How to Deal with Individuals Who Repeatedly Fail Phishing Simulations

In most companies, a small percentage of employees repeatedly fail phishing simulations. These “repeat responders” should be addressed through frequent phishing exercises to build muscle memory in identifying a phish. 

The cybersecurity team should work to identify what other resources are needed to reduce the tendency for repeat responders, i.e., identify process or technology updates that will change the way a repeat responder operates. 

Positive reinforcement, including rewards and public recognition for those who report phishing attempts, can be effective in motivating others in the company to get with the program. Finally, shifting training to include gamification and specific stories about phishing consequences can make all employees more cyber aware. 

This piece explains the underlying issues behind repeat responders to phishing simulations and recommends steps to address them. 

Phishing Simulation Failures 

The Pareto Principle, or 80/20 rule, states that 80% of consequences (or phishing failures) come from 20% of causes (or users). A recent study of 6,000 users showed that 6% of the tested users were responsible for more than 29% of phishing failures, with most of those users failing more than four phishing attempts over the course of 18 months. However, there are several ways to address such “repeat responders” (which is the recommended, more positive term for “repeat offenders”). 

7 Ways to Reduce Phishing Simulation Failures 

Phishing is an important tool in a company’s cybersecurity program. Inevitably, leadership is going to ask for the results of the phishing campaign, along with questions about repeat responders and what the team is doing to address them. To ensure as few users as possible end up repeatedly failing phishing simulations: 

• Adopt a “four strikes” metric: Some research shows that classifying an employee as a repeat responder before completing four phishing campaigns may be too early. Consider not classifying an employee as a repeat responder unless they fail four phishing simulations in a short span of time. This is not intended to hide or falsify the data, but rather a way to allow a gradual escalation of training and awareness before a negative label is applied. 
• Provide the right context: Your company should define and document its phishing program goals, targeted metrics and remediation plans prior to launching a set of campaigns. Consider that a series of phishing events over a short time may be one way to provide training and address repeat responders. A landing page providing insight and cues for why an email is a phish (e.g., look for misspellings, generic greetings, etc.) can be a wonderful way to train users. However, it is also important to provide “play it forward” consequences that explain the potential impact if a user falls for a phish and provides login information or clicks on a link to download something. Using real-world examples of attacks that have been successful via phishing is a wonderful way to highlight such consequences. Consider an escalation of information and details, rather than formal training as a way to address repeat responders. 
• Identify and address the root cause: This is an opportunity for cybersecurity teams to learn about the work processes and habits of the user base. Are your repeat responders in a certain department or team? Are they using similar tools or performing similar work? This is not an attempt to profile the repeat responder, but rather to identify opportunities for training, processes and technology/tooling that can be provided to reduce the risk of a successful real phish. Taking time to understand work objectives, workflows and daily activities can be a heavy lift, but the positive impacts will likely last well beyond the four- to six-month timeframe of phishing training effectiveness. For example, your recruiting team is receiving dozens, hundreds or maybe even thousands of resumes a week, and candidates are doing their best to differentiate themselves and may include links to a project or website. Putting the recruiting team on a separate virtual LAN to isolate the impact of a malicious link may help keep recruiting productive, while protecting the company. 
• Consider positive reinforcement: Proofpoint reports 82% of U.S. organizations use a consequence model, meaning there are punishments for users who repeatedly fall for real or simulated phishing attacks. However, collectively, we still see successful attacks via phishing, so it is clear we need to adjust our approach. In most cases, phishing training is provided once or twice a year, with many employees muting the video or mindlessly skipping through slides. When a phish is sent, those who fail get immediate feedback they have done something wrong, while users who report the phish rarely get feedback. A vast majority of people are motivated by social norms or even social pressure. Studies show a person is much more likely to buy a product or change behavior if their peers or friends also buy the product or behave a certain way. If users are told they are failing phishing simulations more than their peers, they are likely to be motivated to change. This can be conveyed in a positive way by reporting the percentage of people who report a phish—and it can motivate others to do the same! 
• Try gamification: Depending on your company’s culture, gamification or competition can be a very positive motivation for employees. This has worked in other areas such as safety by posting signs for “number of days since last accident.” Similarly, a countdown of “number of days since last successful malware infection” can be very motivating for everyone. Other positive approaches can include rewarding the department or team with the highest number of reported phishes in the campaign. This encourages everyone to not only watch for a phish, but to actually report it. Providing immediate congratulations and positive feedback is a wonderful way to encourage employees to be diligent. Sometimes visible rewards as simple as a sticker for reporting a phish can be motivational. 
• Offer group-based training: Group training using an online escape room or a tabletop exercise focused on phishing can be another very fun way to team build and raise awareness. For example, a tabletop exercise can walk the team through a phishing attack, from receipt of the phish through the impacts, response and recovery. This is an excellent way to spend an hour or two providing training on: 
  • How to spot a phish 
  • How to report a phish 
  • Actions that should be taken upon clicking or providing information 
  • Consequences of a successful phish 
  • How the cybersecurity team and company will respond and recover 
• Customize training to your organization: If your company has the resources available to do this, it is also a great idea to provide information and examples targeted to departments or teams in between phishing campaigns. Post short news clips or stories about phishing attacks within your industry or within a certain discipline (like finance or recruiting) as a way to bring attention to the real impacts phishing can have on a company. Tell the story of how a phishing email to a finance team led to a ransomware event that closed a company for weeks. Discuss the company that had a massive malware infection after a recruiter clicked on a link in a resume. Specific stories are much more impactful than once-a-year generic training.

Addressing Repeat Phishing Simulation Failures 

Unfortunately, there are times when our best efforts to train employees are not enough. While repeat responders may constitute a very small percentage of employees, they put the whole company at risk, and we cannot ignore this fact. If all else fails and repeat responders continue to fail phishing simulations, consider: 

• Reducing their privileges so an account compromise will not provide access to critical company data or systems. 
• Isolating their access, reducing the ability to download or click on links. 

As a last resort, consider demotion or termination. However, be sure to work with your human resources (HR) and legal teams to ensure policies are consistently applied across the organization when it comes to all remedial (and rewarding!) actions. 

Ultimately, the cybersecurity team is not HR. Our job is to provide recommendations for actions that should be taken based on risk to the company. 

READ:  How to Track Phishing Resilience Using a Metrics Matrix 

How to Improve a Phishing Training Program 

The way we work and learn evolves over time, and our training and awareness programs need to evolve as well. To improve your phishing training and reduce the number of repeat responders: 

• Understand that repeat responders may be getting labeled too early. Research shows very few people fail a fourth phishing simulation if simple training is provided showing how to identify a phish. 
• Take time to understand why users become repeat responders. Identify opportunities to adjust policy and technology to reduce their tendency to click or provide information in a phish. 
• Identify ways to provide positive reinforcement through gamification or public recognition. This will encourage others to want to be a part of the group that takes the training to heart, avoids clicking on suspicious links and actually reports suspected phishing attempts (which is the goal). 

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.