
AFFECTED USERS: Every business of every size.
Hair on fire 3 out of 5
SUMMARY:
The discussion centered on the paradox of phishing training and its potential to inadvertently increase vulnerability among employees. David W. Schropfer introduced the topic by highlighting the reliance on simulated phishing exercises, which recent research suggests may not be as effective as previously thought. Craig Taylor, co-founder of CyberHoot, contributed insights from a study involving 20,000 participants, revealing only a 1.7% difference in phishing susceptibility between trained individuals and a control group. This led to a critique of traditional training methods, particularly their technical limitations, which fail to reflect real-world phishing tactics.
Craig emphasized the ineffectiveness of punitive measures in cybersecurity training, advocating instead for positive reinforcement strategies. He argued that gamification and rewards can foster better engagement and behavior change compared to negative reinforcement, which often leads to disengagement. David supported this perspective by drawing parallels to successful applications of gamification in other contexts, such as navigation apps. The conversation underscored the need for a shift in training methodologies to enhance employee understanding and proactive behavior regarding cybersecurity threats.
The speakers also discussed the ongoing challenges in cybersecurity, noting that despite years of training, breaches continue to occur frequently. Craig pointed out that cybercrime has become a significant global economy, raising concerns about the effectiveness of current training approaches. He shared anecdotal evidence suggesting that clients engaged in training experienced fewer major security breaches, and mentioned an ongoing study to further evaluate the effectiveness of their methods. Both speakers agreed on the necessity of empirical evidence to support their claims and improve training practices.
In addition to training methodologies, Craig criticized outdated password guidelines and emphasized the importance of integrating psychological insights into cybersecurity practices. He highlighted the need for a multidisciplinary approach that considers human behavior in security risks. The discussion concluded with a focus on the significance of effective communication and the role of psychology in professional success, as well as plans for a podcast collaboration that would further explore these themes.
SHOW NOTES:
Today, we’re diving into an old topic: phishing training. But with a new suggestion: training may make your company LESS secure.
For years, the cybersecurity industry has relied on simulated phishing exercises and embedded training to build a human firewall.
A human firewall uses your employees, not just your computer systems, to block and limit the damage from cyberattacks.
But is this approach truly effective? A large-scale study suggests the answer is a resounding “no.”
Its central finding not only challenges the effectiveness of this training but also reveals that it can have unexpected side effects, potentially making employees even more susceptible to real-world attacks.
The paper is “Phishing in Organizations: Findings from a Large-Scale and Long-Term Study” (arXiv:2112.07498), which states:
“Surprisingly, we find that embedded training during simulated phishing exercises, as commonly deployed in the industry today, does not make employees more resilient to phishing, but instead it can have unexpected side effects that can make employees even more susceptible to phishing.”
- Rethinking Our Approach: what this research means for the future of cybersecurity awareness and training. Should the focus shift from individual responsibility to technical prevention at the organizational level?
Here with me to discuss all of this today is: Craig Taylor
Craig is the Co-Founder of CyberHoot, a company that helps SMBs and MSPs learn cyber literacy.
Craig is a CISSP (Certified Information Systems Security Professional) and a 30-year veteran of Cybersecurity. He has a BA in Psychology from University of Guelph.
Welcome Craig!
A frequently cited estimate from Cybersecurity Ventures projects that global cybercrime costs (the total economic impact) will reach US $10.5 trillion annually by 2025, which would make cybercrime comparable to the world’s third-largest economy after the U.S. and China. Note that this is a projection of aggregate cost (damage, recovery, lost productivity), not measured criminal revenue, so the comparison to national GDP is illustrative rather than like-for-like. SOURCE #1: Cybercrime Magazine. SOURCE #2: https://en.wikipedia.org/wiki/Cybercrime
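Added example (not code from the episode or from CyberHoot): the interview below contrasts the obviously unrelated sender domains a legacy phishing simulation is forced to use with the look-alike domains real attackers register, such as “rn” standing in for “m”, a zero for an “o”, an “l” for an “i”, a one-letter typo, or a brand name placed as a subdomain of an unrelated domain. The Python below is a minimal look-alike check of that kind over a constructed list of trusted brand domains. The TRUSTED list, the confusable tables, and the two-label “registrable domain” rule are assumptions for the example; production code should consult the Public Suffix List and a full Unicode confusables table.

```python
# Added example: look-alike (typosquatted) sender-domain check.
# Not code from the podcast or from CyberHoot. TRUSTED, the confusable
# tables and the two-label "registrable domain" rule are assumptions.
from __future__ import annotations

# Constructed list of brand domains we trust.
TRUSTED = ("microsoft.com", "amazon.com", "apple.com")

# Character sequences a quick glance reads as another letter.
# Two-character sequences are tried first so "rn" -> "m" wins.
CONFUSABLE_SEQ = {"rn": "m", "vv": "w", "cl": "d"}
CONFUSABLE_CHAR = {"0": "o", "1": "l", "i": "l", "|": "l", "5": "s", "3": "e"}


def skeleton(label: str) -> str:
    """Collapse a label to what the eye reads: rnicrosoft and micros0ft
    both collapse to the same string as microsoft."""
    s = label.lower()
    out = []
    i = 0
    while i < len(s):
        pair = s[i:i + 2]
        if pair in CONFUSABLE_SEQ:
            out.append(CONFUSABLE_SEQ[pair])
            i += 2
            continue
        out.append(CONFUSABLE_CHAR.get(s[i], s[i]))
        i += 1
    return "".join(out)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one-letter typos such as microsft."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Last two labels. Assumption for this example: production code should
    use the Public Suffix List (example.co.uk has three labels)."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def classify(sender_domain: str) -> tuple[str, str]:
    """Return (verdict, reason); verdict is trusted, lookalike or unrelated."""
    domain = sender_domain.lower().strip(".")
    labels = domain.split(".")
    reg = registrable(domain)
    if reg in TRUSTED:
        return "trusted", f"{reg} is a trusted registrable domain"
    reg_name = reg.rsplit(".", 1)[0]
    for brand in TRUSTED:
        brand_name = brand.rsplit(".", 1)[0]
        # 1. Brand used as a subdomain: microsoft.com.account-reset.example
        if brand_name in labels[:-2]:
            return "lookalike", f"{brand_name} is only a subdomain of {reg}"
        # 2. Same name under a different TLD: microsoft.co
        if reg_name == brand_name:
            return "lookalike", f"{reg} uses {brand_name} under a different TLD"
        # 3. Confusable substitution: rnicrosoft.com, micros0ft.com, app1e.com
        if skeleton(reg_name) == skeleton(brand_name):
            return "lookalike", f"{reg_name} reads like {brand_name} (confusable characters)"
        # 4. One-character typo: microsft.com, amazom.com
        if edit_distance(reg_name, brand_name) == 1:
            return "lookalike", f"{reg_name} is one edit away from {brand_name}"
        # 5. Brand embedded in a longer name: microsoft-login.com
        #    (noisy on its own; treat as a flag for review, not a verdict)
        if skeleton(brand_name) in skeleton(reg_name):
            return "lookalike", f"{brand_name} embedded in {reg_name}"
    return "unrelated", f"{reg} does not resemble any trusted brand"


if __name__ == "__main__":
    # Constructed sender domains: a real login host, four look-alikes, and
    # the obviously unrelated domain a legacy simulation has to send from.
    for d in ("login.microsoft.com", "rnicrosoft.com", "micros0ft.com",
              "microsoft.com.account-reset.example", "microsft.com",
              "account-resets-are-us.com"):
        print(f"{d:40} {classify(d)}")
```

The last constructed input is the point of the exercise: a domain like account-resets-are-us.com comes back “unrelated” because it resembles nothing, which is exactly why it is a poor stand-in for the look-alikes that the other five inputs represent. The skeleton comparison in step 3 is what a human reader skips when they glance at a sender address; running it mechanically in a mail gateway or a report-phish button is one way to stop relying on that glance.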
TRANSCRIPT
0:35 – David W. Schropfer
All right. Welcome back, everybody, to DIY Cyber Guy. This is Episode 82, The Phishing Paradox, Why Security Training Might Be Making You More Vulnerable. This is a hair on fire three out of five, and it may seem a little bit higher than my typical episode. This is for anybody who works on a computer doing anything for anybody. That’s a pretty broad spectrum umbrella. And the reason for that is we’re talking about security training. I’ve been through it, you’ve been through it. Or maybe if you depending on your job, you may have put other people in your organization through it. And it’s basically the whole idea of keeping your security posture of your company as high as possible. So for years, the industry has relied on simulated phishing exercises, embedded training, all focused on what we call the human firewall. What does that mean? Means that systems can only do so much. The people in your security operation center can only do so much. You can have the best possible security imaginable. But if you give away your RSA dongles, for example, or your usernames and passwords off to the first person that asks, well, that defeats the entire purpose of security in your operation and your network entirely. So humans, as we all pretty well know, are the weakest link in most security programs. And in most security postures in trying to defend any company and any network. So the approach that we’re all used to is what I’ll call gracefully the gotcha approach, seeing if we can get somebody to fall for something they shouldn’t, clicking a link in an email. And we’ve talked about this many times in a podcast, shouldn’t do that unless you explicitly knew that that email was coming, you were expecting it, and it’s something that is entirely researchable. And even then, it’s often better to go out of network And, you know, go out of band rather, send a text message to confirm an email, and vice versa, depending on who’s asking you to click what. 
But the gotcha part is when the company that you work for is putting out these messages, trying to see if they can bait you into doing something you shouldn’t. And then of course, saying something akin to gotcha, you shouldn’t have done that. And here’s the slap on the wrist or the note in your HR file, or the mandate to do a few more hours of cybersecurity or whatever the case may be. There was a remarkable finding from a research paper that came out recently called Phishing in Organizations: Findings from a Large-Scale and Long-Term Study. And I’m going to read you a quote from this study because it’s so fascinating to me. So listen to this. And I’m quoting now. Surprisingly, we find that embedded training, which is what I was just describing, during simulated phishing exercises as commonly deployed in the industry today does not make employees more resilient to phishing, but instead, and this is important, it can have the unexpected side effects that can make employees even more susceptible to phishing. That’s remarkable. To me, that changes everything. That’s kind of like saying, hey, that fire extinguisher that’s hanging up in the break room, that’s actually filled with gasoline. So if you try to use it to put out a fire, it’s going to make it a little bit worse. That’s bad. And we’re here to talk about the other side. So here with me to discuss this today is Craig Taylor.
Craig is the co-founder of CyberHoot, which is a company that helps small and medium businesses as well as managed service providers learn about cyber literacy. He’s a CISSP, which is a certified information securities and systems professional, and a 30-year veteran of cybersecurity. He has a BA in psychology, which is interesting, from the University of Guelph.
Craig, welcome to the show. David, great to be here.
4:57 – Craig Taylor
I love your approach and your introduction was fantastic. Thank you so much.
5:01 – David W. Schropfer
My pleasure. It’s wonderful to have you and your perspectives on DIY Cyber Guy. I’m really looking forward to this conversation. So let’s start with, you know, the quote that turned the world upside down from a cybersecurity training perspective. How is it possible that all of the training that most of us and most of my listeners are familiar with is completely wrong?
5:25 – Craig Taylor
It was surprising to me as well, because when we started out at CyberHoot, we started out doing exactly that, trying to build a better, you know, an ability to send fake emails to inboxes to hopefully measure that people would identify and avoid them. But what ends up happening here is there are two or three underlying currents that really lead to the poor outcomes that were reported in that study. And that study has been reproduced as of this August by University of Chicago and San Diego researchers.
5:58 – Unidentified Speaker
Yes, it was reproduced with a study of 20,000 people.
6:01 – Craig Taylor
And they said, in their words, 1.7% difference, a control group with no training versus all the other people in this large multi 20,000 person firm health care provider. They only saw 1.7% difference. It was a difference, but it’s still almost not worth doing at 1.7%. And, you know, the reality is there are two underlying problems with traditional fake email phishing. The first is a technical problem with the way we test. If you’re pretending to be a vendor like Microsoft or Amazon or Apple, you cannot have any of those words of those vendors’ domain names in your phishing attack. You have to send it from a sender domain of account resets are us. Something obviously not tied to Microsoft, Apple, or Amazon because one click of a mouse by an individual receiving that fake email, reporting it as spam, triggers a legal department at those companies contacting the vendor to say, stop impersonating us. We don’t allow you to do that. It’s verboten. It’s forbidden. And so you have to pick these dumbed down simplified domain names that teach the absolute worst possible message. If you get an email from a vendor and you think you want to click on it and you see that it’s an obviously wrong domain name, that’s a phish. OK, it’s not how hackers hack us. Hackers will take the M in Microsoft or Amazon and turn it into an R and an N and then register a domain name for a week or two. Of course, it will be reported and it will be taken down quickly. But within that two week time frame, they have hacked a thousand or a million people, right? Like people just look at that and go, oh, that looks like Microsoft. It must be real. They’ve been trained to look for obviously simplified and dumbed down domain names. Now, that’s the first problem. The second problem is more insidious. When you punish behaviors that you want to get rid of, right? Let’s say clicking on a link, right? 
We’re going to punish it with, as you said in your intro, a conversation with HR, a shameful conversation with your, maybe your manager has to have that conversation. You’re punished by having to watch another 45 minute video on how to identify and avoid phishing attacks. Whatever it is, you’ve failed something and now you have a negative consequence, right? It’s a punishment basis that doesn’t change any behaviors. It never has. Psychology for 75 years has said, and B.F. Skinner said this in 1953, behaviors that are reinforced tend to be repeated. What does that really mean? Behaviors that are reinforced. And, you know, you could put in positive reinforcement, you could put in or negative.
8:59 – Unidentified Speaker
Well, no, not negative, though. Negative could be.
9:02 – Craig Taylor
But negative is a very challenging thing for most people to understand. A fire alarm is a negative reinforcement. It reinforces you to leave the negative stimulus, to leave the building, right? It’s causing you to behave in a certain way as a reinforcement behavior by a piercing sound, right? But punishing someone for clicking is not negative reinforcement. There’s no removal of a stimulus that makes the behavior change because the stimulus has already been given. You’ve been punished. You failed, and now you have a consequence for that. But positive reinforcement is like saying, adding gamification, certificates of completion, continuing education credits for completing positive reinforcement assignments, having avatars that grow in ferocity over time, and this beautiful, through the tiers, one through seven of cybersecurity skill set. As you complete assignments at CyberHoot, we give you a little baby owl, then you become a little more mature owl, then you become an owl with a sword and an owl with a shield and an owl with armor. You know, you’re growing your capabilities, your maturity in cybersecurity as you go through the system and you gamify. And the gamification allows you to compete in a friendly way with your colleagues in your business. So at the end of the day, when you reward good behaviors, they tend to be repeated. The best example, here’s an analogy that I think every listener on this podcast will understand. You can train a dog or try to train a dog with a shock collar or treats, right?
10:41 – Unidentified Speaker
If you want your dog not to leave the property and you put a shock collar on, you put an invisible fence, they go near it, they get shocked and they back away, right? That’s to keep them in the yard. But what happens when a rabbit runs by on the other side of the road?
10:56 – Craig Taylor
The dog thinks and does a calculation in his head. I don’t really care about the shock, because it’s not going to drop me. It’s not a taser. It’s a mild shock. So I’m going to go get the rabbit. And off he goes. And when your employees get a really enticing email around Taylor Swift tickets for their teenage daughter, and you know, I just don’t care about the consequence anymore, because I want that for my family.
11:19 – Unidentified Speaker
So they click. And that’s what hackers know. However, if you take the dog to a dog park and you give him treats for sitting when you say sit or coming when you call or doing this or that.
11:31 – Craig Taylor
And the dog’s tail is wagging and you treat, you reward and reinforce those good behaviors that you want to see. When you have your dog at home and you let him out to go to the bathroom and you call him into the house, you give him a treat. He keeps coming back to the house every time you call him in because he wants that treat. And if you do it on an intermittent schedule of rewards, meaning you don’t have to do a one to one. You can do a one and randomly assign a treat every second, third, fourth time. The dog’s going to come even faster because they think maybe if I come really quickly, I’ll get the treat this time or whatever the case may be. It’s rewarding the behavior and it’s repeating the behavior.
12:14 – David W. Schropfer
The same with children and other examples in the world.
12:18 – Craig Taylor
So let’s talk about gamification. And for those listeners that don’t know exactly what that is the example of gamification when it comes to electronics or apps.
12:28 – David W. Schropfer
Let’s use Waze as a good example. Waze wants you to report that there’s a police officer sitting by the side of the road or a construction zone or whatever the case may be. And from day one, your motivation for doing that is you start off with a badge, an innocuous beginner badge. And the more you report and the more that others confirm, yep, that hazard was there, that officer was there, the more your status goes up. So it’s basically just increasing the status, but it becomes like a little bit of a game. And that’s why they call it gamification, for those of you who didn’t know what that term meant. So at CyberHoot, and for my listeners, CyberHoot is not a sponsor, I’m just that fascinated with their approach that I’m having their CEO and their co-founder on as a guest. So when it comes to gamification that you employ to train your clients, and then the employees of your clients, what’s the effect that you’ve seen from using that as opposed to, if I heard you correctly, when you started, you didn’t use positive reinforcement, you used kind of what everybody else does.
14:03 – Craig Taylor
But now you use… Now we use gamification and rewards. Yes, exactly right.
14:07 – Unidentified Speaker
We see higher… What changed?
14:09 – Craig Taylor
So if you wanna know what changed, it was difficult to implement, right? To support the fake email phishing tests that would be sent, the gotcha approach, it broke all the time. And not in our system, it broke in the delivery mechanisms of the world. You have to put a bunch of hacks in place to bypass your Barracuda, your Proofpoint, your Mimecast, your spam filters, so that this message gets through, when every mail gateway out there is designed to block these fake email messages. Right? That’s their whole purpose of being. And now we come along, we want to deliver one through to see if we can test the end user, whether they will click on it or not, and play that gotcha game. And it would always break and it would always require a heavy lift on every single domain of every single MSP customer. It was just cumbersome and difficult. And the biggest problem we saw was engagement. People were giving up. I heard firsthand from a gentleman one time, a really smart guy, PhD guy. He goes, you know what I do, Craig? I just report everything to IT.
15:20 – Unidentified Speaker
I forward everything to IT. I don’t ever get caught anymore because I never click anything, right?
15:27 – David W. Schropfer
But I mean, people listening might laugh at that.
15:29 – Unidentified Speaker
Which overwhelms IT with so many false positives that they’re just chasing their tail.
15:34 – Craig Taylor
It does. But until that guy sees the Taylor Swift tickets for his daughter, right? He’ll click because he doesn’t have any idea of what the good behaviors of inspecting that email are to sort of circumvent all of the tricks that hackers use to get us to click, right? Urgency and emotionality and typosquatted domain names where it says Taylor Swift, but the I is an L in Swift. And so now you look at it, it’s like, oh, it’s Taylor Swift. It makes perfect sense. So people haven’t been trained with the right skill set. They don’t have the rubric and they are abdicating responsibility. But you mentioned, remember I mentioned there was a new study that just came out. The study that we started off talking about was from the University of Zurich, Switzerland. It’s about 2022. We just had another study published that says almost the same thing. But their third conclusion was really interesting. The people that failed the phishing test, on average, were assigned remedial training, phishing videos to learn how not to make that mistake again.
16:38 – David W. Schropfer
And they spent a total of 10 seconds on average.
16:42 – Craig Taylor
The 50th percentile was less than 10 seconds on the remedial video, which was 35 minutes in length, all right, or 20 minutes in length. It was some long, long video that would hopefully teach them how not to repeat the mistake. And they said, all the trainings that we’re doing are leading to disengaged or apathetic employees who give up on cybersecurity, just like that gentleman who said, I forward it all to IT. What we find in CyberHoot, with our HootFish phishing simulation, where you have to go through and there’s six or seven questions in a wizard-driven approach that asks you, is this sender safe or suspicious? And what is suspicious is these things called typosquatted domain names, where an A or an I replaces an L, or a zero for an O, or an M turned into an RN, or a period in the wrong place. And we explain all that, but you have to pass this test in order to finish the exercise.
17:39 – Unidentified Speaker
It’s an assignment. We are not punching any holes in anything because we’re sending you a rubric assignment that doesn’t trigger any alarm bells on any spam filter.
17:49 – Craig Taylor
So it’s 100% automated for end users or IT administrators who want to just turn this on and teach their employees in a positive reinforcing way rather than all the work that goes into punishing them when they fail, to just get that delivered. So it’s a lot easier from an administrative standpoint. But it teaches the rubric of the sender and the subject and the greeting and the spelling quality and punctuation and the urgency and emotionality that hackers know: if I can get David to react without thinking, he’s more likely to click. But if he thinks about it and responds carefully and thoughtfully a few moments or even a minute later, he’s not gonna make the mistake because he’ll realize this doesn’t make any sense. Why would my friend send me an invoice? I never get invoices from my friend. Why would I do that? That makes no sense. I’m not gonna open this. It’s a phishing attack. So the positive reinforcement and muscle memory and repeated behaviors, we see a lot of high, high engagement and high compliance in our platform. So I regularly see 100% in many companies, not all. There are plenty of, I could go find companies that are in the 20 and 30% range. They’re just not doing their CyberHoots, even their HootFish, because they haven’t even attempted it once to get that activation energy or that initial positive reinforcement, right? If you have a child that has a temper tantrum and you wanna teach them coping behaviors, but then they never actually show you coping behavior to reward, it’s hard to give positive reinforcement because you haven’t had that incident or that event where you can say, Johnny, well done.
19:33 – Unidentified Speaker
Do you see how you didn’t throw a temper tantrum there? You thought about it. You used your words and you talked about why you were frustrated. That’s awesome. Well done. And then they would self propel into a self motivation. Right.
19:46 – Craig Taylor
Some companies don’t get to that point. But I have a Goodwill. You would think, Goodwill employs, right, 80 people in this Goodwill in part of the, I can’t really say where, they’re at a hundred percent compliance on every video assignment and every HootFish always for the last three years and they’re all in. I come to find out an MSP says we went to a customer site and people have printed their certificates out and pasted them all around their office cubicles as a badge of honor that they’re getting, you know, all these assignments done and they’re becoming more cyber secure and cyber smart. So it actually has a positive effect on engagement. That’s the biggest thing that we’re seeing with the positive reinforcement is people aren’t checking out. They’re not giving up. They’re saying, hey, actually, you know what, David, I think I can understand this. That guy with a PhD, he should have been able to understand phishing if he was ever taught properly how to spot these things. But he gave up. He said, screw it. I’m just sending everything to IT. I’m not going to get shamed one more time. I don’t have time for that. So the two problems that we solve are the engagement issue and the realism of what we face in the real world attacks we face with typosquatted domain names and the accuracy of the simulations that we’re receiving. That’s just not possible in traditional fake email phishing. So think about this. Everybody take a step back from your computer and just say, if what we’ve been doing for 20 plus years on phishing training has been working, why is there a breach every single day in the news?
St. Paul, Minnesota called out the National Guard and the FBI two weeks ago because their entire city was down. And I’ll tell you this too, cybercrime reporting of ransomware events and these breaches that are happening are like mental illness. No one tells anybody about it. When it happens to you, only about 20% of the attacks that are successful are reported to the authorities or become newsworthy or anyone hears about. 80% are under the waterline. No one talks about it. They just try to quietly recover and not embarrass themselves. It’s huge. It’s the third largest economy in the world if you look at GDP last year was cybercrime. There was the United States economy at 30 trillion and then China’s at 20 trillion and then cybercrime at 10 trillion or 11 trillion in illegally gotten funds. That’s a very sobering statistic. So what we’re doing is clearly not working, right? So what’s the definition of insanity, right, David?
22:33 – Unidentified Speaker
Trying the same thing over and over again and expecting a different result, right? Yeah. And so the news is our guide.
22:43 – David W. Schropfer
Interesting. And I started my career as an analyst, so I’m always looking for stats. And that was a very interesting one that basically cybercrime is the third largest industry behind the economy of the United States and the economy of China, which is an interesting statement. And for my listeners, I’m going to try to find the source of that and I can get it up on the website at DIY Cyberguy. But is there evidence that actual breaches, the actual bad guys, the actual phishing emails don’t get responded to as much using a positive reinforcement method versus a negative reinforcement method?
23:56 – Craig Taylor
We have anecdotal evidence from the MSPs that we work with, right? We had a study of one MSP that had 50 clients, and over a three-year period, they enrolled 40 clients into the platform. Of the 40 clients, not one left the MSP. They all renewed their annual agreement. There were no major security breaches in those 40 clients over two years. There were two or three minor ones, right? But nothing, not a ransomware event, not a wire fraud event. There might’ve been a business email compromise, something like that, but minor in nature. And quickly identified and remediated. And the 10 that refused any awareness training and phishing simulations with their staff, two had major security breaches. And two others, it’s weird how they didn’t actually overlap, but two left the MSP, did not renew their MSP agreement or renew year after year after year. And two others that actually stayed on had two major security breaches, a ransomware event in both cases. This is an N of one. So anecdotally, we have loads and loads of evidence. I talk to MSPs every day, David, and they say the number of emails they get asking, hey, Craig, is this a phishing attack? Because I’m not sure, go from overwhelming amounts down to very little trickles after a few months of the CyberHoot HootFish exercise, that sort of thing. So again, it’s only anecdotal. However, we have an IRB-approved study going on right now. What IRB is, internal review board approved. There’s an ethics committee at every university that has to say, yes, you can do that study because you’re not going to harm the psyche of any of the participants, right? You’re not going to cause harm. So you have to get this IRB approval to do a study. We have three different cybersecurity researchers who have studied the effectiveness of fake email phishing in the gotcha way, studying CyberHoot’s HootFish right now to create empirical, science-based evidence of the benefit. And they’re looking at two aspects. 
The affect, how do people feel going through this positive reinforcement approach? Do they feel more engaged? Do they feel better doing it versus the norm, which is the punishment and the negative shame and fear and punishment approach? And then what is their effectiveness?
26:19 – David W. Schropfer
How do they do in the long run?
26:22 – Unidentified Speaker
And so this is hopefully going to add empirical evidence to the anecdotal evidence that it works better. But I think everyone listening to this can logically connect the dots. If you train a dog with a shock collar versus treats, how does the dog behave in the long run?
26:39 – Craig Taylor
The dog’s wagging his tail and says, take me to the dog park cuz I wanna go when it’s treats, and he’s shutting down and he’s cowering in a corner when you put a shock collar on or pull the shock collar out. If you have a child and you’re a parent and you scold a tantrum and you say, grow up and stop being such a baby, versus talk about your feelings with me. Tell me what happened there. You were really upset. And if you can tell me about it, maybe we can work out a better way to behave in the future. Well, that’s good parenting. And you’re going to have a well-adjusted child in the outcome from the positive reinforcement of the good behaviors once you see them. Right.
27:18 – David W. Schropfer
So apply that to cybersecurity. Anywhere you look in this world.
27:21 – Craig Taylor
Incarcerated adults who can’t cope with the world because they don’t have the coping skills or the job skills to get a reasonable job to pay their way through society, they go back to jail, they recidivize. But if you teach them those job-related skills, communication skills, and reinforce those good behaviors, their recidivism rates go way, way down. So anywhere you look, any way you think about it, it’s got to be better than what we’re doing and the breaches we’re seeing today. So we’re going to try and prove it.
27:52 – David W. Schropfer
So let me see if I can recap what we’ve been talking about here today. So first and foremost, traditional training versus no training at all is a lift of around, I think you said 1.7%, which is really close to why do it at all. Number two, the sniff test of positive reinforcement versus negative reinforcement makes sense, certainly applies to dog training, certainly applies to raising teenagers. I’ve done that. Yes, I have my testament to that. And you’ve got some real anecdotal evidence, which matters. I mean, anybody will tell you in the MSP field or any other sales field, that retention of your clients year over year is a big indicator of whether or not they’re happy with the product that they’re getting and the results, the end results, that they’re seeing from it. So it sounds like you have that anecdotal evidence and real empirical evidence is underway. You’ve got a study going. And hopefully as a result of this podcast, there’ll be a few more of them. If we’ve got some university students listening, get out there, talk to your professors, let’s get a study going. But this has been really fascinating. And it’s one of those things that’s so frustrating because it’s so obvious that positive reinforcement would be better than negative reinforcement. Security is not an exception to that rule. It plays to that rule, just like anything else.
32:33 – David W. Schropfer
Okay, so Craig, given all that, what do I do if I’m an employee listening to this podcast right now, I’m getting pummeled, you know, year in year out, with basically negative reinforcement cybersecurity training, I get a gotcha email, despite my best efforts, I’m getting a gotcha email once every couple months, once a quarter, regularly, I just can’t stop this negative reinforcement from happening. What should I do? What should I tell my boss? How do I react to that, given what we’re talking about today?
33:05 – Craig Taylor
Well, I would share this podcast with them. First of all, your boss, your IT department to say, look, there are positive ways to go about fixing this problem. What we know is by looking at the news every day that the negative reinforcement isn’t changing behaviors. It’s not working. People are getting more and more email forwarded to their IT department, and they’re not learning the skills they need to efficiently confidently and securely process email. And I’m not just talking at work. This also applies to your home life, right? If you have an employee who clicks on something and gets ransomed at home and loses their wedding photos or loses financials, that impacts their work life as well.
33:48 – Unidentified Speaker
So take your IT person aside, take your boss aside and say, you know, if you have to keep using these gotcha emails, at least reward people in other ways for reporting it, when they see it.
34:00 – Craig Taylor
Give a monthly stipend, not a stipend, but a recognition award to the person that reported successfully, correctly, the most phishing attacks. Take someone else to lunch for doing it. Create positive reinforcement opportunities within whatever means you’re doing today while you look for a more positively focused, educational, and realistic phishing simulation and video training platform. Similar to what we do, because you can’t just rip and replace every time.
34:32 – David W. Schropfer
I know these vendors, they lock you in for a year or two.
34:36 – Unidentified Speaker
We are month to month at our company, but most vendors will lock you in for a year or two, and so you just can’t leave.
34:45 – Craig Taylor
What you need to do in those cases to get that engagement, to keep employees participating and learning, is to reward them when they do, in whatever way you can. At our company, we give certificates of completion and continuing education credits, 15 minutes towards whatever accreditation requirements you have. Usually every person in a different trade has 10 hours a year. We give up to four to six of those hours as cyber literacy training, cybersecurity certificates and training. But make it fun, make it entertaining, make it educational, because that’s what breeds engagement and that’s what’s sorely lacking across the industry. Right now we suffer from an apathy problem where employees are just tired, they’re overworked, and they don’t want to pay attention to anything that gives them a negative feeling, right? So if you can make it more fun and enjoyable, I think that’s your answer.
35:38 – David W. Schropfer
So I never thought I would focus on the word fun or gamification or anything of the sort in a discussion about cybersecurity, but you have squarely convinced me that it is an important factor for this and really everything else where you’re trying to either mold or guide or change the behavior of any group. It works in other areas, from your pets to your teenagers to your employees, not to draw any equivalency there for those people who just opened up their email to write me an angry message. No, no, that’s not what I’m saying. Changing behavior is what this is about. I love it that you had a psychology degree to ground yourself in some of these basic principles that guide exactly how you’re doing what you’re doing in CyberHoot today. Craig, it’s been fantastic having you on the podcast. Where can people find out more about what you do?
36:39 – Craig Taylor
CyberHoot.com is our website. You can email sales at CyberHoot.com or visit the website and sign up for a free 30-day trial. You can also learn more or subscribe to a newsletter that we have, which is cyberhoot.com forward slash newsletters. We have a weekly blog where we cover emerging threats; you can go to cyberhoot.com slash blog. And then for anyone listening to this that might want to give it a try, we have two choices for you. If you’re an individual, we give CyberHoot away for free to individuals, so even a CEO of a company could subscribe just to try it out, and if you enjoy the positive reinforcement, then tell your IT person, hey, go take a look at CyberHoot, and maybe you can hire us for everybody. But it’s free for you at cyberhoot.com slash individuals, with an S. If you do sign up and you want a discount, we give a special discount to anyone that’s a DIY Cyber Guy listener. There’s a box on any sign-up page asking how you heard about us, what the referral is. You’d say DIY Cyber Guy, and you get 20% off your first year automatically. That’s very generous. Thank you.
37:55 – David W. Schropfer
On behalf of my listeners, thank you for that. A 20% discount is really significant for the first year. And I think that’ll help a lot of people at least try a different way of doing something that we’ve all known for so long. Craig, it’s been wonderful having you on the podcast. We’ll certainly have you back. Thanks again for giving the discount to my listeners. My pleasure, David.
38:17 – Craig Taylor
It’s been a pleasure for me, too. Thank you.
38:19 – David W. Schropfer
Thank you.
One thought on “#82 – The Phishing Paradox: Why Security Training Might Be Making You MORE Vulnerable”