Traditional phishing tests, designed to assess employees' susceptibility to deceptive emails, have come under increasing scrutiny over their effectiveness and their potential unintended consequences. A comprehensive 15-month study by the University of Switzerland, involving over 14,000 participants, found that such tests might inadvertently increase employees' click rates rather than reduce them.
Echoing these concerns, Google's Matt Linton compared modern phishing tests to early 20th-century fire drills, which often caused more harm than good, in this blog post. He argued that these tests focus on individual performance, which can lead to negative outcomes without significantly improving overall security.
These findings suggest that traditional phishing tests may not only be ineffective but may also undermine organizational security efforts; many reports also describe damage to the goodwill and morale of the companies and individuals being tested. In response, solutions like CyberHoot's HootPhish offer a more constructive approach, emphasizing education and positive reinforcement to foster a security-conscious culture.
Let's take a closer look at the problems with traditional fake-email phishing tests and at the benefits of pivoting to a more positive, realistic, and educational approach that applies positive-reinforcement theory to phishing-test simulations.