Click on malware, Raise your hand

November 28, 2017

I see a ton of security awareness training. I give a ton of training. We teach that bad things happen when you click on links. “Here are examples of things you shouldn’t click on… So make sure not to click on them!”

And then people do.

We spend too much time thinking that hackers are these elite gurus of computer security that devise these spectacular hacks to get people to give them information. In fact, I would suggest they are more like world-class marketers who understand how to entice people to click on links.

If we accept that hackers are more like marketers, we start to understand that the odds of employees clicking on these links increase day by day. I’m sure a very good marketing hacker utilized Cyber Monday to promote an incredible deal on ransomware.

We scare employees into thinking they’ve failed when they click on a bad link.

And yet the one thing we really want them to do is tell us when they messed up.

Let’s end every security awareness training emphasizing that if you make a mistake — if you get caught in a marketing trap — you will be rewarded for raising your hand. It’s much better than quickly closing your browser, turning off your computer, and pretending it never happened.