Jason Thatcher

Professor

Faculty/Staff

PHISHING TESTS ARE NECESSARY. BUT THEY DON’T NEED TO BE EVIL.

In a digital article at Harvard Business Review, we identify strategies firms can use to win employee buy-in to phishing tests.

Although phishing tests can help protect users, questionable tactics can harm the relationship between a company and its employees. In a large-scale field experiment, we found evidence that phishing tests can indeed lead users to view cybersecurity as an agent of harm, which in turn evokes feelings of betrayal by the organization. Given that phishing tests routinely help cybersecurity professionals spot gaps in defenses and shore them up, how can organizations stop employees from regarding them as unfair, unethical, and unjust? Our research suggests that savvy managers employ the following three principles, which balance the need for cybersecurity with employee well-being: (1) test teams, not individuals; (2) don’t embarrass anyone; and (3) gamify the tests and reward participants.

The paper is co-authored with Ryan Wright (University of Virginia) and cites work by Dan Pienta (Baylor University).

Recommended citation: Wright, R., and Thatcher, J.B. (4/1/2020). “Phishing Tests are Necessary. But They Don’t Need to Be Evil.” Harvard Business Review.

URL: https://hbr.org/2021/04/phishing-tests-are-necessary-but-they-dont-need-to-be-evil?ab=hero-subleft-1

Contact Information

email: jason.thatcher@temple.edu

skype: jason.bennett.thatcher

Office Hours

By appointment from Monday through Friday.

I do not consistently respond to messages between 6 PM and 10 PM on weeknights or weekends.