AI/OSINT Phishing and Cybersecurity Awareness

This study examined the impact of AI/OSINT-enabled (spear)phishing on organizational cybersecurity awareness compared to conventional phishing exercises and normative training.

The research involved 539 participants in Switzerland (2024–2025) and measured two dimensions of awareness:

• Risk attitudes (via standardized questionnaires)

• Risk behaviors (via controlled phishing simulations across three phases)

Key findings:

• Normative training significantly improved employees’ perceptions and sense of responsibility, strengthening attitudes toward cyber risk.

• AI/OSINT spearphishing produced the strongest behavioral effects, reducing susceptibility by ~60% compared to baseline.

• Conventional phishing achieved similar but weaker improvements, with higher relative cost.

• The European OSINT environment yielded less data than U.S. contexts, limiting AI phish realism, but effectiveness remained substantial.

• Results confirm that training and exposure are complementary: training shifts mindsets, while exposure changes actions.

Conclusion

An integrated approach—combining structured training with realistic phishing exposure—emerges as the most effective strategy for sustainable cyber risk management, and for preparing organizations under frameworks such as NIS2 and the EU AI Act.

Download the full report.