In most companies, a small percentage of employees repeatedly fail phishing simulations. These “repeat responders” should be addressed through frequent phishing exercises to build muscle memory in identifying a phish.
The cybersecurity team should work to identify what other resources are needed to reduce the tendency for repeat responders, i.e., identify process or technology updates that will change the way a repeat responder operates.
Positive reinforcement, including rewards and public recognition for those who report phishing attempts, can be effective in motivating others in the company to get with the program.
Finally, shifting training to include gamification and specific stories about phishing consequences can make all employees more cyber aware.
This piece explains the underlying issues behind repeat responders to phishing simulations and recommends steps to address them.
The Pareto Principle, or 80/20 rule, states that 80% of consequences (or phishing failures) come from 20% of causes (or users). A recent study of 6,000 users showed that 6% of the tested users were responsible for more than 29% of phishing failures, with most of those users failing more than four phishing attempts over the course of 18 months. However, there are several ways to address such “repeat responders” (which is the recommended, more positive term for “repeat offenders”).
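As an added illustration (not part of the original IANS post), the following Python computes the figures this paragraph talks about from a phishing-simulation export: per-user failure counts, the list of repeat responders, and how concentrated failures are among the worst-performing slice of users. The campaign and user IDs, the records, and the three-failure threshold are constructed assumptions, not data from the study cited above.

```python
from collections import Counter
from math import ceil

# Constructed sample data (not real results): six campaigns sent to ten users.
CAMPAIGNS = ["c1", "c2", "c3", "c4", "c5", "c6"]
USERS = [f"u{i:02d}" for i in range(1, 11)]
# Which campaigns each user responded to. Users absent here never failed.
FAILED = {
    "u01": {"c1", "c2", "c3", "c4", "c5"},
    "u02": {"c1", "c2", "c3", "c4"},
    "u03": {"c2"},
    "u04": {"c5"},
    "u05": {"c6"},
}
# One record per (campaign, user): True means the user responded to the phish.
# An export from a simulation platform would carry the same three fields.
SAMPLE_RESULTS = [(c, u, c in FAILED.get(u, set())) for c in CAMPAIGNS for u in USERS]


def failures_per_user(results):
    """Count failures for every tested user, including those with zero failures."""
    counts = Counter({u: 0 for _, u, _ in results})
    for _, user, failed in results:
        if failed:
            counts[user] += 1
    return dict(counts)


def repeat_responders(results, min_failures=3):
    """Users whose failure count meets the (assumed) threshold, worst first."""
    counts = failures_per_user(results)
    hits = [u for u, n in counts.items() if n >= min_failures]
    return sorted(hits, key=lambda u: (-counts[u], u))


def failure_concentration(results, top_fraction=0.2):
    """Share of all failures attributable to the top `top_fraction` of users.

    Returns (share, number_of_top_users); share is 0.0 when nobody failed.
    """
    counts = failures_per_user(results)
    total = sum(counts.values())
    if total == 0:
        return 0.0, 0
    top_n = max(1, ceil(len(counts) * top_fraction))
    top = sorted(counts.values(), reverse=True)[:top_n]
    return sum(top) / total, top_n


def campaign_failure_rate(results, campaign):
    """Fraction of recipients who failed one campaign (None if it had no recipients)."""
    rows = [failed for c, _, failed in results if c == campaign]
    return sum(rows) / len(rows) if rows else None


if __name__ == "__main__":
    share, n = failure_concentration(SAMPLE_RESULTS)
    print("repeat responders (>=3 failures):", repeat_responders(SAMPLE_RESULTS))
    print(f"top {n} users account for {share:.0%} of all failures")
    for c in CAMPAIGNS:
        print(c, f"{campaign_failure_rate(SAMPLE_RESULTS, c):.0%}")
```

With the constructed data, two of ten users (20%) account for 75% of failures, which is the kind of concentration figure that makes the case to leadership for targeting repeat responders rather than only reporting an organisation-wide click rate.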
Phishing is an important tool in a company’s cybersecurity program. Inevitably, leadership is going to ask for the results of the phishing campaign, along with questions about repeat responders and what the team is doing to address them. To ensure as few users as possible end up repeatedly failing phishing simulations:
Unfortunately, there are times when our best efforts to train employees are not enough. While repeat responders may constitute a very small percentage of employees, they put the whole company at risk, and we cannot ignore this fact. If all else fails and repeat responders continue to fail phishing simulations, consider:
As a last resort, consider demotion or termination. However, be sure to work with your human resources (HR) and legal teams to ensure policies are consistently applied across the organization when it comes to all remedial (and rewarding!) actions.
Ultimately, the cybersecurity team is not HR. Our job is to provide recommendations for actions that should be taken based on risk to the company.
The way we work and learn evolves over time, and our training and awareness programs need to evolve as well. To improve your phishing training and reduce the number of repeat responders:
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.
December 6, 2022
By IANS Research