In most companies, a small percentage of employees repeatedly fail phishing simulations. These “repeat responders” should be addressed through frequent phishing exercises that build muscle memory for identifying a phish. The cybersecurity team should also work out what other resources are needed to reduce repeat responses, i.e., identify process or technology updates that will change the way a repeat responder operates. Positive reinforcement, including rewards and public recognition for those who report phishing attempts, can be effective in motivating others in the company to get with the program. Finally, shifting training to include gamification and specific stories about phishing consequences can make all employees more cyber aware. This piece explains the underlying issues behind repeat responders to phishing simulations and recommends steps to address them.
The Impact of Workload on Phishing Susceptibility: An Experiment
Phishing is when social engineering is used to deceive a person into sharing sensitive information or downloading...