Cybercriminals have been using email to phish their victims for some 30 years, and over that time there has been no notable reduction in the resulting breaches.

Although many organisations now employ technical controls to limit the number of phishing emails reaching employees' inboxes, continual changes in cybercriminal strategy have left the number of phishing breaches largely unchanged.

Because of the current limitations of technology, employees remain the final line of defence against phishing, yet the constraints under which they operate are often misunderstood. Organisations are now giving more attention to human-focused interventions; however, more needs to be done to understand what an employee requires in order to become competent and motivated, and to feel socially empowered, to keep their organisation secure.

Whilst the discussion around this topic reaches far wider than the scope of this report, a number of important factors are considered: how organisations can better manage human risk in relation to phishing, and what should be expected of any intervention tools they choose to employ. The current barriers to success for both educational and 'in-the-wild' phishing interventions are discussed, alongside solutions, exemplified by OutThink, that work to overcome these challenges.

To mitigate human risk in phishing, organisations (and the tools they choose to employ) must offer interventions that work within human cognitive constraints whilst accounting for every factor that can influence behaviour. Awareness interventions should include training on the motivational and cultural aspects of behaviour, not only the technical competencies usually covered. Any competency-based training should support human decision-making in full, including the fast, heuristic processing that governs most everyday decisions, by reinforcing new cognitive strategies until they are applied habitually rather than only under deliberate attention.

Phishing simulation tools should offer further 'in-the-wild' training that focuses on applying these new cognitive strategies in practice. They should also be able to target an organisation's own risk hotspots as well as current phishing trends, so that company time and budget are spent where they are most effective.

Finally, to avoid employees feeling angry or victimised, simulation tools should address employees as active participants in the research and should present their primary purpose as educational.