How do you make your security training more successful? Focus on employees who repeatedly fall for phishing emails.

Key Points:

  • The greatest risk to your company’s email security is probably posed by a small group of employees.
  • These “repeat clickers” should be targeted for special awareness training.
  • Here’s how to teach them better habits.

Security professionals constantly face tradeoffs in allocating the precious few resources they have. A case in point: 70% of recent survey respondents believe that employee behaviors such as clicking on malicious links are putting their company at risk. With such a wide attack surface, though, how can you realistically address the problem?

That’s where the Pareto Principle (aka 80/20 rule) comes in. Most of the risk of human error is created by a small percentage of employees. Recognizing this could help maximize the return on investment (ROI) of your security budget by focusing your security awareness training campaigns on those who need the most help.

Ask yourself: When you look at data from your simulated phishing campaigns, do you notice that some employees seem to repeatedly fail more of the training exercises than others? Do other employees consistently perform much better — identifying and reporting more of the bogus emails in training campaigns?

Analyzing Repeat Clickers for Email Security

In a recent analysis of 6,000 employees receiving simulated phishing emails, my colleagues and I found that about 6% of users were responsible for approximately 29% of the failures.[1] A failure in this case was defined as either clicking a link, downloading an attachment, or responding to the sender.

This group of users, known as “repeat clickers,” failed four or more training campaigns over an 18-month period. On average, these users fell for roughly one out of every two phishing attempts. From an attacker’s perspective that is a 50% success rate per target: if three repeat clickers are targeted independently, the chance that at least one of them falls for the lure is 1 - 0.5^3 = 0.875, or 87.5%. A small, identifiable group of users therefore gives an attacker near-certain odds.

Happily, we also discovered the repeat clicker’s organizational doppelganger, the “protective steward.” These users identified and reported four or more of the training phishing emails. They were far more prevalent (33% of all users) and accounted for 92% of the reports of training phishing emails.
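The analysis above is easy to reproduce against your own simulation platform’s export. The following Python script is an added example, not code from the study or from any vendor platform: it applies the article’s definitions (a failure is a click, an attachment download or a reply; a repeat clicker fails four or more campaigns inside an 18-month window; a protective steward reports four or more) to a small constructed data set, reports how concentrated the failures are, and computes the attacker’s odds against a group of repeat clickers. The record layout, the user names and the outcome labels are assumptions; map your platform’s export onto them.

```python
"""Find repeat clickers and protective stewards in simulated-phishing results
and measure how concentrated the failures are (the Pareto check).

Definitions follow the article: a failure is a click, an attachment download
or a reply; a repeat clicker fails four or more campaigns within 18 months;
a protective steward reports four or more. The sample data below is
constructed for illustration and is not from the study."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

FAILURE_OUTCOMES = {"clicked", "attachment", "replied"}
WINDOW_DAYS = 548          # roughly 18 months
THRESHOLD = 4              # campaigns failed (or reported) inside the window


@dataclass(frozen=True)
class Result:
    user: str
    campaign: str
    sent: date
    outcome: str           # clicked | attachment | replied | reported | ignored


def within_window(dates, window_days=WINDOW_DAYS, threshold=THRESHOLD):
    """True if at least `threshold` of the dates fall inside some span of
    `window_days` days. A sliding window avoids flagging someone whose four
    failures are spread over many years."""
    ordered = sorted(dates)
    for i, start in enumerate(ordered):
        inside = sum(1 for d in ordered[i:] if (d - start).days <= window_days)
        if inside >= threshold:
            return True
    return False


def classify(results, window_days=WINDOW_DAYS, threshold=THRESHOLD):
    """Return (repeat_clickers, protective_stewards) as sets of user names."""
    fails, reports = defaultdict(list), defaultdict(list)
    for r in results:
        if r.outcome in FAILURE_OUTCOMES:
            fails[r.user].append(r.sent)
        elif r.outcome == "reported":
            reports[r.user].append(r.sent)
    users = {r.user for r in results}
    repeat = {u for u in users if within_window(fails[u], window_days, threshold)}
    stewards = {u for u in users if within_window(reports[u], window_days, threshold)}
    return repeat, stewards


def failure_concentration(results, repeat_clickers):
    """Share of all failures that belong to repeat clickers."""
    failures = [r for r in results if r.outcome in FAILURE_OUTCOMES]
    if not failures:
        return 0.0
    return sum(r.user in repeat_clickers for r in failures) / len(failures)


def failure_rate(results, user):
    """Fraction of the campaigns sent to `user` that the user failed."""
    sent = [r for r in results if r.user == user]
    return sum(r.outcome in FAILURE_OUTCOMES for r in sent) / len(sent)


def p_at_least_one(p, k):
    """Attacker's chance that at least one of k independent targets, each
    failing with probability p, falls for a single lure."""
    return 1 - (1 - p) ** k


# Constructed sample: ten monthly campaigns, one character per campaign and
# user. c = clicked, a = attachment, p = replied, r = reported, i = ignored.
CAMPAIGNS = [date(2020, 1, 15) + timedelta(days=30 * i) for i in range(10)]
OUTCOME = {"c": "clicked", "a": "attachment", "p": "replied",
           "r": "reported", "i": "ignored"}
SAMPLE = {
    "alice": "ciaicpiici",   # 5 failures -> repeat clicker
    "bob":   "rrirrirrir",   # 7 reports  -> protective steward
    "carol": "iiiiiiiiii",   # never clicks, never reports
    "dave":  "iciiiiaiii",   # 2 failures
    "eve":   "irirriiiri",   # 4 reports  -> protective steward
    "frank": "iiiiiiiiic",   # 1 failure
}


def build_sample():
    return [Result(u, f"camp-{i:02d}", CAMPAIGNS[i], OUTCOME[ch])
            for u, s in SAMPLE.items() for i, ch in enumerate(s)]


def summarize(results):
    repeat, stewards = classify(results)
    return {
        "repeat_clickers": sorted(repeat),
        "protective_stewards": sorted(stewards),
        "failure_share_of_repeat_clickers": failure_concentration(results, repeat),
        "rates": {u: failure_rate(results, u) for u in sorted(repeat)},
    }


if __name__ == "__main__":
    for key, value in summarize(build_sample()).items():
        print(f"{key}: {value}")
    print("P(at least one of 3 repeat clickers falls):", p_at_least_one(0.5, 3))
```

On the constructed sample one user out of six is a repeat clicker yet owns five of the eight failures, which is the kind of skew the article reports. The sliding window matters: a user whose four failures are spread across several years is a different problem from one who fails four campaigns in a year and a half, and a lifetime count would lump them together.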

Dealing with Repeat Clickers

Dealing with repeat clickers is difficult and is rarely solved with a one-size-fits-all solution. According to the 80/20 principle, this small subset of users is going to require effort but should also create a disproportionate improvement to your overall email security posture.

Some organizations have a zero-tolerance policy that severely sanctions employees, shaming or terminating them if they fail more than a few campaigns. Other organizations take a more lenient security approach and allow these employees to continue to fail campaigns. Regardless of your organization’s approach, it is important to understand how repeat clickers handle emails.

The Habits of Email Clickers

Previous research found that both repeat clickers and “never clickers” dealt with their emails automatically through established habits, and neither group remembered the emails they opened or sent to trash.[2] Interviews that I have personally conducted with repeat clickers are consistent with these previous findings, in that repeat clickers do not recall seeing the training phishing emails.[3]

By delving deeper into habits like these, you can help convert repeat clickers instead of simply getting rid of them. Most users handle the email in their inbox by relying on “habit loops.” Habit loops consist of a trigger, a routine and feedback on whether the action led to a satisfactory outcome. Because repeat clickers likewise rely on habit, security teams need to evaluate these users’ habit loops to diagnose the point of failure.

Are repeat clickers failing to notice phishing cues? This indicates a failure of the trigger component. Are they failing to take appropriate action? This indicates a failure of their email handling routine. Are they failing to understand the significance or consequences of their actions? This is indicative of a feedback failure. Meeting individually with the worst offenders to learn where their habit loops are failing can be extremely helpful.

Reinforcing Triggers with Feedback

Users need to receive immediate feedback on their actions to create an association between cues and actions. Most phishing training platforms provide a landing page that explains to the user that this was a simulated phishing exercise and then shows the user which cues they should have noticed to detect that the email was a phish.

Sending difficult phishing emails to your users can be beneficial, but you may need to give repeat clickers “training wheels” by reducing the difficulty of emails until their performance improves. Then gradually increase the difficulty to match their improvement. It is critical for these users to receive immediate feedback when they fall for a training phish so that they learn to identify cues in suspicious messages. This feedback should include the message that was sent with highlighted cues that they could have used to detect the phish.

Instilling Routines with Practice

Generally speaking, one approach to training automatic responses in habit loops is to routinely practice action sequences. For example, a martial artist may practice a particular kick thousands of times to perfect it. The optimal phishing training frequency for your users will differ for every individual. However, repeat clickers will likely benefit from more frequent exposure to simulated phishing emails as a form of training.

Learn from Your Users

Some of my greatest insight into how and why people fall prey to phishing campaigns has come from speaking directly with users. If the approaches described above fall short, try scheduling one-on-one meetings with problem users as soon as possible after email failures.

This approach is time- and resource-intensive, but it can also be enlightening. I have personally learned some very interesting things from interviewing users. One example is the employee who preferred to forward “sketchy” emails from their personal email account to their work account because, they said, “the security at work is better than at home.”

The Bottom Line

Focusing on training employees who need it most should improve your email security ROI. Even a small improvement in a repeat clicker’s performance could disproportionately improve the overall security posture of your organization. While the techniques described in this article all focus on reducing the downside presented by repeat clickers, remember that it may also be possible to increase your upside by cultivating their doppelganger, the protective steward.

[1] “Phishing for Long Tails: Examining Organizational Repeat Clickers and Protective Stewards,” SAGE Journals.

[2] “Going Spear Phishing: Exploring Embedded Training and Awareness,” IEEE Security & Privacy.

[3] Figueroa, A., Hawkins, S. & Canham, M., “Characteristics of Repeat Clickers and Protective Stewards” (manuscript in preparation).
