I love *so many* things about this post. I’d like to take a minute though and add to this and offer a slightly different perspective.

Let’s talk about how phishing simulation, if done right, can be a good thing. 🧵 https://twitter.com/sean_a_cassidy/status/1265396812812136448
Phishing simulation is just *one* tool in the toolbox when it comes to email security. There is so much you can do to stop or flag phishing emails before they hit the inbox.

It’s the last line of defense, not the only one.
When it comes to running simulations, remember the problem you’re solving.

For me, I want to:

* Give coworkers a chance to practice good habits (and reward them for doing so!)
* Use it as an opportunity to build trust between the security team and our coworkers
Phishing simulations are a great way to practice good habits. And by that, I mean reporting any suspicious emails.
The metric you should care most about is the number of emails reported. Then take the time to celebrate the people who do the right thing. After all, had this been a real incident, they could have saved the day!

This also means you need an easy way to report phishing emails.
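As an added example (not part of the original thread), here is how I would score a simulation so that the reported count, not the click count, is the headline number. The event log is constructed for illustration; the field layout (timestamp, user, event) and the event names `sent`, `clicked`, `reported` are assumptions, not the format of any particular phishing-simulation tool.

```python
"""Score a phishing simulation by the metric that matters: who reported it.

Constructed example. Each log line is "ISO-timestamp,user,event" where event
is one of sent / clicked / reported. These names are assumptions for the
example, not the export format of a real simulation platform.
"""
from dataclasses import dataclass
from datetime import datetime
from statistics import median

# Constructed sample log for one simulation campaign.
SAMPLE_LOG = """
# ts,user,event
2024-05-06T09:00:00,alice,sent
2024-05-06T09:00:00,bob,sent
2024-05-06T09:00:00,carol,sent
2024-05-06T09:00:00,dave,sent
2024-05-06T09:04:00,alice,reported
2024-05-06T09:10:00,bob,clicked
2024-05-06T09:12:00,bob,reported
2024-05-06T09:30:00,carol,clicked
2024-05-06T10:00:00,alice,reported
"""


@dataclass(frozen=True)
class Event:
    user: str
    kind: str  # "sent", "clicked" or "reported"
    ts: datetime


def parse_events(lines):
    """Parse log lines, skipping blanks and '#' comments."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, kind = line.split(",")
        events.append(Event(user, kind, datetime.fromisoformat(ts)))
    return events


def summarize(events):
    """Return campaign metrics with reporting, not clicking, as the focus.

    A second report from the same person is not double-counted, and someone
    who clicked and then reported still counts as a reporter: that is exactly
    the habit the simulation exists to reward.
    """
    sent_at = {}
    first_report = {}
    clicked = set()
    for e in events:
        if e.kind == "sent":
            sent_at[e.user] = e.ts
        elif e.kind == "clicked":
            clicked.add(e.user)
        elif e.kind == "reported":
            # keep the earliest report per person
            if e.user not in first_report or e.ts < first_report[e.user]:
                first_report[e.user] = e.ts

    recipients = set(sent_at)
    reporters = set(first_report) & recipients
    clickers = clicked & recipients
    # minutes from delivery to each person's first report
    delays = [(first_report[u] - sent_at[u]).total_seconds() / 60 for u in reporters]

    n = len(recipients)
    return {
        "recipients": n,
        "reported": len(reporters),
        "report_rate": round(len(reporters) / n, 3) if n else 0.0,
        "clicked": len(clickers),
        "click_rate": round(len(clickers) / n, 3) if n else 0.0,
        "clicked_then_reported": len(clickers & reporters),
        # how quickly the security team would have heard about a real campaign
        "minutes_to_first_report": min(delays) if delays else None,
        "median_minutes_to_report": median(delays) if delays else None,
        # the list to celebrate (gift cards, shoutouts, a cc to their manager)
        "to_thank": sorted(reporters),
    }


def score_sample():
    """Score the constructed SAMPLE_LOG above."""
    return summarize(parse_events(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for key, value in score_sample().items():
        print(f"{key}: {value}")
```

The "minutes to first report" figure is the one worth tracking over time: in a real incident it is how long the security team would have gone without knowing, and it only improves when reporting is easy and rewarded.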
When it comes to building trust in phishing simulations, it’s just as much about what you *don’t* do as it is about what you do.

Here are some things you shouldn’t do:
Don’t use sensitive topics as pretexts. Things like paychecks, health, or benefits. Yes, they are used by attackers and yes, they are effective.

But you also lose the trust of your coworkers, and you can’t get that back.

A metric in a chart isn’t worth your coworker’s trust.
Don’t punish coworkers who click the link. They are just trying to do their job.

And remember that “punishment” can be as simple as the wording on your landing page, so be thoughtful about what they see if they click. Be there to help, not hurt.
Instead, go above and beyond to reward the people that do the right thing. And take it as an opportunity to remind folks that their friendly security team has their back and is always there to help.
Now let’s talk about some things you should do!
First, be incredibly open about why you’re doing phishing simulations. Too often, they’re hidden to “make it like the real thing”.

By being open about what you’re doing and why, there’s less risk of employees feeling like you’re out to trick them.
Have a clear place for coworkers to report emails and *respond* to them. The worst security teams are the ones behind a faceless inbox black hole where emails go to die.

Remind folks that there is a team that has their back and appreciates them doing the right thing.
Reward the employees who report the phishing emails (did I mention that?). This feedback builds relationships and trust within the organization.

I’ve seen gift cards, stickers, email shoutouts cc’ing their manager, etc. They helped look out for the company, so be excited for them!
And last, remember that there are people behind the email addresses just trying to do their best work.

By building empathy into the way you operate as a security team, simulations can make your last line of defense a little stronger, and they can build trust across an org.
And remember, it’s just one tool in the toolbox.
You can follow @jw_sec.