In most companies, a small percentage of employees repeatedly fail phishing simulations. These “repeat responders” should be addressed through frequent phishing exercises to build muscle memory in identifying a phish.
The cybersecurity team should work to identify what other resources are needed to reduce the tendency for repeat responders, i.e., identify process or technology updates that will change the way a repeat responder operates.
Positive reinforcement, including rewards and public recognition for those who report phishing attempts, can be effective in motivating others in the company to get with the program.
Finally, shifting training to include gamification and specific stories about phishing consequences can make all employees more cyber aware.
This piece explains the underlying issues behind repeat responders to phishing simulations and recommends steps to address them.
The Pareto Principle, or 80/20 rule, states that 80% of consequences (or phishing failures) come from 20% of causes (or users). A recent study of 6,000 users showed that 6% of the tested users were responsible for more than 29% of phishing failures, with most of those users failing more than four phishing attempts over the course of 18 months. However, there are several ways to address such “repeat responders” (which is the recommended, more positive term for “repeat offenders”).
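The concentration described above (a small share of users producing a large share of failures) is a metric leadership will ask for. The following is an added example, not code from IANS or the study cited, that computes it over constructed simulation results; the user names, campaign dates, 18-month window and the "five or more failures" threshold (the page's "more than four") are assumptions for illustration.

```python
"""Identify repeat responders in phishing-simulation results and measure
how concentrated failures are among them (the 80/20 pattern)."""
from collections import Counter
from datetime import date

# Constructed sample data, not real results. One campaign per quarter;
# each user's string has one mark per campaign: 'x' = failed, '.' = passed.
CAMPAIGNS = [date(2022, 1, 10), date(2022, 4, 11), date(2022, 7, 12),
             date(2022, 10, 10), date(2023, 1, 9), date(2023, 4, 10),
             date(2023, 7, 10)]
RESPONSES = {
    "u01": "xxxxx.x", "u02": "x.x...x", "u03": ".......", "u04": ".x...x.",
    "u05": "x......", "u06": ".......", "u07": "..x....", "u08": ".......",
    "u09": ".......", "u10": ".....xx",
}
# 18-month reporting window (assumed); the July 2023 campaign falls outside it.
WINDOW = (date(2022, 1, 1), date(2023, 6, 30))


def failures_by_user(responses, campaigns, start, end):
    """Count failures per user for campaigns dated within [start, end]."""
    counts = Counter()
    for user, marks in responses.items():
        for day, mark in zip(campaigns, marks):
            if start <= day <= end and mark == "x":
                counts[user] += 1
    return counts


def repeat_responders(counts, min_failures=5):
    """Users at or above the failure threshold, sorted for stable reporting."""
    return sorted(u for u, n in counts.items() if n >= min_failures)


def failure_concentration(counts, users, population):
    """Return (share of tested users, share of all failures) for `users`.
    `population` is the number of users tested, not just those who failed."""
    total = sum(counts.values())
    theirs = sum(counts[u] for u in users)
    return len(users) / population, (theirs / total if total else 0.0)


def report(responses=RESPONSES, campaigns=CAMPAIGNS, window=WINDOW, min_failures=5):
    counts = failures_by_user(responses, campaigns, *window)
    repeaters = repeat_responders(counts, min_failures)
    user_share, failure_share = failure_concentration(counts, repeaters, len(responses))
    return {"total_failures": sum(counts.values()), "repeat_responders": repeaters,
            "user_share": user_share, "failure_share": failure_share}


if __name__ == "__main__":
    r = report()
    print(f"{r['user_share']:.0%} of users caused {r['failure_share']:.0%} "
          f"of {r['total_failures']} failures: {r['repeat_responders']}")
```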
Phishing is an important tool in a company’s cybersecurity program. Inevitably, leadership is going to ask for the results of the phishing campaign, along with questions about repeat responders and what the team is doing to address them. To ensure as few users as possible end up repeatedly failing phishing simulations:
Unfortunately, there are times when our best efforts to train employees are not enough. While repeat responders may constitute a very small percentage of employees, they put the whole company at risk, and we cannot ignore this fact. If all else fails and repeat responders continue to fail phishing simulations, consider:
As a last resort, consider demotion or termination. However, be sure to work with your human resources (HR) and legal teams to ensure policies are consistently applied across the organization when it comes to all remedial (and rewarding!) actions.
Ultimately, the cybersecurity team is not HR. Our job is to provide recommendations for actions that should be taken based on risk to the company.
The way we work and learn evolves over time, and our training and awareness programs need to evolve as well. To improve your phishing training and reduce the number of repeat responders:
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.
September 21, 2023
By IANS Faculty