Social Pressure -> Good Security Hygeine

Travis Good
November 16, 2020

Phishing is something every company should be actively trying to prevent. Phishing is the most commonly exploited threat to your company’s data.

Phishing attacks are by and large email attacks. They can take other forms, including messages through SMS and even Slack, but these are much, much less common. Phishing messages attempt to coerce a recipient into taking action, usually clicking a link to a bogus website where the recipient enters sensitive information.

While email platforms like Gmail and Outlook detect and block many phishing attempts, a large percentage of these nefarious emails invariably make it into inboxes. This means your employee’s discretion and critical thinking skills are the last line of defense against phishing attacks. It is up to them to open and click or not to open and not to click.


This is why your Security Awareness Training should have a main focus on phishing. The goal of training is to improve security hygiene, especially email hygiene in the case of phishing prevention. Security hygiene is dependent on employee behavior. Improving security hygiene means improving, and typically changing, employee behavior.

How do you influence employees to practice better security hygiene?

Training is a key part of improving security hygiene. Phishing training can take different forms. 

Traditional phishing training teaches employees what elements of an email are suspicious. Additionally, training also covers how to report such a suspicious email, what to do if you’re a victim of phishing as well as scenarios where the user is presented with a phishing attack that they have to work through.

Phishing simulations are another form of employee training. Phishing simulations send employees fake phishing emails, usually on some regular cadence. These simulated phishing attacks then track which employees open emails and which employees click on links. Employees then receive training about the fake phishing emails. Companies can track the performance of employees. Companies, in turn, can use these metrics to target interventions with certain employees.

There are also immersive training experiences that put employees into virtual battles against hackers. These red / blue games help employees get into the mind of attackers, which helps employees because all employees are target victims of real attackers. This kind of training falls within the realm of gamifying phishing simulations.

What about socializing phishing?

All of the above approaches to phishing training focus on basic metrics — email opens, clicks, etc — with trends to track performance over time. There are no social aspects that leverage these metrics to increase engagement of phishing training and the promotion of good security hygiene.

Contrast the lack of social in phishing training with a new study that found that “shame and disapproval from fellow employees were among the most effective factors deterring surveyed employees from falling for phishing scams.” This is both obvious and eye-opening!

Taking out the “shame and disapproval” of the linked article, the takeaway is that social factors are powerful in influencing security hygiene.

Why not use social factors to influence security hygiene?

There are a lot of reasons. One of the major reasons is that security events are almost always negatives. Opening a phishing email or clicking on a bogus link is a negative action. Sharing that negative action shames people.

The challenge with phishing is that the positive action is either 1) inaction or 2) reporting of suspicious email. Inaction can be tracked, at least using some time-based method to say “if an email is not opened within 72 hours then report it as unopened”. This is how many phishing simulation apps track phishing simulations today. The unopened events are not shared or used to promote behavior through social validation and promotion of that inaction.

Other than inaction, reporting of suspicious email is the other positive action users can take with a suspected phishing email. If you use Gmail, there is a “report phishing” button that can be used but this is to report suspected phishing emails to Gmail, not to track phishing reporting for your phishing simulation provider or for your company. Gmail does not expose this button action via API so phishing simulation apps cannot track it.

In order to track phishing reporting for metrics, phishing simulation apps need to either create a Gmail button to report suspected phishing attacks or an address to which suspected phishing emails can be forward. With either of those features, data on reporting can be collected. This positive action can then be shared.

Some phishing simulation apps have the functionality to track reported phishing attacks but, like unopened rates, this data is not used to garner social validation. 

Not opening phishing emails and reporting phishing emails are positive actions. They are good security hygiene. These positive actions, if shared, can create a positive feedback loop. This positive feedback loop is powerful, likely almost as powerful as the negative feedback loop of “shame and disapproval” that the study linked above found.

This lack of social engagement around phishing training is a missed opportunity to build user engagement. It also misses the leveraging of social dynamics to promote and solidify positive security hygiene.