I see a ton of security awareness training. I give a ton of training. We teach that bad things happen when you click on links. “Here are examples of things you shouldn’t click on… So make sure not to click on them!”
And then people do.
If we accept that hackers are more like marketers, we start to understand that the odds of employees clicking on these links increase day by day. I’m sure a very good marketing hacker used Cyber Monday to promote an incredible deal on ransomware.
We scare employees into thinking they’ve failed when they click on a bad link.
And yet the one thing we really want them to do is tell us when they messed up.
Let’s end every security awareness training emphasizing that if you make a mistake — if you get caught in a marketing trap — you will be rewarded for raising your hand. It’s much better than quickly closing your browser, turning off your computer, and pretending it never happened.