Employee phishing tests have gained popularity as a way for organisations to gauge how vulnerable their employees are to phishing attacks and improve their awareness of cybersecurity.

However, some have questioned whether it is appropriate to use fear, shame and betrayal as methods when employees fail these simulated phishing tests. Some argue that employing a positive reinforcement approach may lead to more effective outcomes.

Anna Collard, senior vice-president: content strategy and evangelist at cybersecurity training organisation KnowBe4 Africa, had believed that she was immune to being fooled by a phishing test, until it actually happened. She clicked on an email because she was distracted and it looked completely legitimate.

“I was in an Uber, checking my emails as I chatted to the driver,” recalls Collard. She saw an email supposedly from Uber asking her to update her account details. “It was an incredible coincidence that I was in an Uber at the time, so without hesitating, I clicked on it.”

Ultimately, she had to undergo the very cybersecurity training program she had designed.

Why do employees click on phishing emails?

According to a recent study, at least 14% of employees regularly click on phishing emails. Collard’s experience shows that it is often overwhelmed or distracted employees, rather than simply untrained ones, who fall for phishing attacks.

Another study conducted in the UK and US in 2020 revealed that 45% of employees click on phishing emails because of distractions. Employees may also fall for phishing emails if they appear to be from a senior figure in the company or a reputable brand.

“Phish testing is critical because the threat of a data breach for companies is very real,” Collard says. “It allows organisations to see how their employees respond when exposed to realistic yet fake phishing emails.”

Organisations also use phishing simulations to evaluate the effectiveness of their training programs. “If you want to change human behaviour, you cannot rely on training alone. That is where phish testing plays a crucial role.”

Avoid the shame game

The approach that organisations take in conducting phishing tests is equally important. “The goal should never be to shame or instil fear in individuals who fail the test, as this can have negative consequences,” says Collard.

Some organisations have resorted to distributing plastic chickens as a sort of punishment for those who fall for phishing tests, while others have even threatened to fire employees for repeated failures.

“It is important for employees not to feel hurt or betrayed by their employers. From the beginning, companies should establish clear communication with their staff, explaining that phishing tests are an integral part of their overall cybersecurity training,” she explains.

Using insensitive tactics in phishing tests can damage the trust between the organisation and its employees. Research suggests that instead of perceiving cybersecurity as a protective measure, users may then view phishing simulations as harmful.

Collard suggests that organisations should prioritise both cybersecurity and the well-being of their employees by finding a balance between the two.

Creating a positive security culture

One way to do this is to favour the carrot over the stick.

“Instead of just punishing those who fail phishing tests, employers should be more empathetic,” suggests Collard. “Are their staff feeling stressed and overworked? Are they going through financial difficulty? Knowing this will help organisations understand what’s driving employees’ risky online behaviour.”

Gamification and celebrating success are also powerful tools to foster a positive security culture at work. “You could have a cyber hero of the month for the employee who reported an email which prevented an attack,” she suggests. “Or you could have a competition for the team that reports the most phishing tests.”

When done right, phishing simulation should educate employees, rather than humiliate them. “Phishing tests should enhance their ability to detect fake and potentially threatening emails and report them straight away to their IT department,” Collard concludes. “The goal should be positive reinforcement and the reward should be intrinsic: congratulating those who’ve done a good job.”

A recent KnowBe4 study of more than 32 million users showed conclusively that the more frequently groups ran phishing tests (for example weekly), the better users performed at spotting the simulated phishing emails. Groups that did both training and simulated phishing performed best.