Why the standard phishing test fails

‘UNFORTUNATELY, YOU HAVE FAILED’

Amsterdam, July 7 By Koen van Nistelrooij

“Unfortunately, this was a phishing test and you fell for it (sucker)!” is what the majority of employees see after clicking a phishing test link. The word “sucker,” of course, is not actually there, but that is how it often feels. Current phishing tests are blatantly missing the mark. But there is hope: there are ways to roll out a phishing test successfully.

WHY MOST PHISHING TESTS FAIL

Phishing tests are used to raise internal information security and privacy awareness, and occasionally as a so-called subjective measurement tool, but more on that in a future blog. However, many tests leave the participant with a sense of failure and shame. Too bad, because it’s counterproductive. Research by Eskreis-Winkler and Fishbach (2019) at the University of Chicago shows that failure undermines learning. Failure threatens the ego and, worse, it turns us off. We zone out, switch off, flee, do everything we can so that our self-image is not threatened. What could have been a great teaching moment is negated by a threatened ego.

BUT HOW TO DO IT?

According to Eskreis-Winkler and Fishbach (2019), you must ensure that ego concerns are muted. They also show that we learn much more easily from another person’s mistakes than from our own. So instead of “You clicked the link and you did it wrong,” we might as well say, “Oops, you entered login information on a fake website. Phishing! Many colleagues did the same thing you did. Fortunately, it was a drill.” With this subtle difference in wording, you remove the shame and failure. You convey that it is human to make mistakes, thereby creating space to learn how to do it right.

“Oops, you entered login information on a fake website. Phishing! Many colleagues did the same as you.”

MOST PHISHING TESTS MISS THE TEACHING MOMENT

Another major pitfall of the typical phishing test is the learning moment and the communication afterward. We see ongoing phishing tests communicating, “This was the phishing test and you failed it,” but then not doing very much with it. Sometimes the landing page contains customized learning material, but usually not. And to complete the campaign, an intranet message is posted announcing that it was a phishing test. And so it was. The tests that miss the mark completely still mention in passing how many colleagues, and which departments, clicked the most. Again, the approach is negative: the employee is left with a feeling of failure. We push the ego of the lowest-scoring teams down some more, and then are surprised next year that they still don’t know how to do it or where to turn, while there are lots of moments throughout the process where we can communicate with the employee and make it a positive learning experience.

A POSITIVE APPROACH

At Brooklyn Partners, we turned the whole process on its head and developed a positive approach. Through personalized communication, we focus on the learning moment rather than the failure. After all, you know quite a lot about your employee after deploying the test. Did they click and enter their information, yes or no? Did they report, yes or no? Based on that, you can respond to each situation and offer the participant the knowledge that is still missing. And yes, that requires a solid communication approach, but it also brings you a lot. Also, we do not report the percentage who clicked, but the percentage who reported. We highlight the desired behavior rather than the undesired behavior. Then, when internal competition arises about “what percentage of a department has done something,” it’s not about how many percent clicked, it’s about how many percent reported. What we ultimately want to communicate is not, “You can’t click on this,” but, “You might happen to click on it, but if you do, report it.” Because only when the ego is quiet – or stroked – are we open to a learning opportunity.
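The procedure described above (classify each participant by what the test observed, respond to each situation with its own message, and publish the reporting rate rather than the click rate), as an added Python example that is not Brooklyn Partners’ own tooling; the record fields, department names and message texts are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample results (not real data): one record per participant.
RESULTS = [
    {"user": "u1", "dept": "Finance", "clicked": True,  "entered": True,  "reported": False},
    {"user": "u2", "dept": "Finance", "clicked": True,  "entered": False, "reported": True},
    {"user": "u3", "dept": "Finance", "clicked": False, "entered": False, "reported": True},
    {"user": "u4", "dept": "Legal",   "clicked": False, "entered": False, "reported": False},
    {"user": "u5", "dept": "Legal",   "clicked": True,  "entered": True,  "reported": True},
]

# One message per situation. Each names the desired behaviour (report it) and
# normalises the mistake ("many colleagues did the same") instead of shaming.
MESSAGES = {
    "reported": "Well spotted, and thanks for reporting. That is exactly what protects the organisation.",
    "clicked-and-reported": ("Oops, you clicked a phishing link, as many colleagues did. "
                             "But you reported it, and that is what matters."),
    "entered-not-reported": ("Oops, you entered login information on a fake website. Phishing! "
                             "Many colleagues did the same. Fortunately, it was a drill. "
                             "Next time, report it via the phishing button."),
    "clicked-not-reported": ("You clicked a link in a phishing test, as many colleagues did. "
                             "Clicking can happen; reporting is what helps, so report it next time."),
    "no-action": "You did not interact with the test mail. Reporting it as well helps the security team.",
}

def classify(r):
    """Map one participant's observed behaviour to a follow-up situation.
    Reporting takes priority: it is the desired behaviour regardless of a click."""
    if r["reported"]:
        return "clicked-and-reported" if (r["clicked"] or r["entered"]) else "reported"
    if r["entered"]:
        return "entered-not-reported"
    if r["clicked"]:
        return "clicked-not-reported"
    return "no-action"

def follow_up(r):
    """Personalised learning message for one participant."""
    return MESSAGES[classify(r)]

def report_rate_by_dept(results):
    """Percentage who reported, per department: the figure to publish instead of the click rate."""
    total, reported = defaultdict(int), defaultdict(int)
    for r in results:
        total[r["dept"]] += 1
        reported[r["dept"]] += int(r["reported"])
    return {d: round(100 * reported[d] / total[d]) for d in total}
```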

Curious to learn more or want to apply this in your organization? Even if you just want to spar for some creative inspiration, call or email us through our contact form.
