
Uncovering the Root Causes of Phishing Susceptibility

Ideally you will organize 1:1 talks with the users, but if that is not an option, this workshop is a good alternative.

A 45-minute workshop or 1:1 conversation focused on understanding the root causes of phishing susceptibility among employees who have repeatedly clicked on, or submitted data to, phishing training emails.

It’s important to analyze the psychological and environmental factors behind employee performance and engagement. By applying these insights, we can focus on creating a safe, interactive environment that uncovers why users miss phishing signs rather than just what they miss. This builds empathy, understanding, and better targeted support.

Workshop Agenda: "Uncovering the Root Causes of Phishing Susceptibility"

Objective: Equip admins with insights into the underlying reasons employees struggle with detecting phishing, empowering them to create more effective training and support systems.

Workshop Outline

1. Introduction (5 minutes)

Objective: Set the tone, define phishing and its risks, and emphasize a nonjudgmental space.

Activity:

  • Briefly introduce phishing statistics relevant to the organization, and explain that participants are here because they have clicked or submitted data more than once in phishing training activities.
  • State the objective: "We're here to understand what makes phishing challenging to recognize, not to judge anyone's performance."
  • Discussion: Ask participants what their initial thoughts are about phishing awareness in the organization.

2. Interactive Phishing Scenario (10 minutes)

Objective: Explore firsthand why users often struggle to detect phishing.

Activity:

  • Present two to three sample phishing training emails (e.g., use the ones that the participants have clicked on or submitted data to).
  • Ask users to review them for 1-2 minutes and identify potential red flags.
  • Discussion: Facilitate a discussion on:
    • What elements were misleading or convincing?
    • How did they decide if something was suspicious?

Outcome: This reveals the cognitive patterns and biases that make phishing difficult to detect.

3. Root Cause Analysis: Discussion and Reflection (10 minutes)

Objective: Delve into the why behind the difficulty, exploring factors like stress, time pressure, and familiarity.

Activity:

  • Break attendees into small groups, giving each group a set of potential "root causes" (see list below).
  • Ask each group to discuss and rank them in terms of what they think affects their organization most.

Potential Root Causes to Consider:

  1. Time pressure or stress: Rushing through tasks can lead to oversight. When users are stressed, they are more likely to fall for phishing due to reduced focus. Some users may be overconfident, thinking they’re unlikely to be phished.
  2. Motivation or culture: They know that it’s just training. Some users may not take the training seriously anymore and thus distort the results by clicking or submitting data for “fun”.
  3. Skill or awareness: Some users may not know what phishing actually looks like, even if they’ve been through training. People are more trusting of emails that seem to come from known contacts or systems.

Discussion: Each group briefly shares their top-ranking causes and why they believe these are the biggest factors.

4. Root Cause Solutions Brainstorm (5 minutes)

Objective: Identify actionable steps for addressing root causes within training programs.

Activity:

  • Participants brainstorm one or two solutions per root cause identified in Section 3. Encourage simple, actionable ideas that focus on addressing user pain points.
  • Then ask participants what it would take for them to make this change, e.g. “I don’t take this seriously, and if I should, I would need to be told so by my manager. Therefore, I need my manager to tell me to spend time doing this.”