When it comes to employee awareness training, many organizations opt for phishing testing to gauge the state of their employee awareness. Others choose to phish and then teach via follow-up educational awareness content. Unfortunately, neither strategies are effective if your end goal is to change employee behavior towards phishing attacks.

Set Them Up for Success

Remember that “night-before-exam” anxiety? Most of us remember feeling a little nervous about taking a test; some of us experienced real panic attacks before a big math final, a driver’s license test and other occasions when our performance had been put to the test.

Testing is considered a valid tool to evaluate knowledge and performance after a learning experience has occurred. However, it is not an effective tool to introduce and reinforce the learning itself. In fact, in order to validate a test, it should cover more than one phishing attack scenario. One phishing simulation, which is the common practice with many vendor solutions, will not provide any significant data about risk level or awareness status.

So why do Chief Information Security Officers (CISOs) choose to utilize phishing emails for testing employees awareness, if the real goal is to encourage effective learning and transform employee behavior to lower the risk of real-life phishing attacks?

The simple answer is that testing tools are cheap and can be done as a one-off effort, with very little resources. The more complex answer is that organizations use testing due to their willingness to validate some thesis on the organization risk status, to get buy-in from management or approve awareness program budget.

If the organization’s intent is to foster learning and change employee behavior towards phishing attacks, these five simple principles are essential in establishing an effective phishing training program:

  1. Open and fair communications with all employees: Get your employees on-board by announcing the phishing simulation program kick-off, sharing the concerns regarding phishing risks, explaining the training process and goals.
  2. Learning simulations: Leverage and position the phishing simulations themselves as stimulating triggers to expose organizational weaknesses, as opposed to a trap to fail employees. 
  3. Continuous and Repetitive: These triggers will constantly change and diversify, even though in most cases hacker’s use the same old tricks, so make phishing simulations both continuous and repetitive with a rich variety of triggers.
  4. Immediate Feedback: The best learning happens in the moment of making the mistake when the employee is being exposed to the stimulating trigger - as soon as they click on the phishing simulation email. This approach is best leveraged when the content is dynamic and relevant - specific to each simulation email. 
  5. Data-Driven Training: Employee training should be based on and modified per real-time data, reflecting employee’s learning progress at any given time and adaptive training accordingly. There is no room for guesswork or random efforts when trying to achieve consistent change. 

Don’t Teach. Train.

Teaching is good for learning new academic material - when we need to memorize, process and analyze information. When it comes to changing behavior, there’s a need to train. Training improves reflexes and sharpen intuitions, and builds our memory muscles so we instinctively respond to a certain trigger in the desired manner.

In order to change behavior, there’s a need to re-shape the learning experience itself and keep it dynamic, customized and continuous. This may become a complex and resource-consuming task for CISOs to try to implement themselves.

Think about the training of tennis players. Teaching the theory can never achieve the desired results: building instincts and quick responses to ever-changing play scenarios. The difference lies in the need to make a decision within a fraction of a second and adjust the behavior accordingly versus circumstances which require knowledge that is not necessarily behavioral-based.  

Effective training requires hands-on, continuous, data-driven training that simulates real-life phishing attacks and trains employees on-the-job to truly change behavior and reduce the organizational risk of phishing attacks.