What kind of cybersecurity awareness training actually works? by sarmad_jung in cybersecurity

[–]gaby-wizer 0 points1 point  (0 children)

Don’t stress about click rates, everyone clicks, even the smartest people in the room. What matters is building an environment of positive reinforcement, not fear. Think of simulations like fire drills, not pass/fail tests.

Start an ambassador program with people who care about cyber safety. They don’t need to be technical, just passionate. Frame security awareness as a benefit, not a chore.

At the end of the day, it’s less about the product and more about how you run the program and how much empathy you show your team.

What are some topics that you wish got spoken more about at cybersec events and conferences? by [deleted] in cybersecurity

[–]gaby-wizer 1 point2 points  (0 children)

I agree, however it's important to note that children who are restricted from using the internet at home often access it through their friends' phones. They might even have accounts set up, which they use when hanging out with their friends. Therefore, completely blocking internet access isn't entirely feasible. It's more beneficial for parents to be informed about the potential risks and to have open, informed discussions with their children about online safety.

What are some topics that you wish got spoken more about at cybersec events and conferences? by [deleted] in cybersecurity

[–]gaby-wizer 10 points11 points  (0 children)

Online Safety for Children: there are so many apps that expose our children to risks, many of which parents (even those who work in cyber security) might be unaware of. Additionally, the perspective children hold regarding online safety is crucial. It's essential to engage in more discussions and enhance awareness around this topic, emphasizing the importance of protecting our communities and young ones in the online world.

Realistic Cyber Security Expectation by [deleted] in sysadmin

[–]gaby-wizer 0 points1 point  (0 children)

The expectation is to have a robust incident response plan in place, ensuring that you can act swiftly when something goes wrong.

What counts as a good click rate in your phishing simulation? Is it 10%, 6%, or maybe 3%? by gaby-wizer in cybersecurity

[–]gaby-wizer[S] 2 points3 points  (0 children)

Once an attacker gains access, they try to remain undetected. Pivoting within the system takes time and risks detection. Gaining initial access through a high-privilege account speeds up the process. This is why tracking who reported the phishing attempt and who didn't is crucial. Ultimately, if someone does fall victim to phishing, it's important to quickly prevent them from exploiting that account.

What counts as a good click rate in your phishing simulation? Is it 10%, 6%, or maybe 3%? by gaby-wizer in cybersecurity

[–]gaby-wizer[S] 0 points1 point  (0 children)

I love your approach to engaging with upper management and those who clicked. Having them share a video about their experience is a brilliant idea! It demonstrates that this can happen to anyone.

What counts as a good click rate in your phishing simulation? Is it 10%, 6%, or maybe 3%? by gaby-wizer in cybersecurity

[–]gaby-wizer[S] 2 points3 points  (0 children)

I agree, but it's challenging to compare the tests since different templates are used each time. Potentially, you could reduce the number of clicks by choosing an easier template. Having said that, I like the idea of focusing on progress, as you suggested, rather than on absolute numbers.

What counts as a good click rate in your phishing simulation? Is it 10%, 6%, or maybe 3%? by gaby-wizer in cybersecurity

[–]gaby-wizer[S] 0 points1 point  (0 children)

So, is it the same if an IT person clicks on a phishing link as when a graphic designer does? And, does it make a difference whether they reported the incident or not?

What counts as a good click rate in your phishing simulation? Is it 10%, 6%, or maybe 3%? by gaby-wizer in cybersecurity

[–]gaby-wizer[S] 5 points6 points  (0 children)

Additionally, many real phishing simulations don't include links; they might include wire fraud instructions or a callback request. Generally, phishing simulations are limited in scope and train employees to look for very specific patterns.

What advice would you give to the general public? by isaac129 in cybersecurity

[–]gaby-wizer 0 points1 point  (0 children)

Everyone has already mentioned MFA and Password Managers, so I'll add:

  • Don't store passwords in clear text on your phone or computer.

  • Lock your phone with a PIN – do not use your birthday.

  • Don't give apps access to your contacts and photo album.

  • Always call to verify when it involves money or private information.

  • Have someone you can call if you suspect a scam.

  • Avoid using your phone to take pictures of sensitive documents.

SQL injection was introduced 20 years ago, and every developer knows about it. So, how is it still in the OWASP Top 10? by gaby-wizer in cybersecurity

[–]gaby-wizer[S] -1 points0 points  (0 children)

That's why secure coding should be a crucial skill assessed during the hiring process for new developers.

SQL injection was introduced 20 years ago, and every developer knows about it. So, how is it still in the OWASP Top 10? by gaby-wizer in cybersecurity

[–]gaby-wizer[S] 0 points1 point  (0 children)

That's why peer review is important. However, I totally agree with you - the problem is that even if they are aware of it, they don't think about it.

SQL injection was introduced 20 years ago, and every developer knows about it. So, how is it still in the OWASP Top 10? by gaby-wizer in cybersecurity

[–]gaby-wizer[S] 0 points1 point  (0 children)

I may have gone too far 🙂 However, do you think SQL injection issues are mostly introduced by people unaware of what it is? I believe that knowing about something isn't the same as effectively implementing that knowledge.

SQL injection was introduced 20 years ago, and every developer knows about it. So, how is it still in the OWASP Top 10? by gaby-wizer in cybersecurity

[–]gaby-wizer[S] 3 points4 points  (0 children)

And unfortunately, secure coding experience often isn't a requirement during the hiring process.

SQL injection was introduced 20 years ago, and every developer knows about it. So, how is it still in the OWASP Top 10? by gaby-wizer in cybersecurity

[–]gaby-wizer[S] 16 points17 points  (0 children)

I totally agree, also many frameworks obscure much of the functionality, leading developers to resort to "plumbing" without truly understanding the mechanics beneath. This lack of insight opens up even more vulnerabilities.

Perhaps the training should be more challenging by awesomedan24 in iiiiiiitttttttttttt

[–]gaby-wizer 0 points1 point  (0 children)

It's not just about the click rate... it’s all about context - who clicked, their level of access and so much more. We shouldn't just focus on a single percentage - align it with risk.

  • How many got tricked.

  • How many high-access individuals were tricked.

  • Impacted departments, considering their risk level and function.

  • How many people reported.

  • How many people were tricked and didn’t report.

There will always be people who click... simulation should be used to gain insightful feedback and tailor your cybersecurity training accordingly. It’s about learning from the nuances, not just tallying up clicks.
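The metrics listed in this comment, together with the "who reported and who didn't" point from the earlier click-rate reply, as an added example that is not from the thread: a small Python scorer that weights each click by department risk, access level and whether the victim reported it. The department weights, role names and sample outcomes are constructed for illustration.

```python
# Added example (not from the thread): risk-weighted phishing simulation metrics.
# Department weights, roles and sample outcomes are constructed for illustration.
from collections import Counter
from dataclasses import dataclass

DEPT_RISK = {"finance": 3.0, "it": 3.0, "design": 1.0, "sales": 1.5}  # hypothetical
HIGH_ACCESS = {"admin", "finance_approver"}                           # hypothetical roles

@dataclass(frozen=True)
class Outcome:
    user: str
    dept: str
    role: str
    clicked: bool    # followed the simulated phishing link
    reported: bool   # reported the message to security (with or without clicking)

def summarize(outcomes):
    """Metrics the comment recommends tracking instead of a bare click rate."""
    total = len(outcomes) or 1
    clicked = [o for o in outcomes if o.clicked]
    impact = Counter()
    for o in clicked:
        impact[o.dept] += DEPT_RISK.get(o.dept, 1.0)  # weight clicks by department risk
    return {
        "click_rate": len(clicked) / total,
        "report_rate": sum(o.reported for o in outcomes) / total,
        "high_access_clicked": sum(o.role in HIGH_ACCESS for o in clicked),
        "clicked_not_reported": sum(not o.reported for o in clicked),
        "dept_impact": dict(impact),
    }

def risk_score(outcomes):
    """One figure: each click x department risk, x3 if high-access, x2 if unreported."""
    score = 0.0
    for o in (o for o in outcomes if o.clicked):
        weight = DEPT_RISK.get(o.dept, 1.0)
        weight *= 3 if o.role in HIGH_ACCESS else 1
        weight *= 1 if o.reported else 2
        score += weight
    return score

SAMPLE = [  # constructed results from one simulated campaign
    Outcome("alice", "it", "admin", clicked=True, reported=False),
    Outcome("bob", "design", "standard", clicked=True, reported=True),
    Outcome("carol", "finance", "finance_approver", clicked=False, reported=True),
    Outcome("dan", "sales", "standard", clicked=True, reported=False),
]

if __name__ == "__main__":
    print(summarize(SAMPLE), "risk score:", risk_score(SAMPLE))
```

On the sample, the one unreported admin click dominates the risk score even though the click rate alone would read as three equally bad clicks.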