Within our organizations, there are those employees who consistently exhibit mindfulness, avoiding every phishing attempt. Yet, there are also those users who, despite repeated education efforts, habitually fall prey to phishing emails and simulations, neglecting the tell-tale signs of social engineering. These individuals are known as "frequent clickers."
A question we often encounter is how to increase the mindfulness of these frequent clickers so they become less susceptible to phishing tactics. Transforming them into the always mindful "never clickers" is a challenge, but we do have some insights and approaches to offer.
In the context of cybersecurity and preventing risky behaviors such as clicking on phishing emails, "mindfulness" refers to a state of active, open attention to the present. More specifically, in this scenario, mindfulness can be broken down into:
- Awareness: The individual is fully aware of their actions and the potential dangers that come with every email they encounter, demonstrating attentiveness to the unique elements of each communication.
- Recognition: The ability to recognize tell-tale signs of phishing, such as suspicious links, unfamiliar sender addresses, and urgent or threatening language that requests personal information.
- Focus: A mindful individual maintains focus and doesn't act on auto-pilot when navigating emails. They take the time to scrutinize each message rather than quickly clicking through without considering the consequences.
- Intentionality: Actions are taken with purpose and intention. The individual deliberately chooses whether or not to engage with an email based on their assessment, rather than reacting impulsively.
- Responsiveness: Instead of reactively clicking on links or attachments, a mindful person is responsive to training and best practices, using these tools as a guide for secure online behavior.
In essence, in the context of cybersecurity, mindfulness is the deliberate and attentive management of one’s interactions with digital communications, with the intention of preventing security breaches and maintaining informational integrity.
Our understanding begins with an interesting observation from Dr. Matthew Canham's anti-phishing research. A renowned researcher and ally of KnowBe4, he has delved deeply into what influences people's likelihood of clicking on phishing emails. During one particular study, a significant incidental discovery was made.
Dr. Canham differentiated between those who had never responded to a phishing attempt ("never clickers") and those who frequently did ("frequent clickers"). Each participant was asked to choose a "code word" for use in later anonymous interviews, allowing survey answers to be linked without compromising anonymity.
Surprisingly, all "never clickers" showed impeccable mindfulness in remembering their code word. In stark contrast, the "frequent clickers" consistently forgot theirs. This suggests that mindfulness, or the lack thereof, may contribute to the vulnerability seen in frequent clickers. Although this is an initial finding, its implications are profound enough to warrant further exploration.
Recognizing that mindfulness may be a factor allows us to develop targeted strategies. An initial step might be to increase the frequency of security-awareness training and simulations: monthly training is advisable for most users, but for those less mindful, a weekly reminder may reinforce their awareness and recognition.
For social engineering exercises, while diversity in themes usually benefits the workforce at large, for less mindful frequent clickers it might be beneficial to maintain a consistent theme until they demonstrate consistent recognition and reporting of phishing simulations. This focused approach can nurture their alertness and recognition and build their confidence. Once successful with one theme, they can be gradually introduced to new ones, reinforcing their focus and responsiveness.
It's also useful to directly engage frequent clickers about how they can become more mindful. Many are aware of their challenges and know what learning strategies are effective for them. Insight from their own experiences may illuminate how to tailor their training for better outcomes.
Furthermore, as frequent clickers begin to show progress, encourage them to participate in gamification functions, such as reporting suspicious emails, which reinforces their learning. Being acknowledged by peers is a powerful reinforcement tactic. When they are on par with or better than average, ask them to participate further and become a security champion. Teaching is a powerful way to internalize knowledge, and it could inspire and foster improvement amongst the broader group of frequent clickers.
Transitioning frequent clickers into never clickers is definitely a challenge. However, by increasing training frequency, limiting subject variability, customizing education to individual needs, and reinforcing behavior with gamification, we stand a better chance of success. These measures benefit not just the individuals, but also strengthen the organization's overall security culture.