When Good Security Awareness Programs Go Wrong

A company once sent an email to all of its employees (about 500 of them), telling them about a holiday bonus of $650. When prompted to click on a link and fill out a form with their personal details to claim the bonus, the employees were surprised to be informed that the email was part of a phishing simulation, and by filling out the form, they had failed the test. Instead of receiving a bonus, employees were required to take mandatory security awareness training.

This is an example of how not to train people.

"That's significant money for a lot of folks," says Jason Hoenich, an awareness expert and also vice president of strategy at Arctic Wolf. "Just straight up heartless. It's hard to recover from the damage that causes."

At issue here is trust, Hoenich says. When you lose that among your employees, any hope of changing behaviors — the primary objective of awareness training — is lost. Well-intentioned training programs that lean on bad tactics can deliver all kinds of poor outcomes.

The security team needs to foster a safe environment where people can freely approach them if they spot something fishy or think they've made a mistake, says Gabriel Friedlander, founder of Wizer, which provides awareness training. "This situation was pretty much the opposite."

'Check-the Box' Training

The compliance-driven approach that many organizations adopt when crafting an awareness training program is a mistaken one, says Julie Rinehart, who runs security awareness programs at Biogen. Many programs start as mere checkboxes that rely on annual click-through computer-based training and phishing simulations — and not much more, she says.

"Maintaining that generic view for a security awareness program is a major missed opportunity and will not result in long-term behavior changes or engagement," Rinehart says. "I like to think of security awareness as more of a marketing campaign, selling a product that people are too busy to buy into but must consume."

For Rinehart, that means a strategic approach that includes audience analysis. Understanding the target audience's knowledge, behaviors, and motivations is essential for designing effective security awareness programs, she says. Reinhart relies on audience analysis as a first step to segment training for targeted awareness. Her analysis includes the current level of knowledge (to avoid overcommunication), actual observed behavior (versus assumptions), and what motivates the end user, among other factors.

"This step can easily be overlooked in very reactive cybersecurity organizations but will enable the program to be extremely strategic," Reinhart says.

According to Wizer's Friedlander, a compliance-focused mindset means organizations are looking at employees as just something else to secure. This perception leads to unrealistic expectations and can pressure organizations into focusing solely on completion rates rather than achieving meaningful changes in behavior.

"Security awareness is often pushed mainly because compliance demands a 100% completion rate," he says. "But when that's the only goal, it turns into a game of sending reminders, talking to managers, and practically dragging employees to finish the training. We end up missing the important conversation about changing behaviors."

Phishing Simulation Pitfalls

Phishing simulations are a common component of security awareness programs, but they can easily backfire if not executed properly. In addition to the example of the fake bonus, Arctic Wolf's Hoenich warns against any simulations that lack empathy and focus on tricking employees, rather than educating them. Such simulations erode trust between employees and security teams and hinder the program's objectives.

"Phishing simulations that focus on 'gotcha' moments rather than education can create a culture of distrust and anxiety," he says. "Employees become wary of the security team and may be less likely to report incidents or engage with future training initiatives."

Biogen's Rinehart knows how this can happen and says her first experience with implementing phishing simulations early in her awareness career initially led to employees feeling targeted and defensive.

"People reached out to us directly or to their management teams, explaining they felt as if they were being 'targeted' and, as a result, were not receptive to learning and avoided engaging with our cybersecurity team as a whole," she says.

Recognizing the need to shift the focus from punishment to empowerment, Rinehart reframed the simulations as opportunities for personal assessment and understanding the importance of reporting suspicious emails. This shift in approach resulted in lower click rates, increased report rates, and improved colleague engagement.

Lacking Flexibility and Adaptability

Tonia Dudley, a security industry veteran who has served as a CISO and worked with many awareness programs, stresses the importance of flexibility in security awareness programs. She advises against planning a full year's worth of topics and training all at once in an evolving threat environment.

"There isn't a quick fix, and the threat landscape continues to shift," she says. "That means programs need to be nimble."

Friedlander echoes this sentiment, adding that changes in behavior take time. He suggests shifting the focus from endpoint protection to cultivating a security culture where employees promptly report unusual activities or mistakes. This change in mindset requires adapting training content to align with the evolving needs and threats specific to the organization.

"Security awareness isn't just about avoiding a bad click," he says. "The real goal of a security awareness program is to create a security culture where employees promptly report anything unusual or admit when they've made a mistake. Early detection by employees is a big deal — a sign that the security program is working."