It’s hard for us to remember irregular habits, like spotting threats. It’s much easier to remember procedures you do every day or even weekly.

This goes to why employees need more “safe, regular practice” at spotting threats:

The procedures we learn to do on a daily basis become automatic. These are the tasks of our jobs. We know them well.

Most of us can spot a routine “spam” message as we do our daily email. But when an attacker creates a believable pretext, they create an exception to our normal habit.

Unless we set aside specific time on a regular basis to do email or handle voicemails, each unexpected inquiry is an event that interrupts us from the task we were focusing on. This is when attackers create situations that “short circuit” our normal habits for detecting threats by using emotional triggers.

Security awareness paradox

It’s been a “super-fantastic” experience to see people learning and talking about security threats.

For just $325 USD, you can run a 6 week, automated program for gamified phishing awareness training and challenges.  (Limited time offer. Normally valued at $999 USD)

Use Promo Code: 6WEEKS

    I once heard a sales coach responding to a class attendee about why a certain line of questioning works. The student had commented that, “These questions are so obvious that the prospect will spot them and will shut down”. The coach then proceeded to ask a series of questions to the prospect that led him into a trap, which he absolutely was not able to spot. The rest of the class was laughing as they realized the trap and the student wasn’t spotting it himself.

    This is how effective social engineers work.

    Without practicing spotting the subtle techniques used by attackers in a safe environment, we have a hard time spotting a suspicious message.

    So, before you get frustrated with employees who fail to spot what looks like an obvious attack, put yourself in their shoes, with all their tasks and habits.

    If you don’t give employees a continuous program of exercising good cyber hygiene, in a way that builds their confidence, they will be susceptible to being tricked.


    Scott Wright is CEO of Click Armor, the gamified simulation platform that helps businesses avoid breaches by engaging employees to improve their proficiency in making decisions for cyber security risk and corporate compliance. He has over 20 years of cyber security coaching experience and was creator of the Honey Stick Project for Smartphones as a demonstration in measuring human vulnerabilities.