Why Phishing Employees Is Important To Building A Mature Security Awareness Program

Phishing simulations are an important component of any awareness education. They provide realistic learning experiences that have been shown to surpass the effectiveness of passive educational approaches such as courses alone. While arguments can be made against their efficacy, phishing simulations used in conjunction with more passive approaches such as courses or module-based training give organizations a layered defense against phishing.

While technical defenses against phishing such as email filters are essential, they are not foolproof, and phishing simulations are not a test of those controls: they measure how people respond to the messages that reach their inbox. Phishing simulations help identify vulnerabilities at both the individual and organizational levels, prompting improvement across the board.

In this blog, we’ll explain why phishing employees is important for building a mature cybersecurity culture within organizations.

Frequency Matters

Critics of phishing simulations argue that annual phishing tests, as required by many regulatory bodies, are insufficient. We agree that testing resiliency once a year does not adequately represent an organization’s cyber resiliency or its employees’ ability to spot and stop phishing attacks. Instead, we recommend regular, randomized phishing simulations that provide continuous learning opportunities and more accurately measure risk and resilience.

Without a diverse, randomized and realistic phishing program in place, most people would not be exposed to, and by extension prepared for, the range of phishing lures they may face. Exposing them to different simulations prepares them to identify and respond to potentially malicious messages. Importantly, the diversity of the simulations, together with an individual’s understanding that they WILL be phished, teaches them not to trust their inbox blindly.

If employees know that a phishing simulation is coming, or if the same simulation is sent to everyone at the same time, it is easy for one employee to alert the others, which masks whether employees can actually identify an attack on their own. While this method may produce high Report Rates and low Click Rates, it is not an accurate representation of an organization’s resiliency. If an employee who typically waits for others in the organization to alert them of a phish is targeted in a real phishing attack, they will likely lack the experience and knowledge to identify and report it, potentially exposing the organization to a breach.

Real-World, Hands-on Experience

Hands-on experience is more impactful than passive awareness training, such as a course on phishing lures, used in isolation. Simulations create an experience where employees must apply skills and knowledge in real time, in their actual inbox, against not just the simulations but every email they receive. This encourages them to move beyond blindly trusting that their inbox is a safe place and to think critically about the emails they get. The unpredictability, and the placement in someone’s real inbox, is an important component of effective and long-lasting learning because it most accurately reflects what they will experience in a real attack. Remember, in the event of a real attack, no one is going to warn the individual that it’s happening or point out which email is the phish. When people are forced to slow down and be cognizant of what could be in their inbox, it leads to measurable behavior change that effectively reduces risk for organizations.

A recent study found that hands-on experience through realistic phishing simulations significantly enhances employees’ ability to recognize and respond to phishing attempts, making these simulations more effective than theoretical education alone. When employees interact with a phishing simulation, it offers an immediate and impactful learning opportunity through contextual education based on the clicked simulation. This immediate feedback loop reinforces learning more effectively than theoretical training sessions.

Long-Term Learning

To encourage learning retention, a phishing simulation feedback loop should be implemented. The most effective feedback loops include responses to both positive and negative behavior. This idea can be traced back to behavioral science and is rooted in the concept of operant conditioning, a learning theory developed by B. F. Skinner which explains how behaviors are influenced by their consequences. An action with a positive consequence is more likely to be repeated than one with a negative consequence.

In a 2021 research paper, William Yeoh, He Huang, Wang-Sheng Lee, Fadi Al Jafari and Rachel Mansson explored the concept of operant conditioning in the context of phishing simulations. Their research found that using operant conditioning together with phishing simulations and courses enhances an individual’s awareness of phishing.

Reinforcing Learning

Organizations that place blame on individuals rather than addressing organizational-level gaps fail to consider the role of operant conditioning in driving positive security behaviors. Operant conditioning has three key components: reinforcement, punishment and the timing of reinforcement. Reinforcement, whether positive (adding something desirable) or negative (removing something unpleasant), increases the chance that a behavior is repeated; punishment decreases it. For example, if every time someone reported a phish to their security team they received a reward, they would be encouraged to keep reporting phishes. On the other hand, if every time someone clicked on a phish they received supplemental training and their manager was notified, that consequence would make them less likely to repeat the behavior.

Another way to look at the concept of punishment is as consequences for actions. Punishments can be positive or negative: positive punishments introduce a stimulus and negative punishments take one away. For example, a positive punishment would be that after a certain number of clicked phishing simulations the individual has to meet with their manager to discuss their clicking behavior. A negative punishment could be that after repeated poor cyber behavior certain access privileges are removed, or even that the person’s employment with the company is terminated.

It’s important to remember that punishments should be used sparingly, especially negative ones. We have found that positive punishments, such as remedial training and meetings with managers, can be extremely effective.

Providing Feedback

The final component, the timing of the reinforcement, affects how quickly and how strongly behaviors are learned or stopped. Immediate feedback on an action, whether through praise for correct actions or corrective measures for errors, creates a powerful learning environment. Imagine reporting a suspected phish and hours or days later receiving feedback on whether or not you were correct. You could easily forget what you even reported in that time. However, if you receive feedback within minutes of reporting, you are more likely to remember the interaction and repeat it.

Meeting People Where They Are

Effective phishing simulations should be dynamic and adaptive, avoiding unethical lures and ensuring simulations are relevant and fair. By integrating phishing simulations into a broader, ongoing cybersecurity strategy, organizations can foster a culture of vigilance and resilience, significantly reducing their susceptibility to phishing attacks. A 2019 study highlights that the goal of security awareness is about influencing behavior, not simply sharing knowledge:

“The primary purpose of cyber security-awareness campaigns is to influence the adoption of secure behavior online. However, effective influencing requires more than simply informing people about what they should and should not do: they need, first of all, to accept that the information is relevant, secondly, understand how they ought to respond, and thirdly, be willing to do this in the face of many other demands…”

Sending one-size-fits-all phishing templates to the entire organization regardless of education, experience or maturity does not provide meaningful metrics on risk and resiliency. Instead, organizations should use a dynamic, individual approach that draws on random phishing templates which increase in difficulty over time. This approach ensures fairness, builds up individual capacity and reduces the negative impacts of phishing simulations. Monthly phishing tests using a diverse set of templates at varying difficulty levels, as measured by the NIST Phish Scale, provide a more comprehensive picture of organizational risk and resilience. This continuous assessment is crucial for maintaining a high level of vigilance and adaptability among employees.
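The scheduling logic described above (and the tip-off problem raised under Frequency Matters) is easier to reason about in code. The following is an added illustrative example, not code from the original post or from any vendor platform. It gives each employee a randomly chosen lure at a randomly staggered delivery time, at a difficulty tier that moves up after a correct report and down after a click, and it reports how many people would receive the same lure on the same day. The three tier labels mirror the NIST Phish Scale's detection-difficulty ratings, but the numeric mapping, the template names and the sample employees are all constructed assumptions for this example.

```python
"""Per-individual randomized phishing simulation scheduler (illustrative example).

Assumptions: tier labels are modelled on the NIST Phish Scale's three
difficulty ratings, but the template-to-tier mapping, template names and
employee list below are constructed for this example only.
"""
import random
from collections import Counter
from dataclasses import dataclass, field

TIERS = ["least difficult", "moderately difficult", "very difficult"]  # assumed labels


@dataclass
class Template:
    name: str
    tier: int  # index into TIERS (assumed rating, not an official one)


@dataclass
class Employee:
    email: str
    tier: int = 0  # everyone starts on the easiest tier
    history: list = field(default_factory=list)  # (template name, outcome)


# Constructed sample lures; the tier assigned to each is an assumption.
TEMPLATES = [
    Template("generic-parcel-delivery", 0),
    Template("password-expiry-notice", 0),
    Template("shared-document-from-colleague", 1),
    Template("hr-benefits-enrolment", 1),
    Template("ceo-urgent-invoice-approval", 2),
    Template("it-helpdesk-mfa-reset", 2),
]


def pick_template(emp, templates, rng):
    """Pick a lure at the employee's current tier, avoiding their last three lures."""
    pool = [t for t in templates if t.tier == emp.tier]
    if not pool:
        raise ValueError(f"no templates at tier {emp.tier}")
    recent = {name for name, _ in emp.history[-3:]}
    fresh = [t for t in pool if t.name not in recent] or pool
    return rng.choice(fresh)


def schedule(employees, templates, window_days=30, seed=None):
    """Return one (email, template, day, minute) per employee, staggered over the window."""
    rng = random.Random(seed)
    plan = []
    for emp in employees:
        tpl = pick_template(emp, templates, rng)
        day = rng.randrange(window_days)
        minute = rng.randrange(8 * 60, 17 * 60)  # deliver during the working day
        plan.append((emp.email, tpl.name, day, minute))
    return plan


def max_same_lure_same_day(plan):
    """Largest group receiving the same template on the same day.

    A value of 1 means nobody can simply warn colleagues about 'the' phish."""
    counts = Counter((tpl, day) for _, tpl, day, _ in plan)
    return max(counts.values()) if counts else 0


def record_outcome(emp, template_name, outcome):
    """Adjust the individual's tier: report -> harder, click -> easier, ignore -> unchanged."""
    if outcome not in ("reported", "clicked", "ignored"):
        raise ValueError(f"unknown outcome {outcome!r}")
    emp.history.append((template_name, outcome))
    if outcome == "reported":
        emp.tier = min(emp.tier + 1, len(TIERS) - 1)
    elif outcome == "clicked":
        emp.tier = max(emp.tier - 1, 0)


def metrics(employees):
    """Organization-wide Click Rate and Report Rate over all recorded simulations."""
    outcomes = Counter(o for emp in employees for _, o in emp.history)
    sent = sum(outcomes.values())
    if sent == 0:
        return {"sent": 0, "click_rate": 0.0, "report_rate": 0.0}
    return {
        "sent": sent,
        "click_rate": outcomes["clicked"] / sent,
        "report_rate": outcomes["reported"] / sent,
    }


if __name__ == "__main__":
    staff = [Employee(f"user{i}@example.com") for i in range(12)]  # constructed
    print("largest same-lure-same-day group:", max_same_lure_same_day(schedule(staff, TEMPLATES, seed=7)))
    rng = random.Random(1)
    for cycle in range(3):  # three monthly cycles with random outcomes
        for email, tpl, _, _ in schedule(staff, TEMPLATES, seed=cycle):
            emp = next(e for e in staff if e.email == email)
            record_outcome(emp, tpl, rng.choice(["reported", "clicked", "ignored"]))
    print(metrics(staff))
    print({e.email: TIERS[e.tier] for e in staff})
```

Running the script prints how many employees would share a lure on one day (the number to drive toward 1 if tipping off colleagues is a concern), then the organization's Click Rate and Report Rate and each person's tier after three cycles. In a real program the tier history, not just the aggregate rates, is what tells you whether individuals are building capacity.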

A 2017 study found that mindfulness training reduced phishing susceptibility by nearly 30%. This supports the view that the timing, frequency and relevancy of education, for both phishing simulations and course-based learning, can effectively reduce risk for an organization and contribute to a mature security awareness program.

Organizations should strive to implement a balanced approach to security awareness that incorporates both ongoing monthly phishing simulations and more traditional, structured learning with courses. By doing so, they can create a mature, resilient security culture capable of adapting to evolving threats. It is important that we continue to invest in research on the effectiveness of phishing simulations so that we can continue to improve their efficacy in reducing risk for organizations.
