How To Avoid Bursting the Buy-In Bubble

You know the feeling.

You’re excited about something. It’s new, it’s interesting, and you’re ready to go.

But then something happens and all of a sudden that excitement just drains away, to be replaced with a resounding “Meh.”

Sadly, this is exactly what happens with many anti-phishing programs. When the program launches users are excited, engaged, and raring to go. But over time, that all fades away.

And you know what? One factor plays a huge part in this undesirable process, and it’s totally within your control.

The Reporting Black Hole

Just for a moment, think about what you’re asking your users to do. They have their own jobs to do, including a whole boatload of pressing deadlines, priorities, and worries.

What you’re asking for is far from insignificant: every single time they look in their inbox, you want them to check each email carefully to make sure it isn’t malicious. Then, if they do come across a suspicious email, you want them to report it so you can investigate.

You know what kills their desire to do all that? When you don’t even take a moment to say thank you.

Think about it. Your users spend their valuable time consuming your training, internalizing it, and responding to your monthly phishing simulations. They check each email they receive carefully, looking for signs of malicious intent.

Eventually, they come across an email they think might be malicious. They click the report button, and…


No confirmation that their reported email has been received. No clarity over whether the email really was malicious or not. Not so much as a perfunctory “Thanks for your help.”

At PhishLabs we call this phenomenon the reporting black hole, and in our experience it’s one of the fastest ways to burst the buy-in bubble. Not only that, over time it can lead to a dramatic reduction in report rates as users become disillusioned with the program and cease to take it seriously.

And the worst thing? All of this is totally avoidable.

3 Steps to More Engaged Users

Thankfully, avoiding the reporting black hole trap is easy to do. All you have to do is follow three simple steps:

1) Set up an automatic email response

Perhaps the most frustrating thing about the black hole is that users can’t be sure their reported emails are being received. After all, nobody is taking the time to tell them, so for all they know their reported emails could be going to the completely wrong inbox.

That’s why the first step to keeping your users engaged and reporting is simple. Just set up an automatic email to be sent each time a user report comes in. That way, at the very least, your users won’t be worried about whether their reports are being received.

2) Say thank you

Yes, this really makes a difference. A simple “Thanks for helping make our organization more secure” will make your users feel good about reporting suspicious emails. And you know what happens when people feel good about something? They keep doing it!

Oddly, even including this thank-you message in your automatic emails makes a huge difference. Thanking people personally is more powerful, of course, but that can be done at centralized training sessions. For now, simply add a short note of thanks to your automatic email response and enjoy the increased buy-in that will naturally follow.

3) Let users know if their reported email turns out to be malicious (or not)

If you’re willing to go a stage further than an automated thank-you email, the next step works wonders for user engagement. Each time you investigate a reported email, take a moment to let the user who reported it know whether or not it was malicious. If it was, they get to feel good about themselves and see what a direct impact they can have on the security of the organization. If it wasn’t, they can act on the email (if necessary), and they have an opportunity to briefly discuss their reasons for reporting it with a security expert.

Either way, it’s a win/win.
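The three steps above are one workflow: receive the report, acknowledge and thank the reporter straight away, then send the verdict once an analyst has looked. The following is an added example of that feedback loop, not PhishLabs’ code or a product feature. It assumes reports arrive in a shared reporting mailbox (the address is a placeholder) as a forwarded message with the original email attached as message/rfc822, which is what most “report phishing” buttons produce; the PR- ticket scheme derived from the message hash is an assumption, and the sample report is constructed for the example. Nothing here sends mail; each step returns the message a mailer would send, so the logic can be checked offline.

```python
"""Closing the reporting loop: receipt, thanks and verdict for a user report.

Added example, not PhishLabs' code. Assumes reports reach a shared mailbox
as a forwarded message with the original attached as message/rfc822.
"""
import email
import hashlib
import re
from dataclasses import dataclass, field
from email import policy
from email.message import EmailMessage

REPORT_MAILBOX = "phishing-reports@example.com"  # assumed shared mailbox
URL_RE = re.compile(r"https?://[^\s<>\"']+")


@dataclass
class Report:
    ticket_id: str
    reporter: str
    original_sender: str
    original_subject: str
    sha256: str
    urls: list = field(default_factory=list)


def parse_report(raw: bytes) -> Report:
    """Pull the reporter and the attached original out of a report email."""
    outer = email.message_from_bytes(raw, policy=policy.default)
    reporter = outer["From"].addresses[0].addr_spec

    original = None
    for part in outer.walk():
        if part.get_content_type() == "message/rfc822":
            original = part.get_payload(0)  # the attached original message
            break
    if original is None:
        raise ValueError("report does not contain an attached message/rfc822")

    # Hash the original so the same lure reported by several users maps to one
    # ticket and the analyst can look it up in the mail gateway.
    digest = hashlib.sha256(original.as_bytes()).hexdigest()

    urls = []
    for part in original.walk():
        if part.get_content_maintype() == "text":
            urls.extend(URL_RE.findall(part.get_content()))

    return Report(
        ticket_id=f"PR-{digest[:10].upper()}",  # ticket scheme is an assumption
        reporter=reporter,
        original_sender=original["From"].addresses[0].addr_spec,
        original_subject=str(original["Subject"]),
        sha256=digest,
        urls=sorted(set(urls)),
    )


def acknowledgement(report: Report) -> EmailMessage:
    """Steps 1 and 2: an immediate receipt that also says thank you."""
    msg = EmailMessage()
    msg["From"] = REPORT_MAILBOX
    msg["To"] = report.reporter
    msg["Subject"] = f"[{report.ticket_id}] Received your report: {report.original_subject}"
    msg.set_content(
        "Thank you for helping make our organization more secure.\n\n"
        f"We received your report of the message from {report.original_sender} "
        f'with subject "{report.original_subject}". It is logged as '
        f"{report.ticket_id}. The security team will review it and let you know "
        "what we found.\n"
    )
    return msg


VERDICT_TEXT = {
    "malicious": ("the message you reported was malicious. Your report let us "
                  "block it for everyone else, so thank you. Please delete it "
                  "if it is still in your mailbox."),
    "benign": ("the message you reported was safe. You can act on it as normal. "
               "If you would like to talk through what made it look suspicious, "
               "reply to this email and an analyst will get back to you."),
}


def verdict_notice(report: Report, verdict: str, analyst_note: str = "") -> EmailMessage:
    """Step 3: close the loop once an analyst has reached a verdict."""
    if verdict not in VERDICT_TEXT:
        raise ValueError(f"unknown verdict {verdict!r}; expected one of {sorted(VERDICT_TEXT)}")
    body = f"{report.ticket_id}: {VERDICT_TEXT[verdict]}\n"
    if analyst_note:
        body += f"\nAnalyst note: {analyst_note}\n"
    msg = EmailMessage()
    msg["From"] = REPORT_MAILBOX
    msg["To"] = report.reporter
    msg["Subject"] = f"[{report.ticket_id}] Verdict on your report: {verdict}"
    msg.set_content(body)
    return msg


# Constructed sample report: a user forwarding a fake invoice lure.
SAMPLE_REPORT = b"""\
From: Alice Example <alice@example.com>
To: phishing-reports@example.com
Subject: FW: Overdue invoice #4471
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="rep-boundary"

--rep-boundary
Content-Type: text/plain; charset="utf-8"

Looks odd, reporting it.

--rep-boundary
Content-Type: message/rfc822
Content-Disposition: attachment; filename="suspicious.eml"

From: "Accounts" <billing@invoice-portal.example.net>
To: alice@example.com
Subject: Overdue invoice #4471
Content-Type: text/plain; charset="utf-8"

Please review your invoice at http://invoice-portal.example.net/login?id=4471
before it is passed to collections.

--rep-boundary--
"""

if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    print(acknowledgement(report))
    print(verdict_notice(report, "malicious", "credential-harvesting page, now blocked"))
```

In practice the acknowledgement is wired to whatever receives the reporting mailbox (a mail rule, a SOAR playbook, or a small poller), and the verdict notice is sent from the ticket when the analyst closes it; the ticket ID in both subjects is what lets the reporter tie the two together and lets you measure how long the loop takes.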

A Comprehensive Approach to Anti-Phishing

In many cases, the difference between successful and unsuccessful anti-phishing programs is minor. As we’ve seen here, the lack of a simple automatic thank-you email can dramatically reduce the number of reported emails you see over time.

Of course, there are plenty of other factors to consider. To find out how you can develop a world-class anti-phishing program, register for our free on-demand webinar: Best Practice for Enterprise Phishing Protection.

*** This is a Security Bloggers Network syndicated blog from The PhishLabs Blog authored by Stacy Shelley. Read the original post at: