
The High-Risk of Repeated Phishing Test Failures

August 14, 2023  | By: Stephen Boals

Remediation and Coaching Strategies

Phishing remains one of the most effective cyberattack vectors, primarily because it exploits human psychology rather than purely technical vulnerabilities. Despite best efforts, some individuals consistently fall for the lures in simulated phishing tests, and that presents a significant risk to their organizations. Here is a closer look at why repeated phishing test failures are a high-risk concern for CISOs, and how organizations can and should address the issue.

Understanding the Risk

Most organizations treat phishing test results, and human behavior generally, as unpredictable, and with the wrong approach they are. For many of you, periodic phishing simulations are the only available measure of human risk and readiness. Plotted on a chart, the results of those simulations typically look like an EKG: up, down, up, down, usually bouncing between 5% and 15% failure rates. Plotted over a longer period, they trend toward and average out at unacceptable failure rates (10% and above).

Phishing Failure “EKG” – Indicator of High Human Cyber Risk

In the age of artificial intelligence, when convincing lures can be generated at scale, organizations that have an unpredictable phishing "EKG" and a population of serial clickers, which we call "clicksters," are in an extremely risky position. How do you handle people who just can't resist the impulse to click? Most do the obvious thing and deliver the same ineffective, content-focused training over and over, hoping it will fix the problem. It doesn't.

Addressing the Risk: Remediation and Coaching

Given these concerns, it’s essential for organizations to create a comprehensive plan to help these high-risk employees. Here are steps an organization can take:

  • User remediation training focused on changing behavior. For a sizeable portion of the user base, repeating the same training is useless and a waste of time. A different, personality- and behavior-based approach is required: adaptive training matched to each individual's risk style.
  • Detailed analysis and selective controls. Begin with an analysis of simulation results to determine whether certain departments, job roles, or individual employees are more prone to fail phishing tests. This data shows whether there is a broader training issue or whether effort should be focused on specific individuals or teams, and it lets you apply tighter controls (such as stricter mail filtering or reduced access to sensitive systems) only where the measured risk justifies them.
  • Give managers the ability to coach. In many organizations, the cyber security team is asked to handle counseling sessions for serial clickers. This is typically ineffective: the team is already overtasked and understaffed, and its members are not trained in coaching techniques. Counseling sessions should be conducted by the employee's direct manager, with HR involved after several failures.
  • Exit strategy. As a last resort, if an individual continues to pose a significant risk despite repeated training and intervention, it may be time to reconsider their role or their access to sensitive systems and data. Coaching them into a different role, or in extreme cases out of the organization, can be a necessary step to protect the company's assets.
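The "EKG" chart above and the analysis step in the list are both just arithmetic over simulation results: click rate per campaign, click rate per department, and the handful of users who click in campaign after campaign. The script below is an added example written for this article; it is not cyberconIQ's platform code, and the roster, campaign dates and click records in it are constructed so that it runs offline. It computes the per-campaign rates, the peak-to-trough swing that makes the chart look like an EKG, the rate by department, the repeat clickers above a chosen threshold, and how much of the overall failure rate those few users account for.

```python
"""Phishing-simulation result analysis: campaign-over-campaign failure rates
(the "EKG"), failure rate by department, and repeat clickers.

All data below is constructed for the example; it is not real simulation output."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Result:
    campaign: str     # simulation campaign, e.g. "2023-01" (one per month)
    user: str
    department: str
    clicked: bool     # True if the user clicked the simulated lure


# Constructed roster: 20 users across two departments (hypothetical names).
USERS = {f"fin{i:02d}": "finance" for i in range(1, 11)}
USERS.update({f"eng{i:02d}": "engineering" for i in range(1, 11)})

CAMPAIGNS = ["2023-01", "2023-02", "2023-03", "2023-04", "2023-05", "2023-06"]

# Constructed click records per campaign (who fell for the lure).
CLICKS = {
    "2023-01": {"fin01", "fin02"},
    "2023-02": {"fin01"},
    "2023-03": {"fin01", "fin02", "eng01"},
    "2023-04": {"fin01"},
    "2023-05": {"fin01", "fin02", "fin03"},
    "2023-06": {"fin01", "eng02"},
}


def build_sample():
    """Expand the roster and click sets into one Result per user per campaign."""
    return [Result(c, u, d, u in CLICKS[c]) for c in CAMPAIGNS for u, d in USERS.items()]


def campaign_failure_rates(results):
    """Click rate per campaign, in campaign order; plotted, this is the 'EKG'."""
    sent, clicked = Counter(), Counter()
    for r in results:
        sent[r.campaign] += 1
        clicked[r.campaign] += int(r.clicked)
    return {c: clicked[c] / sent[c] for c in sorted(sent)}


def overall_failure_rate(results):
    """Clicks divided by lures sent across every campaign."""
    return sum(r.clicked for r in results) / len(results)


def ekg_swing(rates):
    """Peak-to-trough spread of the per-campaign rates; a large swing means
    the programme's results are not predictable."""
    return max(rates.values()) - min(rates.values())


def failure_rate_by(results, attr):
    """Click rate grouped by a Result attribute, e.g. 'department'."""
    sent, clicked = Counter(), Counter()
    for r in results:
        key = getattr(r, attr)
        sent[key] += 1
        clicked[key] += int(r.clicked)
    return {k: clicked[k] / sent[k] for k in sent}


def repeat_clickers(results, min_clicks=3):
    """Users who clicked in at least min_clicks campaigns, most frequent first."""
    counts = Counter(r.user for r in results if r.clicked)
    return {u: n for u, n in counts.most_common() if n >= min_clicks}


def share_of_clicks(results, users):
    """Fraction of all clicks attributable to the given users: shows how much of
    the organisation-wide rate a handful of repeat clickers account for."""
    total = sum(r.clicked for r in results)
    theirs = sum(r.clicked for r in results if r.user in users)
    return theirs / total if total else 0.0


if __name__ == "__main__":
    data = build_sample()
    rates = campaign_failure_rates(data)
    for campaign, rate in rates.items():
        print(f"{campaign}: {rate:5.1%}")
    print(f"average {overall_failure_rate(data):.1%}, swing {ekg_swing(rates):.1%}")
    print("by department:", {k: f"{v:.1%}" for k, v in failure_rate_by(data, "department").items()})
    clicksters = repeat_clickers(data)
    print("repeat clickers:", clicksters)
    print(f"their share of all clicks: {share_of_clicks(data, clicksters):.0%}")
```

On the constructed data the campaign rates bounce between 5% and 15% and average 10%, the finance department fails five times as often as engineering, and two users account for three quarters of all clicks. That last number is the point of the analysis: the organization-wide "EKG" is largely the signature of a few clicksters, so remediation and any selective controls can be targeted at them rather than at the whole user base. With real data, replace the constructed roster and click sets with an export from your simulation tool and keep the same functions.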

Creating Predictable Outcomes

Creating repeatable and predictable outcomes seems like a pipe dream for most companies, but it is achievable with the right tools. Our patented process combines our platform with internal tools to apply behavioral science as the mechanism for changing behavior, educating users and measuring risk levels at the same time. Human risk then becomes manageable, follows a predictable path, and can be reduced to the lowest possible levels as users become part of the solution rather than part of the problem.

Smooth & Predictable = Lowered Human Risk

The human element will always be a wild card in the realm of cybersecurity. While technology evolves rapidly, human behavior can be slower to change. By understanding the risks associated with repeated phishing test failures and implementing a comprehensive remediation plan, organizations can mitigate these risks and foster a more cyber-aware culture.

Our patented approach to cyber awareness is changing the Security Awareness Training market, empowering individuals and organizations to proactively address emerging threats. Discover how our innovative training programs can help you build a strong defense and embrace a secure and resilient AI-powered future. If you would like to learn more about what we do, feel free to contact us today.