In a recent Wall Street Journal article titled “Phishing Tests, the Bane of Work Life, Are Getting Meaner,” writer Robert McMillan explores a common critique of security awareness training (SAT): that traditional SAT methods may do more harm than good. He argues they foster an adversarial relationship between employees and IT departments, and mentions that studies show these programs aren’t effective. But do these claims reflect the whole picture?
The reality is that the efficacy of security training is much more nuanced. It’s absolutely true that some SAT programs are a complete waste of time. It’s also true that some organizations treat training as a check-boxing exercise, or, even worse, punishment. This creates a culture in which employees aren’t engaged or simply ignore it.
But the opposite is also true. If done well, and approached with a growth mindset, security awareness training can be a powerfully transformational force in creating a culture of security and galvanizing the workforce to defend the organization from cyberattacks.
Let’s explore how some SAT programs fall short, and how a different approach shows that an impactful SAT program isn’t just possible, but necessary.
The criticisms against SAT often stem from programs that rely on outdated, traditional practices like long-form annual training and phishing tests that aim to trick rather than educate. Let's break down some common criticisms:
While these criticisms are valid for some implementations, they ignore the second half of the equation—what happens when SAT is done right?
To understand the ineffectiveness of many SAT programs, we need to analyze their potential pitfalls:
So we’ve discussed how traditional SAT programs can fall short. But how can you build a security awareness training program that goes beyond basic checklists and turns adversarial phishing tests into learning opportunities? How can you build a positive security awareness culture that actually improves your security posture? Here’s where you can start:
Annual training is outdated. Employees face cybersecurity risks constantly, so education should occur frequently. Short, digestible training sessions delivered regularly (think monthly) help employees learn without feeling overwhelmed. A 10-minute monthly session has enough substance to facilitate true learning, gives people enough material to spark organic conversations among coworkers, and fits more easily into their schedules. It also allows a wide range of topics to be covered while they’re most relevant. Repetition over time reinforces knowledge and boosts retention.
Effective SAT mirrors the sophisticated nature of real-world threats. For example, phishing simulations should use believable and relevant attacks that mimic the threats currently making their way to employee inboxes. This realism gives employees hands-on experience with emerging tradecraft, so they’re ready for the real thing.
Gone are the days of boring slide decks or low-budget, poorly acted videos that go in one ear and out the other. Instead, story-based learning makes complex topics more approachable, engaging employees with characters and scenarios that resonate. An SAT program that gives learners a concrete mental image of their adversary (like a character from the stories) instead of referring to vague or abstract “threat actors” is far more effective at holding their attention and carrying the lesson into real-world behavior.
Training content should be substantive enough to impart real learning while short enough to respect employees’ time. Practical lessons like recognizing deceptive subject lines, verifying sender identities, and spotting fake links, all paired with threats most prevalent today, should take priority.
One-size-fits-all remedies don’t work when it comes to SAT. Employees who engage with phishing simulations should receive constructive, personalized follow-up that reviews the specific tactics used in the attack and prompts them to consider why they clicked. This creates an immediate learning opportunity that instills confidence instead of shame.
Frequent simulated phishing campaigns can be beneficial in many ways when done right. First, they keep learners on their toes. When they know they could receive a phishing email at any moment—whether it’s a simulation or the real thing—they’ll be more likely to check twice before clicking a link. Second, they expose learners to the emerging tradecraft that hackers might use against them. Third, they help admins understand the organization’s risk level, which learners pose more risk, and where coaching can up-level learners to lower that risk. The focus needs to be on educating users, not “gotcha” tests. And that’s where fostering a positive security culture comes in.
Empower employees to take pride in the critical role they play in cybersecurity. Celebrate reported phishing attempts and reward employees for flagging suspicious activity through activities like gamification, underlining the positive impact of their vigilance, and coach those who may be struggling. Encourage an open dialogue about security awareness in the office (or Slack for the remote folks). Ensure everyone is up to speed and aligned with your security awareness policies and best practices. When employees feel part of a team working toward shared security goals, they’re more likely to engage.
With Huntress Managed Security Awareness Training, you’ll get an SAT solution that’s purpose-built to engage your learners and prepare them for today's threats. Put simply, it can drive real security outcomes for your organization.
It’s easy to dismiss SAT as ineffective when it’s improperly implemented, like the programs mentioned in the WSJ article. And it’s because of those old, ineffective programs that SAT has gotten such a bad reputation.
But such a blanket dismissal ignores the potential of well-crafted, modernized SAT programs. By adapting training to reflect real scenarios, providing ongoing learning opportunities, and encouraging employees to be active participants, SAT programs can, and do, make a business more secure.
Want to create meaningful change for your organization? Start your free trial of Managed SAT today.
Reference:
McMillan, Robert. “Phishing Tests, the Bane of Work Life, Are Getting Meaner.” WSJ, Feb. 7, 2025.