Forcing employees to take security training after they fail a phishing test actually makes them more likely to get hacked later.
We usually assume that 'teachable moments' help people learn from their mistakes. However, in a consequence-free environment, this training can actually 'embolden' employees, making them feel overconfident and more willing to gamble on suspicious emails because they've been desensitized to the risk.
Research Note: Breaking Bad Email Habits: Bounding the Impact of Simulated Phishing Campaigns
SSRN · 6343920
Simulated phishing campaigns are among the most widely deployed tools for reducing organizational cyber risk. Yet the behavioral data these campaigns produce have an underappreciated structural feature and a resulting complication: because training is triggered by clicking, the very employees who receive intervention are those

Teachable-moment design features also matter: emotion or heuristic framing and explicit reporting pitch can largely eliminate persistence, while annotated-email cues modes