Phishing, probably one of the oldest tricks in the cybercrime playbook, is still very much in play. Despite the awareness efforts made by organizations and governments over the past years, the Fed’s security agency pegs 90% of all cyberattacks on phishing. This is because phishing exploits the human element (negligence and deception), which can neither be programmed, predicted nor foiled by technology alone.

But not all is doom and gloom. Empirical evidence suggests that employees who receive security awareness training are far better at recognizing security threats than those who haven't received any form of structured training.

But building an effective behavior awareness program doesn’t simply mean exposing employees to cybersecurity-related material or information. Instead, organizations must invest in building muscle memory and a healthy form of skepticism through intentional and methodical real-world simulations, in which employees are frequently exposed to security situations and can train their security reflexes by practicing secure behavior.

The five tips outlined below can help organizations create a positive anti-phishing behavior management program:

1) Give Your Program A Positive Tone: A positive tone from the top always helps change employees’ attitude toward and acceptance of the program. Conversely, if employees feel that the program is meant to trick them and make them fail, they will come to see the security team as an adversary. For training to be effective, people must want to learn, and this can only happen when the overall environment is healthy and transparent. Be extra careful not to heap shame on employees who fail a test. Focus on why these tests are important and what could’ve been done differently.

2) Make It Interactive and Engaging: Who says training can’t be fun? Gamification and innovative interactions can greatly boost enthusiasm and participation in training programs, as can engaging tutors or lessons, high-quality content and incentives.

3) Empower Employees: Training mustn’t be a checkbox activity carried out once a year. It must be brief, focused and run frequently. Simulations must feature the latest trends and tactics used by cybercriminals so that employees are up to date with the latest ploys used by fraudsters. Offer them tools to report phishing emails (such as a “Phish Alert” button or a “Report a Suspicious Email” button) that display a congratulatory message when they successfully detect a phishing attempt. Provide them with a hotline or easy access to the security team and ensure their feedback is taken seriously. Many users are hesitant to report phishing activity because the IT process is opaque and responses are slow.

4) Train on Individual Competency: Each employee is unique and has a different level of security skill, awareness and competency. Some will never fall victim to phishing attacks, while others might be repeat offenders. Because employees have different levels of security maturity, it can be useful to train specific employee groups at the level of their competence. Just as one cannot expect a grade school student to have the same level of competence as a high school student, organizations cannot apply the same level of training across the board.

5) Phish Frequently: Frequent simulation tests let employees know that the business takes security (and their own privacy) seriously and that training and simulations are standard practice and part of the organization's security culture. For anti-phishing behavior to be effective, employees must stay on guard for the next phish in their inbox so they can demonstrate their understanding of and alignment with the organization’s security goals.


Steer Clear of Common Phishing Program Mistakes

Here are common mistakes to avoid when crafting an anti-phishing behavior management program:

  1. Avoid singling out users, reprimanding employees and making a public example of them.
  2. Avoid sending a phishing campaign once a quarter. That’s just the baseline. Phishing tests should run more frequently, at least once a month.
  3. Avoid using the same templates or similar schedules to phish your employees. Don’t make your program predictable.
  4. Avoid starting out with templates that are extremely difficult. Start with the easier ones and scale up as you go. Let employees savor the sweetness of success; this will help secure buy-in and acceptance of your program.
  5. Make the program engaging and interactive; never force the program onto users. Leverage the connection and influence managers and leaders have on their team members.
  6. Report positive results and success of the program to employees and key stakeholders.


Not having good tools, processes or procedures that help empower employees can be detrimental to your security program. Historically, cybersecurity was perceived as a technology problem, not a human one. That perception should evolve from human-as-a-problem to human-as-a-solution.