Many corporate cybersecurity training methods are, by their nature, designed to trick employees.
Phishing test emails masquerade as messages from an altogether different—and more intriguing—sender, with subject lines gushing with attractive but false promises. The tactic is a surefire way to catch inattentive employees with their guards down; it’s also an easy way to identify exactly who at the firm most needs additional cybersecurity training.
The downside? Phishing test emails can result in irate workers who often see the deceptive messages as unfair or unethical.
So how might managers handle the thorny maneuvering required to keep a company well defended while also protecting employee well-being?
In a recent Harvard Business Review article, Commerce Professor Ryan Wright and his coauthor, Professor Jason Bennett Thatcher of Temple University’s Fox School of Business, discuss three ways managers can adroitly walk the line to find worrisome gaps in employee preparedness without causing a rift between supervisors and those they manage.
In the HBR article, “Phishing Tests Are Necessary. But They Don’t Need to Be Evil,” Wright and Thatcher discuss three principles derived from their research that offer practical guidance: 1) simultaneously test teammates within the same departments; 2) create a culture of information sharing by recognizing efficient responses rather than embarrassing individuals; and 3) gamify and reward through fun competitions that provide helpful feedback by coaching underperforming groups.
Read the full article at HBR.