If you had to choose between regular cyber security training and simulated phishing testing, the data shows you should choose simulated phishing tests. This revelation underscores a fundamental shift in cyber security education over the past decade. When choosing a reliable partner such as PhishFrenzy, you get the best of both!
The Evolution of Simulated Phishing Tests
When the security awareness training (SAT) industry began over a decade ago, there was a considerable amount of controversy surrounding the use of simulated phishing tests. The concept was novel, and some viewed it as potentially unethical and unnecessary. Early IT administrators sometimes faced backlash for conducting unapproved simulated phishing tests, especially when high-ranking officials like CEOs were caught off guard.
A phishing simulation programme should begin with management’s knowledge and approval; once that is in place, it can become a normal routine. Today, the landscape has changed significantly. Phishing simulations are now recognised as one of the best educational tools available in an organisation’s cyber security stack. However, even among organisations that conduct these tests, there is still debate about the right frequency.
Recommendation: Conduct simulated phishing tests at least monthly, and preferably weekly. Don’t have someone to manage this? PhishFrenzy Can Help!
The Data Speaks
Long-term data consistently shows that the more frequently an organisation conducts training and simulated phishing tests, the less likely their users are to click on phishing emails. If possible, both training and testing should be implemented together, reducing overall risk to the organisation.
Organisations that solely perform simulated phishing tests have better “phish-prone rates” than those that rely only on conventional training. This outcome aligns with decades of educational research showing that testing enhances long-term retention of material.
In his book “Why We Remember,” Dr. Charan Ranganath states, “…there are no laws in the science of memory, but the benefit you gain from testing as opposed to studying (aka the testing effect), is almost as reliable as gravity.” His research and classroom experience support frequent testing as a method to improve long-term learning.
Recommendations
Get Management Approval
Always secure approval from senior management before initiating simulated phishing campaigns. Conducting these tests without prior approval can lead to unnecessary complications. Ensure that both the type and frequency of testing are approved.
Apply Both Training and Phishing Simulations
Ideally, combine conventional training with simulated phishing. Start with comprehensive training sessions (15-45 minutes) for new hires and annual refreshers. Follow these with shorter, more frequent training sessions (5-10 minutes) throughout the month. This approach ensures users are well-prepared and reinforces their learning continuously.
Don’t Warn Users About Pending Tests
Inform users that simulated phishing tests are part of the cyber security protocol but avoid announcing specific tests. Pre-announcing tests can skew the results, as users will be more cautious than usual, defeating the purpose of the exercise.
Note: Avoid informing specific groups, such as senior management or support staff, about upcoming tests, as this undermines the test’s effectiveness. Real-world phishing attacks do not come with warnings, and neither should simulated tests.
Test & Train Everyone
No group should be exempt from testing, including senior administration and IT staff. These groups are often prime targets for real-world phishing attacks. We’ve seen it all, including credentials submitted from users responsible for finance, HR, and even IT. It’s important to ensure they are included in tests to enhance their awareness and preparedness.
Increase Frequency
The more frequently simulated phishing tests are conducted, the better the results. While some organisations may find more than one test per week excessive, substantial improvement is observed when tests are conducted at least quarterly. The optimal frequency is monthly to weekly. It only takes one vulnerable user for a cybercriminal to do a considerable amount of damage.
Facilitate Quick Reporting
Provide users with an easy way to report suspected phishing messages. Nobody wants to be filling out forms. Tools like the ones we deploy (a phish alert button) simplify the process, allowing users to report and delete suspicious emails with a single click.
Immediate Feedback
Provide immediate feedback to users who fail simulated phishing tests. When a user fails, we share a detailed analysis of the “red flags” in failed phishing attempts, helping users learn from their mistakes promptly.
Quick Responses
Research shows that quick feedback and immediate action are crucial for effective learning. Prompt responses to reported phishing messages or failed tests help reinforce lessons and improve long-term retention.
Diversify Content
Avoid repetitive training and testing. Vary the topics and types of content to keep users engaged and cover all aspects of cyber security. This includes different phishing techniques (email, SMS, spear phishing, vishing) and diverse training formats (videos, animations, gamification).
Training should also address broader cyber security issues, such as social media behaviour, password security, and general cyber security awareness. A holistic approach, like the one we provide, ensures comprehensive education and a stronger security culture.
Mix up the Difficulty
As users become proficient at identifying basic phishing attempts, increase the complexity of simulated tests. This gradual increase in difficulty ensures continuous learning and challenges users to improve their detection skills. At PhishFrenzy, we randomise simulated phishing emails from 1-5 stars based on their difficulty ratings.
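As an added example (not PhishFrenzy’s own code), the Python below computes the phish-prone and report rates discussed earlier over constructed campaign results, breaks them down by the 1-5 star difficulty rating, and applies an assumed step-up/step-down rule for choosing a user’s next difficulty; the `Result` fields, outcome labels and the three-in-a-row threshold are assumptions for illustration.

```python
"""Campaign metrics and adaptive difficulty for a simulated-phishing programme.
All data below is constructed; the rules are assumptions, not a vendor's logic."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Result:
    user: str
    difficulty: int   # 1 (easy) .. 5 (hard) star rating
    outcome: str      # "reported", "ignored", "clicked" or "submitted"


FAILED = {"clicked", "submitted"}   # outcomes counted as phish-prone


def phish_prone_rate(results):
    """Share of delivered simulations where the user clicked or submitted credentials."""
    return sum(r.outcome in FAILED for r in results) / len(results) if results else 0.0


def report_rate(results):
    """Share of delivered simulations the user reported via the phish alert button."""
    return sum(r.outcome == "reported" for r in results) / len(results) if results else 0.0


def rate_by_difficulty(results):
    """Phish-prone rate per star rating, so a rising curve is visible as tests get harder."""
    buckets = defaultdict(list)
    for r in results:
        buckets[r.difficulty].append(r)
    return {d: round(phish_prone_rate(rs), 3) for d, rs in sorted(buckets.items())}


def results_for(results, user):
    return [r for r in results if r.user == user]


def next_difficulty(user_results, current, streak_needed=3):
    """Assumed rule: results are chronological; a failure at the current level steps
    down one star, `streak_needed` consecutive reports step up one star, clamped 1..5."""
    at_level = [r for r in user_results if r.difficulty == current]
    if at_level and at_level[-1].outcome in FAILED:
        return max(1, current - 1)
    streak = 0
    for r in reversed(at_level):
        if r.outcome != "reported":
            break
        streak += 1
    return min(5, current + 1) if streak >= streak_needed else current


SAMPLE = [  # constructed, in chronological order
    Result("alice", 1, "reported"), Result("alice", 1, "reported"), Result("alice", 1, "reported"),
    Result("bob", 1, "clicked"), Result("bob", 1, "reported"),
    Result("carol", 3, "submitted"), Result("carol", 2, "ignored"),
]
```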
Make it Fun
View phishing simulations as a game or challenge within the workplace rather than a pass/fail test. This approach encourages users to engage with the material positively and reduces resistance to frequent testing. Top of the leaderboard gets Phish ‘n’ Chips!
Include Quizzes
Although the learning is bite-sized, we also suggest incorporating short quizzes at the end of training sessions. Frequent testing reinforces learning and improves long-term retention. Ensure the quizzes are concise and straightforward, focusing on reinforcing key lessons.
Understanding the Main Importance
The shift towards prioritising simulated phishing tests over traditional training is both logical and backed by substantial evidence. The effectiveness of testing in reinforcing learning and improving retention is well-documented across various educational fields. In cyber security, where the stakes are incredibly high, the ability to identify phishing attempts quickly and accurately can mean the difference between a secure network and a devastating breach.
While conventional training remains crucial for providing foundational knowledge, simulated phishing tests offer a practical, hands-on approach that better prepares users for real-world scenarios. By integrating both methods and adhering to best practices, organisations can create a robust security culture that significantly mitigates risk.
PhishFrenzy Can Help
Simulated phishing tests are a powerful tool in your cyber security stack. By combining training with frequent tests, providing immediate feedback, and continuously adapting based on results, organisations can significantly reduce their vulnerability to phishing attacks. As the cyber security landscape evolves, so too must our strategies for education and prevention. Reach out to PhishFrenzy and see how we can help today.