PHISHING TESTS ARE NECESSARY. BUT THEY DON’T NEED TO BE EVIL.
In a digital article at Harvard Business Review, we identify strategies firms can use to win employee buy-in to phishing tests.
Although phishing tests can help protect users, using questionable tactics has the potential to harm the relationship between a company and its employees. In a large-scale field experiment, we found evidence that phishing tests can indeed lead users to view cybersecurity as an agent of harm, which, in turn, evokes feelings of betrayal by the organization. Given that phishing tests routinely help cybersecurity professionals spot gaps in defenses and shore them up, how can organizations stop employees from regarding them as unfair, unethical, and unjust? Our research suggests that savvy managers employ the following three principles, which balance the need for cybersecurity with employee well-being: (1) test teams, not individuals; (2) don’t embarrass anyone; and (3) gamify the tests and reward participants.
The paper is co-authored with Ryan Wright (University of Virginia) and cites work by Dan Pienta (Baylor University).
Recommended citation: Wright, R., and Thatcher, J.B. (4/1/2020). “Phishing Tests are Necessary. But They Don’t Need to Be Evil.” Harvard Business Review.
URL: https://hbr.org/2021/04/phishing-tests-are-necessary-but-they-dont-need-to-be-evil?ab=hero-subleft-1