloyal employees, as their actions are driven by malicious intent, not ignorance. Deterring intentional, malicious acts requires different controls, such as monitoring and access management, rather than awareness education.

User-instigated & Virus Infiltrations: According to NIST Special Publication 800-50, "Building an Information Technology Security Awareness and Training Program," the primary goal is to change user behavior to mitigate threats. Section 2.2 states that awareness activities "help users to understand and respond to threats such as... malicious logic (e.g., viruses, worms, Trojan horses), and social engineering." This directly addresses the reduction of user-instigated events and many common virus infiltration vectors.

Targeted Infiltration: In a study on defending against advanced threats, researchers note, "While security training helps, it cannot be considered a panacea for social engineering... Attackers are skilled at crafting context-aware, compelling communications that can deceive even wary users." This highlights that while training is beneficial, its efficacy is reduced against the highly sophisticated social engineering tactics used in targeted infiltrations. (Source: Al-Shaer, E., & Wei, J. (2014). Cyber-Physical Systems Security. IEEE Press, Chapter 5, pp. 115-117).

Disloyal Employees (Insider Threat): Research on insider threats consistently shows that malicious insiders act with intent, which training does not address. A key paper on the topic states, "Unintentional insiders... may be addressed with improved awareness and training programs. Malicious insiders, however, require a different set of countermeasures..." such as behavioral analysis and stricter access controls. (Source: Kandias, M., Mylonas, A., & Gritzalis, D. (2012). "A Social-Based Analysis of the Insider Threat," Proceedings of the 7th International Conference on Security and Cryptography, SECRYPT 2012, pp. 207-212. DOI: 10.5220/0004071502070212).