Although phishing tests can help protect users, using questionable tactics has the potential to harm relationships between a company and its employees. The authors suggest that managers avoid this damage by running phishing tests according to three criteria: test teams, not individuals; don’t embarrass anyone; and gamify and reward.
Last December, the website hosting company GoDaddy.com sent 500 employees an email offering a $650 holiday bonus. Unfortunately, the bonus emails were not sent in appreciation for their record year, as the email indicated — it was a phishing test. Those who clicked the link were rewarded not with a bonus, but with additional cybersecurity training.
Maybe your workplace has used a similar test; we know that ours have. In 2020, one of the largest providers of phishing training, KnowBe4, reported that 17,000 organizations used its solutions to send 9.5 million phishing security test emails to over four million users.
Although phishing tests can help protect users, using questionable tactics — dangling perks or bonuses, for instance — has the potential to harm relationships between a company and its employees. In his recently published research, Dan Pienta, one of our team members at Baylor University, argued that users view cybersecurity staff as agents of protection, but sending phishing emails can flip users’ expectations from offering protection to causing harm. In a large-scale field experiment, we found evidence that phishing tests can indeed cause users to view cybersecurity staff as agents of harm, which, in turn, evokes feelings of betrayal by the organization.
Given that phishing tests routinely help cybersecurity professionals spot gaps in defenses and shore them up, how can organizations stop employees from regarding them as unfair, unethical, and unjust? Our research suggests savvy managers employ the following three principles that balance the need for cybersecurity with employee well-being.
Test teams, not individuals.
Phishing tests should be deployed in the same working style or environment in which employees regularly operate. For example, if an organization is team-focused, then the phishing test should also rely on teamwork to combat phishing. Cybersecurity professionals need to encourage employees to talk to their teammates about security issues. A group of researchers from the University of Oklahoma and the University of Virginia found that building relationships with users is much more important than building barriers. Their project, called the Human Firewall, focuses on building relationships with employees (what we call “bridging”) rather than controlling them.
Don’t embarrass anyone.
Cybersecurity professionals need to kill the culture of embarrassing employees who make mistakes. Outcomes of phishing tests, like the aforementioned GoDaddy example, can be punitive. For example, we know of one organization that gives a rubber chicken to people who get caught.
Rather than shame employees, security teams need to create a culture of information sharing. When security teams foster direct lines of communication with the employees they protect, they are likely to get a better street-level view of how countermeasures, such as phishing tests, affect company culture. Our organizational psychology colleagues would argue that, in general, the carrot tends to be more effective than the stick in a professional setting. Phishing tests should be used far more as opportunities to recognize who is doing a good job than as occasions to call individuals out.
Instead of awarding a rubber chicken for failing a phishing test, recognizing employees with a free coffee for correctly reporting the test to IT security and alerting their team can win buy-in for the importance of the task at hand. At the team level, celebrating and rewarding reduces mistakes and can create powerful cultural influences that extend vigilance, fending off security breaches for weeks at a time.
Gamify and reward.
Smart companies have turned to team-based competitions to create positive cybersecurity cultures. During Cybersecurity Awareness Month, Facebook rewards the teams that correctly identify the greatest number of phishing emails. Others have leveraged gamification principles to win support for phishing tests. Some companies publish a simple leaderboard that shows the teams that spot the most phishing messages during a set time period and reward them in kind for their performance.
It is important to provide feedback to help under-performing teams continue to see cybersecurity as an agent of protection. Cybersecurity personnel should coach under-performing teams to success in future rounds of the phishing game. Security should then measure the change in outcome at the team level and celebrate their progress. If a company really wants to improve the reaction of employees, then security should incorporate security performance, particularly improvements, as part of every team’s annual evaluation.
We mostly hear about phishing tests when something goes wrong or a firm employs dubious methods of deployment. Most firms do them the right way: treating them as opportunities to detect problems, to develop employees’ ability to identify malicious messages, and to understand how novel attacks affect information security. When done correctly, phishing tests are an important part of any cybersecurity program, but companies need to reconsider how to empower employees rather than disenfranchise them.