5 tips for building a positive anti-phishing behavior management program

By Stu Sjouwerman
February 17, 2022

Phishing, probably one of the oldest tricks in the cybercrime book, is still very much in play. Despite years of awareness efforts by organizations and governments, the federal security agency attributes 90% of all cyberattacks to phishing. This is because phishing exploits the human element (negligence and deception), which cannot be programmed, predicted, or foiled by technology alone.

But not all is doom and gloom. Empirical evidence suggests that employees who receive security awareness training are far better at recognizing security threats than those who haven't received any form of structured training.

But building an effective behavior awareness program doesn’t mean simply exposing employees to cybersecurity-related material or information. Instead, organizations must invest in building muscle memory and a healthy form of skepticism through intentional, methodical real-world simulations, in which employees are frequently exposed to security situations and can train their security reflexes by practicing secure behavior.

The five tips outlined below can help organizations create a positive anti-phishing behavior management program:

1) Give Your Program A Positive Tone: A positive tone from the top always helps change employees’ attitude toward, and acceptance of, the program. Conversely, if employees feel that the program is meant to trick them and make them fail, they will consider the security team an adversary. For training to be effective, people must want to learn, and this can only happen when the overall environment is healthy and transparent. Be extra careful not to heap shame on employees who fail a test. Focus on why these tests are important and what could’ve been done differently.

2) Make It Interactive and Engaging: Who says training can’t be fun? Gamification and innovative interactions can greatly boost enthusiasm and participation in training programs, as can engaging tutors or lessons, high-quality content and incentives.

3) Empower Employees: Training mustn’t be a checkbox activity carried out once a year. It must be brief, focused and run frequently. Simulations must feature the latest trends and tactics used by cybercriminals so that employees are up to date with the latest ploys used by fraudsters. Offer them tools to report phishing emails (such as a “Phish Alert” button or a “Report a Suspicious Email” button) that display a congratulatory message when they successfully detect a phishing attempt. Provide them with a hotline or easy access to the security team, and ensure their feedback is taken seriously. Many users are hesitant to report phishing activity because of a lack of transparency in the IT process and a lack of swift responses.

4) Train on Individual Competency: Each employee is unique and has a different level of security skill, awareness and competency. Some will never fall victim to phishing attacks, while others might be repeat offenders. Because employees have different levels of security maturity, it might be useful to train specific employee groups at the level of their competence. Just as one cannot expect a grade school student to have the same level of competence as a high school student, organizations cannot apply the same level of training across the board.

5) Phish Frequently: Frequent simulation tests let employees know that the business takes security (and their own privacy) seriously, and that training and simulations are standard practice and part of the organization's security culture. For anti-phishing behavior to be effective, employees must feel on guard for the next phish in their inbox so they can demonstrate their understanding of, and alignment with, the organization’s security goals.


Steer Clear of Common Phishing Program Mistakes

Here are common mistakes to avoid when crafting an anti-phishing behavior management program:

  1. Avoid singling out users, reprimanding employees and making a public example of them.
  2. Avoid sending a phishing campaign once a quarter. That’s just the baseline. Phishing tests should run more frequently, at least once a month.
  3. Avoid using the same templates or similar schedules to phish your employees. Don’t make your program predictable.
  4. Avoid starting out with templates that are extremely difficult. Start with the easier ones and scale up as you go. Let employees savor the sweetness of success; this will help secure buy-in and acceptance of your program.
  5. Make the program engaging and interactive; never force the program onto users. Leverage the connection and influence managers and leaders have on their team members.
  6. Report positive results and success of the program to employees and key stakeholders.


Lacking good tools, processes or procedures that empower employees can be detrimental to your security program. Historically, cybersecurity was perceived as a technology problem, not a human one. It should evolve from human-as-a-problem to human-as-a-solution.


Stu Sjouwerman is founder and CEO of KnowBe4, developer of security awareness training and simulated phishing platforms. He was co-founder of Sunbelt Software, the anti-malware software company acquired in 2010. He is the author of four books, including “Cyberheist: The Biggest Financial Threat Facing American Businesses.” He can be reached at ssjouwerman@knowbe4.com.
