In the world of cybersecurity, phishing is a very real and very serious threat. It’s one of the most common ways that hackers gain access to sensitive data and wreak havoc on businesses. As a result, many companies have turned to phishing simulations as a way to educate their employees on the dangers of phishing and to improve their security awareness.
But not all phishing simulations are created equal. In fact, many of the features that our competitors sell as “must-haves” are actually terrible ideas that we tried and retired a long time ago.
User Exploitation as Part of Security Awareness?
One of the most common features of enterprise phishing simulations is the credential-capture landing page, designed to test whether users will type in their credentials. At first glance, this might seem like a good way to identify vulnerable employees. In practice, it’s a form of exploitation that can lead to a punitive culture within the organization.
The moment a user realizes their mistake, they’re uniquely susceptible to learning. Instead of punishing them, we should be using this moment as an opportunity for just-in-time education. By providing relevant and timely information at the moment of the mistake, we can help employees recognize and avoid phishing attacks in the future.
Interestingly, the physiological response the body goes through at the moment of a mistake can actually help to improve learning outcomes. When we make a mistake, our body goes through a stress response that triggers the release of cortisol. This can help to consolidate memories and improve retention. By providing just-in-time education and training at the moment of the mistake, we can take advantage of this stress response and improve learning outcomes.
Another terrible idea is alerting supervisors every time someone clicks on a phishing simulation. This is a classic example of a punitive culture. Most managers will react with punishment, which can create a hostile and unproductive work environment.
Remedial Binge Training? SMH
Many companies make the mistake of requiring their employees to go through long and tedious training sessions after they fail a phishing simulation. Not only is this approach ineffective, but it can also create a culture of fear and punishment within the organization.
Instead of using this outdated approach, we use spaced learning. Spaced learning is a technique that involves delivering bite-sized pieces of information to employees on a regular basis. Our micro-content is between 20 and 60 seconds long and is delivered straight to the employees’ inboxes. This approach is much more effective than traditional training methods because it delivers the information in small, digestible chunks that are easy to remember.
By providing information in this way, we can create a culture of security where employees are constantly learning and improving their security awareness. This approach is also more flexible and adaptable than traditional training methods. We can easily update our micro-content to address new threats or vulnerabilities, and we can deliver it to employees at the moment they need it most.
Instead of abusing our users, we need to show them that we’re in this fight with them. We need to change the cyber culture and create the first human firewall. This means taking a different approach to security awareness training.
FIRST, DO NO HARM – The Hippocratic Oath of Security Awareness Training
“First, do no harm” is the guiding principle of all security awareness training. When we cultivate a punitive culture, we’re doing more harm than good. Punishing employees for making mistakes can create a hostile and unproductive work environment where people are afraid to speak up or report potential security issues.
On the other hand, when we encourage and motivate people to change, we create a culture of security where employees are invested in protecting the organization. Instead of punishing employees, we need to help them learn from their mistakes. This means providing just-in-time education and training at the moment of the mistake, rather than requiring employees to go through long and tedious training sessions.
By creating an environment where employees feel comfortable reporting potential security issues, we can identify and address vulnerabilities before they can be exploited by hackers. This requires a culture of trust and openness, where employees feel that their contributions are valued and that they won’t be punished for speaking up.
We MUST Entertain!
Finally, we need to make security awareness training fun and engaging. It’s not enough to just tell people what to do and what not to do. We need to create a culture of security where people are invested in protecting the organization. This means using gamification, rewards, and other creative strategies to make security awareness training more engaging and effective.
In conclusion, there’s a right way and a wrong way to do phishing simulations. The wrong way is to create a culture of fear and punishment. The right way is to create a culture of security where employees are invested in protecting the organization. By following the principles of “First, do no harm” and just-in-time education, we can create the first human firewall and protect our organizations from the dangers of phishing.