About This Episode
Podcast Episode 25
April 7, 2026 - 48 mins
Phishing has been one of the most reliable tools in an attacker’s arsenal for decades. Despite endless simulations, mandatory trainings and a growing set of tools, the problem hasn’t gone away. AI-driven targeting makes it smarter, faster and more personal. But the issue isn’t just the threat itself. It’s how we teach people to recognize and respond to it.
In this episode, we sit down with Craig Taylor, a 30-year cybersecurity veteran and co-founder of CyberHoot, to explore why traditional phishing exercises fail to change behavior and how shame-based or punitive approaches are undermining security culture. Craig explains how a multidisciplinary, psychology-backed approach can transform user engagement, reward good behavior and build real security resilience.
Whether you’re leading a security program, responsible for awareness training, or simply curious about how phishing has evolved in the age of AI, this conversation will change the way you think about user education.
Highlights:
- Why traditional phishing simulations often hurt security culture
- How AI is reshaping phishing attacks at scale
- The psychology behind behavior change and what most programs get wrong
- Why positive reinforcement works better than punishment
- How to build a learning-driven, user-friendly security culture
- Practical steps organizations can take to modernize phishing education
Craig Taylor is a seasoned cybersecurity leader with over 30 years of experience across web hosting, finance, manufacturing, and more. He is the co-founder of CyberHoot, a cyber literacy platform for small businesses and MSPs, and has served as a virtual CISO for more than 50 organizations.
CyberHoot Resources
- 20% Off CyberHoot for 1 year using code “Cyber Compliance and Beyond”
- Main Website: https://cyberhoot.com/
- Individual Registration (Free Personal Training for Life): https://cyberhoot.com/individuals/
- Businesses and Managed Service Providers: https://nest.cyberhoot.com/autopilot-signup/
- Newsletter Sign Up: https://cyberhoot.com/newsletters/
- Blog: https://cyberhoot.com/blog/
- Cybrary: https://cyberhoot.com/cybrary/
Episode Transcript
Cole French:
Are you rethinking how your organization approaches phishing training? Are you wondering whether traditional phishing exercises are actually changing behavior or just fatiguing your users? Curious how emerging AI-driven attacks are reshaping the threat landscape and what that means for your security program? Join us for today’s episode where we sit down with Craig Taylor to unpack the psychology behind phishing, why shame-based testing fails and how a multidisciplinary, reward-driven approach can transform user engagement and resilience.
Welcome to the Cyber Compliance & Beyond Podcast, a Kratos podcast that brings clarity to compliance, helping you leverage compliance as a tool to drive your business’s ability to compete in any market. I’m your host, Cole French. Kratos is a leading cybersecurity compliance advisory and assessment organization, providing services to both government and commercial clients across varying sectors, including defense, space, satellite, financial services, and healthcare. Now, let’s get to today’s episode and help you move cybersecurity forward.
We all know phishing is one of the most persistent and damaging threats organizations face. It’s been around for decades and despite new tools, new trainings, and an endless wave of simulations, the problem hasn’t gone away. In fact, it’s only become more sophisticated and more personal as attackers use AI to tailor messages, automate targeting, and operate at a scale we’ve never seen before. But the real challenge isn’t just detecting phishing, it’s rethinking how we teach people to recognize and respond to it. For years, organizations have relied on punitive simulations and shame-based training, hoping this would change behavior. Instead, it’s created fatigue, disengagement, and in some cases, even resentment towards security teams. If we want meaningful improvement, we need meaningful change, a culture where users aren’t tricked, they’re taught, where learning is encouraged, rewarded, and grounded in practical human-centered psychology, where training feels less like a gotcha and more like building a skill you actually want to use.
Joining us today is Craig Taylor. Craig is a 30-year veteran of cybersecurity. In 2014, he founded a cybersecurity training company, CyberHoot, to help small businesses and managed service providers learn cyber literacy. During his career, Craig has led cybersecurity organizations in the web hosting, finance, and manufacturing industries. Additionally, Craig leads a cybersecurity consultancy that has delivered virtual chief information security officer services to more than 50 companies of all sizes and across a multitude of industries. On a personal note, Craig is a Toastmaster, a Rotarian, and a fundraiser for cancer research. We hope you enjoy this episode.
Craig, I really appreciate you taking some time today to come on the Cyber Compliance & Beyond Podcast. And I know we’re going to get into an interesting topic, particularly around phishing, but also around how we conduct phishing and some of the psychology behind how we do it. So why don’t you just get us started with how you approach phishing, what you’ve seen work, what’s been successful, what maybe we could improve upon out there in the industry. I know that phishing is something very common. I think maybe eight to 10 years ago, I remember it was new, but now I feel like most organizations, at least that we work with, do it. All organizations are doing it now, or at least most organizations. So feel free to educate us on phishing.
Craig Taylor:
Sure. Thank you, Cole. It’s great to be here, and I appreciate the opportunity to bring this really existential threat anyone listening to this faces. I’ll try to provide some clarity and grounding to get us started. Phishing is defined as these fake messages. Well, they could be attack messages sent by hackers to our inboxes. And it’s been the number one way any mid-market and smaller company has been breached over the last 25 years. This isn’t a new threat. It’s a perennial threat that has evolved many different ways over the last 25 years. And it really remains today one of the largest ways companies are breached. And when you mentioned phishing over the last 10 years, you heard about it, you’re talking about companies and IT teams and MSPs and managed service providers sending fake messages to the inboxes of users to test them, to see if they can measure and identify and qualify a fake message sent by the good guys, by the IT team, to make sure people aren’t clicking on these things.
And that’s really been the norm for the last, say, 10, 15 years to try to combat this threat that we all face. But the unfortunate truth is it doesn’t work, right? There are many studies that have come out in the last three to five years that say, “Shaming and punishing employees for clicking on fake links doesn’t work.” If anything, it makes your IT team the enemy. It leads to disengaged or apathetic employees who give up and just forward everything to IT, but it just doesn’t change behaviors, right? We know this from a multidisciplinary approach, like my company, CyberHoot, is taking a scientific basis to help change behaviors and improve outcomes. And what I mean by multidisciplinary, if you think about psychology and you go back 75 years, B.F. Skinner said, “Rewarded behaviors are repeated.” He never said punished or shamed behaviors or punished behaviors are extinguished.
Cybersecurity has been on the wrong track for 20 years in this space, punishing employees. So there’s a real opportunity here for companies to reward the good behaviors we want to see more of, to create better solutions that gamify, and we can get into what that means, to bring employees back to the table to trying to learn how to spot and avoid this very common attack threat.
Cole French:
So before we get down into, I guess there’s two sides to phishing, right? There’s, can I detect it, right? As a human being, can I look at it and detect it? And things like that. And then there’s what you are alluding to as well, which is if someone clicks on it, or how do we as an organization handle that? So sticking to the first half of this, as far as what you see from a phishing exercise standpoint, right? So strictly the way in which we’re doing phishing exercises, taking out how we maybe handle the people that click on them, do you think phishing exercises are effective? Do you think even those could be done better or are we learning new things about how to construct phishing exercises to provide more value?
Craig Taylor:
Yeah, you’re absolutely right. You’re starting down the path of like, let’s reevaluate how we... Look, if the goal is to change the outcome so that the employees learn how to fish, think about that old saying, feed a person a fish today, you feed them for today, but teach them how to fish and you feed them for a lifetime. That needs to be applied to what we’re doing here because these mechanisms that you describe of sending a message, it doesn’t matter what a person does after. If we’re sending fake messages to the inboxes as the primary educational mechanism, we’re failing to teach people how to fish because shame and fear and punishment have no business in changing behaviors. What we need to do instead is alert our employees that you have an assignment, you have a phishing simulation to go through. It is not based on tricking the end user with a message to the inbox that if they click on, they’ve lost. They’ve failed the test. And then they have, in many cases, you talk about what the consequences of that are.
We can do even better. Cole, there is a place to send a fake message to the inbox of an employee. But think of it as a final exam in a semester long course on genetics. If you had your favorite teacher of all time, I want you all to close your eyes, think about the favorite class you took, high school, university, whatever. Did the teacher start off on day one and say, “Put your books away. We’re having the final exam today.” And everyone fails and then they feel like crap. They feel terrible because they don’t know the material, but that’s what they’re there for. They’re there to learn. How many people drop out of a course like that? If a teacher’s going to test me on the first day, screw it, I’m going to go somewhere else. I’m going to take a different class.
The reality is the best teachers that really got engagement and created lifelong learners in the world are the ones that gave little rewards and little encouragement for the student who got, “Hey, I’m really excited you’re all in this class today. We’re going to learn a lot of things over the course of the semester. There is a final exam. You’re going to have to prove that you’ve learned what we need to, but I believe all of you can do it. And here’s how we’re going to do it. We’re going to put some games in place. We’re going to have a leaderboard. We’re going to have all these fun things to make engagement feel like play, not like work.” I used to tell my friends, “I stopped working out years ago, but I play hockey four times a week.” The results are the same, but I’m playing and it hides the work effort that’s involved in the exercise. But if I have to go to the gym and work out and press iron up and down, oh my God, that’s like work. I just don’t want to do it.
So it’s all the psychology and the educational best practices in that multidisciplinary approach brought to phishing is to tell your staff, “Here’s an exercise. We’re going to walk you through an email from the sender. What do you look for in a sender? Well, hackers are really devious. They typosquat domain names. They’ll take an M in Microsoft or Amazon and turn it into an R and an N. And that is so important to learn because that’s called typosquatting. It’s a different domain name. Amazon and Microsoft don’t control those domain names. The hacker will have that domain name taken down on them in a week or two, but by that time they have compromised multiple companies and many, many individuals because it’s a subtle difference. And we want you to be aware of this.”
Then we move you through to another question. Does this subject have any kind of hallmark of an attack? It could have urgency. It could have an emotional appeal. These things are designed by hackers to get you to react. Someone cuts you off in traffic. If you react and throw your arm out the window, you’re not going to do something that is really appropriate because you’re reacting. But if you think, oh my goodness, maybe they’re going to the hospital down the street to deliver a baby. Well, then you’re fine. Let them go by. There’s all kinds of reasons for these behaviors and things happening in the world. And hackers know if you react to something and they get you to react with urgency, emotionality, a few other tricks, you’re more likely to click and make a mistake.
The subject line or the greeting is next. Now, the days 20 years ago, you’ll remember getting these mass-mailed phishing attacks that have generically addressed subject greetings. Dear Sir, valued customer, those sorts of things. It’s almost not existing anymore, especially in the day of AI where hackers have... There’s a FraudGPT out there. They point it at your social media account and it scrapes information about you and it says, “Oh, I know that Cole French really likes A, B, C, D, E, and F. So I’m going to send him five to 10 very specific spear phishing attacks that are designed to pique his curiosity and make him want to participate and maybe click the link to go visit the site because it’s specific in directly targeting you.” And AI does that automatically.
Cole French:
And at scale, right? It can send it to hundreds of thousands of people in one fell swoop. So we’re talking about not just the ability to be more targeted, more real, all that type of stuff, but also we can hit a ton of people all at one time.
Craig Taylor:
Yes. Yes, like never before. Just a side note, I was reading about a new attack vector on mobile phones. It’s an Android attack and it co-opts AI to basically take a screenshot of the phone because every Android phone has a different version and placement of buttons and clicks and spaces and all these things. And basically the hackers wrote a piece of malware that takes a screenshot, feeds it to AI and says, “I’m an instructor. Help me figure out the coordinates of clicking on this and that so that I can really dial in my students to how this application works.” And in real time, the malware’s overlaying on the iPhone, or sorry, on the Android phone, click boxes and things and manually having someone install a malicious app based on co-opting an AI to give the coordinates of where clicks should be. And then if you give permission to install that Android app, which isn’t from the Play Store, it’s from an unlicensed store, you have just compromised your phone.
And your phone is no different than your computer today. It has your password manager, it has your multifactor, it has your data. So it’s a really interesting attack. We just blogged about it today at CyberHoot.com/blog. So if you’re interested, go read it there. But AI is becoming so powerful as an attack vector against all of us. To your point, Cole, you’re absolutely right. It used to take hackers days and weeks to adjust their Android phone attacks. Now it’s done automatically at scale. Phishing is no different. Yeah.
Cole French:
And just to go back to what you were talking about a little bit at the beginning and just to second that, and we did a series on cyber crime. And I think as security professionals, practitioners, at least as somebody who’s worked in operations in a past life, we got tired of phishing. We got a lot of messages from people. It’s just one of those things that you combat so regularly. And I think there’s a fatigue that comes along with it, but I do think it’s important to remind folks that it is really one of the most consequential attack vectors still. So we know that credential harvesting, things like that, unauthorized access is one of the biggest problems. And what’s one of the biggest ways that attackers get unauthorized access? It’s through phishing and people giving credentials, and there’s still very sophisticated attacks that are perpetrated via phishing attacks. So I think as tired as some of us are in the security world of phishing and we feel like, oh, we’ve moved on to other things. Really we haven’t.
It’s the same problem only to what you were alluding to as well. Now, I think we’ve always seen it as an email problem, but there’s other types of phishing as well that can occur via text messages, other-
Craig Taylor:
Smishing.
Cole French:
... messaging. Yeah. Phishing is all across the board, still a very, very prevalent problem and it’s becoming much more sophisticated. So to pivot, I guess, and I know you’ve talked a little bit about how we handle the phishing exercises and the follow-up with our users. So you talked through how we train our users a little bit. And if you want to go into more detail on that, feel free. But also, how would you say we should do these differently on the other side of these exercises, right? The psychology component.
Craig Taylor:
Right. Well, you mentioned something really important there. We’ve gotten tired and beaten down by phish testing our employees. And you’re quite right. If you do it with a shame and punishment approach where you measure the output of failed clicks where employees click on things and they fail, they get assigned videos. There was a study I can quote not too long ago, Dark Reading covered this. It was from the Black Hat Briefings in 2025. They said the biggest finding is that these standard out of the box industry trainings are not efficacious in preventing users from clicking on emails in the future. And that gets to the fact that fake email messaging doesn’t train anyone. It doesn’t provide education. It’s a measurement. It’s a final exam to go back to my first point. And that’s the only place it belongs in the IT toolbox is to measure what you’ve trained them and taught them in other ways.
So the simulation that we were talking through basically is not a fake message. It’s not a message to the inbox that measures whether Cole’s going to click on something or not. It’s an assignment and a simulation in the browser. And the user gets walked through all these different components. There’s about seven different things you can measure them on and teach people what to look out for. And once they finish that, what’s the outcome on the other side? How do you encourage engagement in an apathetic employee base? People are tired of getting these fake messages, and rightfully so, because just like in dog training, Cole, if you shock a dog every time it makes a mistake at the dog park and you’re trying to teach it something, it’s going to stop going to the dog park. It’s going to drag its feet and it’s going to say, “No, no, I don’t want to go.”
But if you change it to a treat or a reward basis where you give treats for a dog that’s motivated by treats... I once had a dog that didn’t care about food, it was so hard to train because you couldn’t... The positive reinforcement only worked so much, but a dog that loves food and treats will go to that dog park. He’ll bring you the leash. “Let’s go. Let’s go to the dog park.” Because you’re rewarding it with something that is very meaningful to that dog. Well, that’s what you have to do with your phishing simulation program by gamifying it, by creating leaderboards and streaks for how many times you completed your assignment on time and giving the employee certificates of completion that have a dual purpose. Here’s 15 minutes towards your ongoing CEC requirement, your continuing education credit requirement for your law program or your accounting or your whatever industry you’re in.
Most are recognizing cyber literacy training, cybersecurity training as valid continuing education credits, so you get a dual purpose. We went into one company where they were printing out these certificates on their cubicle walls as a competition with one another, and the culture there was amazing. So what I’m trying to get at is that if you reward with small rewards and you gamify the training that you deliver, you get past that apathy and people begin to realize, you know what? Hey, my IT team is not tricking me anymore. They’re empowering me. And what I learned today at work, I can apply to my personal inbox at home. And I’m not going to fall for that overpayment scam for something I sold on marketplace and refund $100 because I got paid 200 for my $100 item.
All these different security learnings that my IT team can bring to me creates engagement, creates value, puts the IT team back in the place it was always meant to be of empowering employees to do their jobs quickly, efficiently, confidently, instead of being the adversary who sends me a nasty email around Christmastime, “Here’s your Christmas bonus. The dress code is changing. Your benefits are now at this website. Click here to log in and confirm.” All these things are really dastardly in devious ways that hackers will hack us, but your IT team shouldn’t be sending that. They should be teaching you the hallmarks and the skillset of identifying when that happens so you’re empowered to know how to phish.
Cole French:
So then to the gamify thing that you talked about. So are you suggesting that you don’t do the... Well, so you said phishing simulation would be like the final exam. So you’re training folks in the interim period, I suppose. And you mentioned the gamifying and people getting rewarded as part of this process. So is this like they’re rewarded in these training exercises where they’re able to spot phishing or identify elements of phishing?
Craig Taylor:
Yes, exactly.
Cole French:
Or if you could just explain how that works.
Craig Taylor:
So in our company, we’ve built it so that you get points. When you complete a phishing simulation where you correctly identify, yeah, that was a typosquatted domain name. And the subject had some urgency and the greeting was generic and the emotional, the language quality was suspect. And there was a strange attachment that had a .js (JavaScript) extension on it. When you learn how to spot these things and you create muscle memory in these 30 second exercises once a month, you get points. And those points go towards an avatar. That avatar grows in severity. You see one over my shoulder here. For those that can’t see, I have a wise owl sage level six over my shoulder. You get to that level after performing well on your assignments, both on time... In school, right? You got points deducted if you were late doing your assignments. We deduct points towards your avatar when you do it after the period of assignment window, two weeks, which is plenty of time to do a 30-second HootPhish phishing simulation or watch a video and answer a quiz.
We do all these things to gamify it and to give you points and to give you the certificates of completion. And by the way, one of the best modifications we’ve made to our platform in the last, say, year, two things we did. We added streaks and we added a leaderboard. The weirdest part of that leaderboard addition, it’s an anonymous one. We don’t show every employee where everyone else sits. We only show you your own score. So Cole, let’s say you’re a CEO of a company. You rarely see CEOs and CFOs and CTOs doing their phishing assignments and doing their videos because they’re so busy and they don’t think it applies to them. And they’re so smart, they just will never fall for it. But that’s what happens, right?
But the moment you show those three groups, those C-suites, that they’re at dead last on the leaderboard, that competitiveness kicks in and they start doing their assignments because they don’t want to be dead last. What if someone finds out, I’m the leader of this company. It puts it in perspective. So that was a really interesting side effect. Streaks are, if you do your assignment on time, you get a streak, and at some point you get a benefit for that streak. You get special notifications and value in your avatar that grows over time. The point of all this is if you make it play, people don’t mind doing it and they engage. Remember my analogy of playing hockey? I am very physically fit. I wouldn’t be if I had to work out all the time to get there. Okay?
So we’re trying to remove the, “Oh, I got to watch another 45-minute video.” Every one of our videos at our company is five minutes or less. Most of them are two minutes. Attention spans are getting shorter and shorter, Cole, because of the little serotonin device in our hands. It creates a lack of attention span. So the videos have to stay short, they have to be entertaining, and they have to be really very specific on a particular topic. So we do all those things to try and keep the attentions, to give you points in a game to get you to complete your assignments. And that whole... If you take a look at it, take a step back, the gestalt, that’s an old psychology term I learned many, many years ago, but the overall environment is one of empowerment and positivity, positive reinforcement of the good behaviors we want to see more of.
And that creates this infectious feeling like, “Oh, did you do your hoots?” It’s almost a verb now in some companies, “Do your hoots, get your hoots done.” And it makes it so that it’s no longer work, it’s play, but the results, the outcomes are amazing.
Cole French:
Yeah. Just to pull the thread on one of the things you mentioned is the C-suite, I guess, or upper management, upper leader, whatever you want to call it, there is, I think, sometimes this belief, false belief that, oh, I’m not going to be a target, I’m so busy, all that kind of stuff. But the reality is what we talked about earlier with AI and with just all of this information is out there. It’s not that hard to figure out who is in the C-suite at a particular organization, especially if you leverage AI tools, it’s not that difficult to figure out. And we know, our attackers know that that’s the high value asset, for lack of a better term, within an organization. If I can-
Craig Taylor:
100%.
Cole French:
Yeah. Because typically they either have access to all of the knowledge or even in some cases they have privileged access from an IT standpoint. So if I can compromise them, then I could potentially get keys to the kingdom, as we would say, just as an example. So I think there is a false belief that as I rise within an organization, some of the risk associated with a phishing attack becomes less, but actually the risk becomes greater and greater, I think, as you get higher and higher in the organization.
Craig Taylor:
Let me tell you a story. This is a real incident that happened last year that we were pulled into. We provide, at my company, CyberHoot, virtual CISO services as well, so a chief information security officer, and we get called in for incident response. And there was an incident where a CFO at a company had gotten a call from the CEO who was demanding a wire transfer. And the CEO is quite a demanding type. His personality was not one to mince words. Just matter of fact, “I need it done now.” And he would use a few expletives and things like that if anyone questioned it. Well, turns out the CEO had their email compromised and the attacker got to know the personality and the way the CEO talked to the CFO. So the phone call came in to the CFO and demanded this wire transfer for this project that everyone knew about and that the vendor was expecting payment on, and the CFO just didn’t question it because it was the CEO.
It sounded like the CEO. Yeah, maybe he was a little more curt than usual, but that wire transfer went to a bank account who knows where and the money was never returned. And it wasn’t a small amount. It was in the hundreds of thousands of dollars and it was an AI deepfake. This has happened, you can read about it in the news, you can Google it, you can ask AI, “Does this happen?” And today, 2026 will be the year of deepfakes happening. So we train in our videos and we train in our... Yeah, just in our videos, we talk about creating safe words. Any financial transaction, just ask for the safe word or you say, “Sure, John,” who’s the CEO of a company, “I’ll call you right back and I’ll confirm it at your known number.” One of those two things has to happen because wire transfers and wire fraud are going to grow exponentially this year as the power and the cost of these AI deepfakes improves and the frequency of these attacks occurs.
So if you take anything away from today’s call, just have a financial safe word, both personally with your family members and professionally at work so that anyone in a position of responsibility for financials knows nothing gets done over a phone call ever again, unless you call back, unless you have that safe word knowledge. This is happening. We were part of an investigation and that money was never returned. It was just gone.
Cole French:
So do you guys train?
Craig Taylor:
We have a video on that that basically says, “Listen, AI deepfakes occur. You’re going to get phone calls that say they’re from person X, but it’s person Y, hacker Y. And the only true way you can trust things these days is to call back on a known good number, not the one in the email, not the one on the phone call or not, don’t trust the person on the phone call or establish a safe word.” And we have videos on that. We have a video on all manner of financial crimes. So overpayment scams I mentioned already, not ransom, but romance scams, charity scams. You name it, hackers are coming up with novel ways to bilk you out of your money every single day, but it’s always based on social engineering.
You think you’re seeing X, but it’s really Y. And you need to develop this skepticism that says, “Nothing that happens online should be trusted because my connection to the internet is a connection to anyone, anywhere in the world. And there’s a lot of folks trying to steal our money, make our money.” You wouldn’t leave your front door open or unlocked at night or when you go on vacation. So you can’t do that on your online persona either.
Cole French:
I think an important thing you mentioned too with that is it isn’t just... I think a lot of times the tendency is to view phishing as something from the outside in, but one of the things that commonly occurs is it is the outside in, but it’s the outside looking like the inside to someone else on the inside. The CEO to CFO example you just mentioned, and I’ve been involved in incidents of a similar nature where people inside the organization received a message from someone else inside the organization that they knew, were familiar with, with a request that seemed reasonable based on what that person did and their role within the organization, and they fulfilled that request without asking any questions or doing any sort of verification or anything like that because hey, it’s John from... I know this would not be unreasonable for him to ask for something like this. Even though if you really broke it down and you went piece by piece with it, you could see that there’s maybe things that seemed a little bit off, but at the highest level, it seemed reasonable enough.
Craig Taylor:
Right. But again, if you boil it back to that simulated phishing exercise and the very first question is, “Is the sending domain correct?” You would see that that internal request from the CEO was off by one letter. It looked like it was your own domain, but there was an S on the end of the domain name, or there was a period in the wrong spot. Everything begins with inspecting that email request. Now, modern IT teams put on an external banner warning. This came from outside the organization. So why would my CEO be sending something from outside the organization? Doesn’t make sense. There are even more sophisticated things on some spam filters like C-suite impersonation protection, where if you get an email from Cole French at our company and that’s your CEO or anybody in a position of authority, it says, “Well, wait a minute, there’s another warning that gets popped up. This could be an impersonation attempt because Cole French is your CEO, but this came from outside, so it’s even more striking.”
Now, those are technical protections. They’re great. I don’t say you shouldn’t use them, but if you teach people to look at the domain name and do it carefully, it can become muscle memory. It can be a single rep on a pushup machine that you just have so much experience doing this, you look at the sender, oh, wrong, delete, done, move on. 10 seconds or less. And it doesn’t have to even be stressful anymore because you have the confidence that you know how to fish.
Cole French:
So that gets me to a question that’s been baking in my mind as we’ve been talking about this. So yeah, we want to teach people how to fish, but how do we measure whether people know how to fish? So you’ve talked about the gamify and all that. So that’s more like, I’m doing my tasks that are required and all of that kind of stuff, but how do we measure?
Craig Taylor:
Well, that’s where that attack phish does make sense. If you go through a semester of, I don’t know, let’s say genetics training at a university, you don’t get to finish the semester course without having a final exam to measure what you learned. So it does make sense to run an attack phish on a once a year, six month basis. Let me repeat that for any IT team that’s out there because they love to show how great they are at reducing click rates. The day they get involved in phishing, “We’re going to launch phishing.” And they get a 10, 20, 30% click rate because they devised a really devious phishing thing, but no one’s received training yet. So it’s basically, here’s our baseline. Well, that’s like asking your students in a new genetics class to take the final exam on day one. And if anyone has improvement by the final exam, look at how great a teacher I was.
We created this huge gap between what they started at and what they finished at, but the negative implication and the dysfunction that happens from testing on day one is just too, too great. It doesn’t work. So do a positive rewards gamification, positive reinforcement approach all semester long to ensure that everyone pays attention. Everyone participates. They climb the leaderboards. They get their assignments done. They become muscle memory. We call ours a HootPhish and it takes 10 seconds once you get clear and clarity on how phishing works. You just go click, click, click, click, click, click, done, submit 100%. I got my points, I get my leaderboard skills improving, and it becomes muscle memory. Then six months down the road, a year down the road, you run that fake email message. It shouldn’t be hard for most of your staff to pass that, even the devious ones because, well, there’s two things wrong with attack phishing today, Cole.
No, there’s 10 things wrong with attack phishing, but one of them is that you cannot impersonate the domain of the vendor you’re impersonating. In other words, I cannot do RNicrosoft.com in a phishing email from Microsoft about a password reset or enabling your MFA or what have you. It has to be accountresetsrus.com in that sending domain. That’s nowhere near what hackers do. So the dumbing down of the domain name is one of the biggest problems I have with AttackPhish. It’s not hard to identify these things when you’re being tested at a university level and then they send you a high school test on phishing, but you can’t do it other ways because one spam report and Microsoft lawyers contact CyberHoot and say, “You have to cease and desist pretending to be Microsoft because someone reported you a spam and we have to stop.” IRS has done it, Facebook has done it against our fake email phishing because we try to get just too close.
We try to straddle that line where Facebookresetsrus.com or whatever you... So the tests themselves are really bogus. And you know what the other dirty little secret is? If you never want to fall victim to a fake email phishing test again, there’s an X-header for every vendor on the market to get them through to your inbox that you can figure out by inspecting the first phishing email you look at and you say, “Oh, what’s the special X-header that gets it through?” Sort on that, filter on that, delete on that, and you never get another test failure. There’s even get-out-of-jail-free ways to set things up. I shouldn’t tell-
Cole French:
Those are all great points that you mentioned about the limitations. Yeah, I mean, the simulations, I think they’re a tool in the toolbox, I guess you could say. And I think the way in which you deploy them is important as to their usefulness, but I would agree with you completely that building the culture. And I thought the example that you mentioned going back to the CEO or the C-level folks in your organization, if they see, “Ooh, I’m down at the bottom of the leaderboard.” There’s some of that competitive thing that brings them to the top, but that’s like building culture and culture does... You want culture to start at the top. So you do need to find a way, especially with stuff like phishing where like we’ve talked about, I think there is, as you grow higher in an organization, those are things that get pushed to the side because you’re busy with a million other things, but you want your leaders to be part of setting that culture and setting that tone within your organization.
So I think to your point, yeah, what you guys are doing is a great way to get everybody up on the same level. And then it sounds like really the simulations are just a confirmation, if you will. And I’m curious, what are the rates that you see for the phishing exercises? People who go through what you guys are putting together on a regular basis, what are the click rates? What do they look like and what are they versus the industry norm?
Craig Taylor:
Yeah. Well, some of the statistics that we’ve tracked, we had one company measure this very carefully and their participation rate from the assignment-based videos, because that’s really a measurement you can track pretty easily, went from 25% to 90% within the company because of the gamification and the rewards that we gave, the certificates of completion, that sort of thing. So that’s one measurement. The reporting, here’s another way you can measure success is when people successfully report to IT a fake or a phishing email not sent by IT. In the browser, you can set up buttons that people report phish, report phish. And if they successfully report that, even for the ones that you didn’t send, then you have a measurement there of a tactical metric that you can report to leadership. “Hey, our report phishing rates, even though our technology is pretty good, we get a few through once in a while and they get reported.” And that’s a good thing. And the successful reports versus the, “I don’t know what this is. Is this a phish? Tell me what to do.” Those shouldn’t count.
On click rates, it’s really hard to get a measurement for us because we don’t manage the end user customers. It’s all done through MSPs and resellers and that sort of thing. But I have seen rates as low as one or 2% after all this training and testing goes by, but there’s nothing empirical. We have anecdotal evidence out the wazoo. We have three universities, fortunately, doing empirical research on our HootPhish exercises right now. One is on the gamification effects. The other is two universities cooperating to measure the affect and the effect of our gamified phishing simulation called HootPhish. We don’t have any results yet. We’re just going through clinical... It’s not clinical trials, but it’s like that because they’re going to get empirical research, but we want to put some empirical evidence behind this gamified approach.
And we know from psychology research and from educational best practices that it’s got to be better than the shame and punishment. If you think about incarcerated adults, there’s a big argument that’s very well supported that punishment for crimes isn’t a deterrent. All it is is making society better by taking people off the streets when they commit some criminal behavior, but it never plays into whether that behavior occurs or not. And what we also know on the flip side, if you’ve got a bunch of incarcerated adults and you teach them good behaviors, life skills, workforce engagement skills, their recidivism goes way down when they’re released. If you don’t do that, you just punish them, put them away for a few years, let them back out on the streets, they recidivize. What’s that tell you about cybersecurity? Punishment and shame doesn’t deter and teaching good behaviors and rewarding those can help for long-term behavior change, internalization. So that’s really all we’re doing.
Cole French:
So you mentioned the affect versus effect. So could you just explain the differences between those two as it relates to the gamification that you mentioned?
Craig Taylor:
It’s very important. And it’s a fancy way of saying, “How do people feel doing these exercises that don’t punish and don’t shame you, they actually encourage you and teach you how to fish?” And the affect is that people engage more. The apathy disappears. The culture becomes more of a, “Hey, did you hoot today? Did you do your thing today, your assignments? And what’s your leaderboard ranking?” And we actually have friends now who can compete with your teammates if you say, “Hey, let’s see our leaderboard rank and I’ll open myself up to you and you to me and we’ll compete together, make it a little bit more gamified and fun.” And so the engagement levels go way up, right? And then the outcomes is the effect. Can they identify that once a year or twice a year fake email message that we send? Are they reporting the few errant phishing emails that get through to IT who confirm it and let you know, “Great job, Cole. That was one that snuck by us, but you caught it. Well done.”
CyberHoot just introduced the report phish button where if it’s one that we sent and you report it with the button in the browser, it comes to us first. We say, “Oh, is this one of our own that we sent testing you?” And we give you more points, more benefit on your avatar and your ranking and all of that before sending it on to your IT team in case it’s not one of ours and they need to take action on it because it got through their filters. So every single possible way we can think of to create that positive affect so that people feel like it’s not work, it’s play is the affect. It gets better engagement, better learning, more, better... If you skip right to the end, it’s better outcomes, which is the effect. But along the way, the affect matters just as much as the effect, right?
Because so long we’ve said, “It doesn’t matter how people feel when we send fake emails, as long as they don’t click.” Not realizing it disengages them and they don’t really learn. I had a PhD person tell me, “I don’t look at any emails that I’m questioning. I forward it just to IT because I’ve been burned one too many times. They send these really devious things and I can’t be bothered with it because they’ve never taught me how to do this.” So they abdicated responsibility to send it everything all to IT. That is the worst possible outcome you can imagine because it’s not teaching them and that there’s no IT team for your home personal inbox.
Cole French:
That’s what I was just about to say is, I guess that can work in a work context, but security doesn’t stop at work. It just changes its context in every other aspect of your life.
Craig Taylor:
Yeah. And when you have a whole body of employees that don’t know how to fish, the ones that are, and this is most people, if they don’t know how to fish, they sweat for minutes at a time, individual emails. “My God, this doesn’t feel right. There’s something wrong with it, but I don’t know what it is and I don’t want to make a mistake. I don’t want to click, but I have to help this person because they’re really in a panic and they really need my help, but [inaudible 00:44:15]. Something feels wrong, I don’t know what to do.” And they sit there for three and four and five minutes. How inefficient versus, “Oh, my training said, ‘Go look at the sender.’ Oh, look at that. There’s an O for a zero or a zero for an O. Oh, delete. Okay, move on. No stress, no anxiety, on with my day. Next email.” When you get two or 300 emails a day, that can add up.
Cole French:
It does add up. Just looking at the time, just to pause here. Is there anything else you wanted to cover? Otherwise, I’ll wrap us up. I got a thing I’ll use to wrap up the conversation, but I did want to give you the opportunity if there’s anything else we didn’t cover that you wanted to cover.
Craig Taylor:
Well, if this is the appropriate time, I’ll say if you want to learn more about my company and how we try to make it fun and educational and non-punitive, email sales@CyberHoot.com or visit our website, CyberHoot.com, book a demo. We give every company a free 30-day trial. And if you sign up with the podcast name, Cyber Compliance & Beyond as the referral code, you’ll get 20% off your fees for the first year as a benefit to hearing it here with Cole French.
Cole French:
Well, Craig, I really appreciate that. And just to circle all this up, I guess, is I think we talk a lot on this podcast about how cybersecurity is first and foremost a people thing. We like to think of it as a technology thing and we love all the shiny tools and we love all the... We’ve even talked about some of those technical protections that you can put in place. Those are all good things, you should do them. But the bottom line is that they’re only as good as the people using them and informing them. And I think we’ve talked a lot about that here today, learning about phishing, not just conceptually, but how to actually look at these emails, break them down, see what the components are, and take the emotion out of it, so to speak, but also build the culture through gamification and just looking at it through a different lens, taking a different approach.
And I think it’s important to really highlight and to remind folks as we do often hear that cybersecurity is first and foremost a people problem. And phishing is just another example of how we need to build this culture of security within our organizations and how we do it is really important.
Craig Taylor:
Yes. You summarized perfectly, Cole. That’s exactly right. Focus on the outcomes. And if you use a multidisciplinary approach by looking at psychology, education, heck, even the legal and criminal system, you learn a lot about what works at changing behaviors in the long run. And if you apply that to cybersecurity, maybe, just maybe we can change the focus and the course correct cybersecurity as a whole away from punishment and shame and over towards good behavior reinforcement because it works in parenting. I didn’t even get into that one, but it works in parenting, dog training, incarcerated adults. Everywhere else you look, they’ve learned that lesson. Cybersecurity is a little bit behind. It’s an emerging field. It needs to come out of the dark ages and into the 21st century.
Cole French:
Well, Craig, again, I appreciate you coming on. Appreciate you sharing your perspective on this important topic. And it was great chatting with you this afternoon.
Craig Taylor:
Cole, it was my absolute pleasure. Thank you.
Cole French:
Thank you for joining us on the Cyber Compliance & Beyond Podcast. We want to hear from you. What unanswered questions would you like us to tackle? Is there a topic you’d like us to discuss or you just have some feedback for us? Let us know on LinkedIn and Twitter at Kratos Defense or by email at ccbeyond@kratosdefense.com. We hope you’ll join us again for our next episode and until then, keep building security into the fabric of what you do.