Phishing Simulations and Culture

My good friend Joel wrote a widely shared post on why phishing simulations don’t work. This itself follows on from excellent discussions with our good friend Emma on how phishing cannot be overcome by willpower.

But one area I think has been missing from the discussion so far is what phishing simulations mean for your business culture.

Businesses these days strive for inclusivity and diversity. When done well, this increases innovation and improves your business’s ability to adapt. But improving diversity in a business doesn’t happen in isolation. It’s supported by providing employees with psychological safety, the ability to identify exclusionary thinking, and tools to report and respond to it.

This culture is important to Cyber Security too. We must create a culture where people feel safe to report suspicious activity, even (or especially) in cases of uncertainty.

I wanted to contrast this with the way phishing simulations are often managed, and give a sense of the effects on employees, focusing on those subjected to them.

Phishing simulations, first off, create a culture of fear around people accessing their e-mail. This expresses itself as stress. I think this is particularly acute where your role requires you to have access to more systems. This stress does not help with the feeling of psychological safety within a business.

Also, a phishing simulation is most effective when someone slips up and clicks on a link in an e-mail. Joel and Emma have discussed the reasons for this, but what happens after this is also important.

Typically the user will be directed to a page advising them of their mistake, and possibly offered some advice. That’s the best-case scenario.

I know in some businesses the follow-on is getting a talking-to from a manager, or being sent on mandatory training. Perhaps different people or teams within the business are ranked against each other in the hope that this will cause them to perform better.

Really, this pits one group of people against another, creating a sense of ‘otherness’ and adding to stress and a lack of inclusivity.

This is additional stress. Stress makes people more liable to make mistakes. The stress of an exam does not make you better able to do well at the exam. Except the exam is happening every time you open your inbox.

Think I’m exaggerating? Let’s take email out of this entirely. This is the equivalent of working in a post room. You get post in. You put it in the right pigeon-holes, and you deliver it to the people who need it. Your line manager decides to put in some dummy post to check how effective you’re being. They check whether the dummy post is delivered to the right place, and in a way the manager is happy with.

I hope no one has experienced this, but it’s disrespectful and distrustful. I would call this micro-managing.

I know from my own experience of phishing simulations that it’s like working with the chance of an axe jumping out at you at any time.

We should be looking at ways of reducing that stress and increasing trust: allowing people to come forward with concerns about their e-mail, rather than having a distrustful relationship with their Cyber Security team, which should be helping them.

Let’s allow people to make mistakes, and give them the clarity of thought to identify the mistake and learn from it, rather than telling them off for doing something wrong.