Forcing employees to take security training after they fail a phishing test actually makes them more likely to get hacked later.
March 19, 2026
Original Paper
Research Note - Breaking Bad Email Habits: Bounding the Impact of Simulated Phishing Campaigns
SSRN · 6343920
The Takeaway
We usually assume that 'teachable moments' help people learn from their mistakes. However, in a consequence-free environment, this training can actually 'embolden' employees, making them feel overconfident and more willing to gamble on suspicious emails because they've been desensitized to the risk.
From the abstract
Simulated phishing campaigns are among the most widely deployed tools for reducing organizational cyber risk. Yet the behavioral data these campaigns produce have an underappreciated structural feature and a resulting complication: because training is triggered by clicking, the very employees who receive intervention are those Teachable-moment design features also matter: emotion or heuristic framing and explicit reporting pitch can largely eliminate persistence, while annotated-email cues modes
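The structural feature the abstract points to, worked through as an added example that is not the paper's code or data: training is handed only to employees who clicked, so the trained group is selected for high click propensity. The population below is constructed for illustration, and the "naive" comparison it evaluates (wave-2 click rate of trained versus untrained staff) is an assumed evaluation design, not one the note prescribes.

```python
from typing import List, Tuple

# Constructed workforce: (wave-1 click propensity, share of employees).
# Illustrative values only; nothing here comes from the paper's data.
POPULATION: List[Tuple[float, float]] = [
    (0.05, 0.60),  # cautious majority
    (0.20, 0.30),  # occasionally fooled
    (0.50, 0.10),  # highly susceptible
]


def group_rates(population: List[Tuple[float, float]],
                true_effect: float) -> Tuple[float, float]:
    """Expected wave-2 click rates for the trained and untrained groups.

    Training is assigned exactly as in a click-triggered campaign: only
    wave-1 clickers receive it. `true_effect` is the fraction by which
    training genuinely lowers a trained employee's propensity (0 = none).
    Rates are computed exactly over the population, so no random draws.
    """
    trained_mass = trained_clicks = 0.0
    untrained_mass = untrained_clicks = 0.0
    for p, share in population:
        trained_mass += share * p                 # clicked wave 1 -> trained
        trained_clicks += share * p * p * (1 - true_effect)
        untrained_mass += share * (1 - p)         # did not click -> untrained
        untrained_clicks += share * (1 - p) * p   # propensity unchanged
    return trained_clicks / trained_mass, untrained_clicks / untrained_mass


def naive_difference(population: List[Tuple[float, float]],
                     true_effect: float) -> float:
    """Trained minus untrained wave-2 rate: what a naive comparison reports."""
    trained, untrained = group_rates(population, true_effect)
    return trained - untrained


def break_even_effect(population: List[Tuple[float, float]]) -> float:
    """Smallest true reduction at which the trained group merely ties the
    untrained group; anything below it makes training look harmful."""
    trained0, untrained0 = group_rates(population, 0.0)
    return 1 - untrained0 / trained0


if __name__ == "__main__":
    print("naive gap with zero true effect:", naive_difference(POPULATION, 0.0))
    print("reduction needed just to break even:", break_even_effect(POPULATION))
```

With a training effect of exactly zero, the trained group still re-clicks at 27.5% against 11.8% for the untrained group, purely because of who was selected into training; the check that matters is whether a design separates that selection from any real effect.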