Platform

Unify HRM Overview

Platform

Capabilities

Identify: Human Risk Operations Center (HROC)
Dashboards

Power Insights

Benchmarks

Protect: Action Plans
Nudges: Communications & Employee Scorecards

Training: Risk Based SAT and Phishing

Orchestration: Policy Playbooks

Report: Human Risk Index (HRI)
Employee Scorecards

Manager Reporting

Board and Executive Reporting

Bundles

Unify Go
Start your journey to HRM here.

Monitor risk by:

Security Training Compliance

Phishing and Email

Unify Enterprise
Covers risk in Unify Go and adds:

Malware & Ransomware

Data Loss

Account Takeover

Featured Resources

Living Security Blog
What is Attack Surface Management?
link

Living Security Blog
Why Your Team Should Have A Business Continuity Plan
link
Solutions

Solutions Overview

Solutions

By Role

CISO
Provides CISO’s, executives, and boards a complete picture and prioritization of workforce risk by type, department, location, and more.
link

Security Awareness Team
Go beyond training completion and phishing click rates and proactively safeguard your organization from human-induced security incidents.
link

GRC
Identify, resolve and track commonly violated policies with granular accuracy to lower risk and improve workforce compliance.
link

SOC/IR
Unleash the true potential of your human firewall with data-driven insights and action plans that curb threats before they become incidents.
link

By Risk

Training Compliance
Monitor training compliance status for users and segments across the enterprise.
link

Phishing & Email
Identify the users most and least at risk to social engineering attacks and protect them.
link

Malware & Ransomware
Proactively protect users from malware including viruses, worms, Trojan viruses, spyware, adware, and ransomware.
link

Data Loss
Pinpoint when data is at risk of leaving your controlled environment through unauthorized access or malicious intent.
link

Identity Threats
Get visibility into the most susceptible users for account compromise and mitigate their risk.
link
Products

Products

Products Overview
Transform how your organization approaches Security Awareness and Training by shifting to a proactive HRM approach that creates a strong culture of security.

Living Security Blog
What is Attack Surface Management?
link

Unify Human Risk Management
Establish a proactive security loop.
Security Awareness Training
Interactive compliance training for modern threats.
CyberEscape Rooms
Put your team in the center of security scenarios
Cybersecurity Awareness Month
Create a cyber vigilant workforce in October
Cybersecurity Engagement Training Go beyond compliance training Phishing
Stop social engineering attacks in their tracks with realistic simulations and training
across phishing, vishing, smishing, and more.
HRM

HRM

Human Risk Management: Proactive Security
Human Risk Management (HRM) is the process of identifying, assessing, and mitigating risks associated with human behavior in relation to an employee's use of technology.
HRM Maturity Model
How far is your company along the path to true proactive security?

Living Security Blog
What is Attack Surface Management?
link
Resources

Resources

Resources
Level up on Human Risk Management with a comprehensive collection of webcasts, whitepapers, ebooks, and more.
Blog
Access hundreds of informative blogs with deep dives and best practices relating to the full array of cybersecurity risks we face.
Webinars
Watch dozens of webinars tackling some of cybersecurity’s biggest challenges featuring thought leaders from leading organizations.
Case Studies
See how a variety of organizations utilize Living Security’s HRM Platform, Training, and Phishing to reduce risk with proactive defense.

Partners
Human Risk Management Powered by Partners.
Technology Alliance Program
Extend the value of your offering with HRM.
Partner Support
Unlock your potential with our partner hub.

Living Security Community Share HRM best practices Newsroom Read the latest news on Living Security. Support
The more you know, the more you grow.
Why Living Security
Establish a proactive security loop.
Start Now

August 25, 2021

5 Questions to Decide if Your Phishing Simulation Training Is Ethically Sound

Many companies conduct phishing simulations to test employee’s readiness for email-based social engineering attacks.

But sometimes the phishing campaign is met with strong resistance internally, especially if employers approach tender topics that make employees feel unfairly deceived. And when your cybersecurity awareness training program pushes fear or shame, these campaigns are often not successful.

Phishing campaigns should be an opportunity for Security Awareness Program Owners to build a culture of education and support, not one in which users resent employers for sending emails that hit too close to home.

Here are a few questions to ask yourself before launching a campaign to see if you’re taking your phishing simulation too far:

1. Does this phishing simulation unfairly play on employees’ trust in the organization?

Generally speaking, employees trust their organization to protect their personal information, maintain their current workplace benefits, and operate according to a certain standard of ethics. So when an employer breaks that trust by sending a purposely manipulative phishing email leading employees to believe their personal safety within the workplace is at risk, it can leave a lasting impression on your team.

You may think, “Social engineers use manipulative tactics to trick people; therefore, a realistic phishing simulation should do the same,” but there is often a fine line between realistic and harmful. Phishing campaigns that capitalize on the emotional well-being of their recipients often reflect poorly on your organization and leave employees irritated and upset.

Here are a few examples of phishing messages related to employees’ work security that could unfairly toy with your team’s trust:

Bonus payouts. “Thanks for your hard work—here’s your annual bonus!”

Losing work benefits. “This has been the third consecutive month we did not receive your healthcare insurance payment. Effective tomorrow, we’re revoking your coverage.”

Termination notices. “Notice of Termination: Effective Immediately.”
Personal possessions within the workplace disruption. “In last night’s burglary, contents on your desk were stolen.”
Personal company-protected data leaked. “Our company was the victim of a data breach that could have potentially exposed personal information, such as your home address, phone number, etc., to cybercriminals.”

In these situations, the phish affects more than just your workplace environment: it directly targets the employee. Notice how the typical phishing schemes about missed package delivery notices or unpaid invoice requests often deal exclusively with business operations, while threatening an employee’s psychology or financial safety is directly aimed at the individual.

“Using highly emotive bait such as bonuses and healthcare—especially in the context of COVID-19—plays games with the emotional well-being of recipients, which in turn can harm psychological safety, trust, and culture within the workplace,” says Dr. Jessica Barker, co-CEO and co-founder at Cygenta, and we have to agree.

People don’t like to be deceived and often don’t like the people who deceive them. Don’t leave a sour taste in your employee’s mouths by personally scaring or angering them in poorly positioned phishing simulations.

2. Does this phish threaten employees’ homes or personal security?

Just as personally-targeted work-related messages attack an individual’s emotional well-being, dragging an employee’s home life into your phishing campaign is often a big no-no. Any phishing message that relates to an employee’s safety outside of the workplace has no place in a corporate phishing campaign.

For example, a work email phish stating an employee’s personal banking account was breached or that their home security system detected a break-in is not an ethical practice. While it’s true that highly specific, fear-based phishing emails are often the ones people fall for, your employee is likely to feel resentful of this personally invasive trick and will not appreciate you bringing their home life into the workplace setting. Stay far, far away from dragging your staff’s personal property into a professional phishing setting.

Check out our webinar, “Metrics, Training, Culture - Why Your Phishing Program Isn’t Working,” where our co-founder, Drew Rose, talks about the ethics of phish testing employees and poses the question, “When are we taking it too far?”

3. What is the potential impact of this email on employees’ mental health?

In the two questions above, you’ll notice the focus remains on your employee’s mental health. By inciting anxiety and panic in a way that threatens their psychological safety, you are causing your employees unnecessary stress and eroding their very trust in your organization.

Before hitting send on a phishing campaign, review the message again and ask yourself how the tone could be perceived by employees. Is this campaign empathetic of their personal boundaries and respectful of their well-being? Seek help from an occupational health advisor on how it might affect the team and your cultural perspective, if unsure.

4. Am I genuinely trying to change behavior, or am I purposely trying to get them to click?

It’s important to pulse-check your motivation for sending a phishing message before launching the campaign. What’s your goal for sending the phish? Is it to positively promote learning and nurture employees on best practices for avoiding cyber threats? Or is it to earn lots of clicks so you can show management how you turned those phishing click rates around after a year or two of simulation training?

The point of a phishing campaign is not to fool employees and make it look as though you’re effecting cultural change. It’s to actually train employees so that they don’t fall for phishing attacks. It’s to educate and empower your team to recognize and report suspicious messages with the goal of benefitting your employees and organization’s security at large.

If you find yourself trying to fool employees to prove how great you are at crafting clever phishing emails, we urge you to reassess your motive and the impact you hope to leave long after the campaign comes to an end.

5. Am I following up on the phish?

You spend so much time developing and orchestrating your phishing campaign, but after all the results are in, how are you sharing them with your team? If you are making employees go through your phishing training, the least you can do is share how they did as a whole at the end. If scalable, you could even share individual feedback with employees who failed and provide resources for them to improve their awareness for next time. Remember, this is an opportunity for you to support and empower your users, not make them feel ashamed for their mistakes.

Consider sending out a mass email to participants and giving a few shoutouts to people who caught the phish for the ruse it was, while still being kind to those who failed and providing valuable feedback that all employees could learn from.

The Foundation for an Ethical Phish

It can be difficult to ensure a phishing simulation is ethically sound. But when your employees’ psychological well-being and your organization’s culture are at stake, it’s crucial to get it right.

Never worry about the ethics of your phishing simulation again with help from Living Security’s phishing simulation training. We provide pre-written phishing content screened and tested for its ethical integrity: content that considers all the questions in this article and more. Best of all, our team can offer guidance about your own unique campaign. Contact us to learn more today.