Stop Pointing Fingers: Let the Phishing Threat Drive Learning in Your Organization

How leaders can make sure phishing tests strengthen security culture rather than weaken it with shaming and finger-pointing. Effective phishing training is about creating reflection, not fear.

Imagine an employee falling for a convincing phishing email. One click – and suddenly hackers may have a way into your organization.

What do you do now?

Do you point fingers and maybe issue an official warning, or do you use the incident as a learning opportunity?

Many organizations now run phishing simulations to train employees to spot fake emails. But approaches vary: in some places it ends up as a “gotcha” exercise, where slip-ups trigger shame and punishment, while elsewhere it becomes a safe space where people grow wiser together.

Phishing: people are the biggest security gap

Verizon's annual Data Breach Investigations Report (DBIR) documents that 82% of all security breaches involve the human factor – often in the form of social engineering attacks like phishing. In fact, phishing is the most widespread technique when hackers target people directly. In other words: for attackers, it's often easier to trick an employee into opening the door than to break it down with technical means.

The consequence is that employees across the entire organization – from reception to leadership – must be equipped to recognize and resist these attacks. Regulators and standards bodies have caught on too. The EU's NIS2 directive, for example, requires all employees in essential organizations to be continuously trained in cybersecurity and to know good practices. Phishing training is therefore not just “nice to have”, but a necessary tool in the toolbox of modern security leadership.

Shaming backfires

When employees click a fake email in a test, it can be tempting to let frustration run free. Unfortunately, we see examples of organizations that handle it by shaming or punishing those who fall for it. One study found that 42% of organizations have issued disciplinary warnings to employees after security incidents – and anecdotes abound about “creative” punishments. In one case, a manager even sent an email to the entire company naming the employee who had fallen for a phishing email, as a cautionary example.

The problem with shaming and punishment is that no one learns from being humiliated. Research suggests that a blame culture can hit the organization like a boomerang: employees who feel they've been made scapegoats become defensive and lose trust. Fear of repercussions can, in the worst case, lead people to hide or fail to report security incidents – exactly the opposite of what we want.

A security culture around phishing – not fear

Fortunately, employees respond far more positively when leadership chooses learning over scolding or finger-pointing. In Karen Renaud's study, employees described how understanding from their boss after a security mistake made them eager to make it right and avoid repeats. No one was singled out; instead, they were helped to mitigate the consequences and learn from the mistake.

The result was a stronger relationship between employer and employee – and a person motivated to do better going forward. This approach – some call it a “no-blame culture” – is worth its weight in gold for security. When people dare to admit mistakes and share near-misses, you as leadership get the information you need to respond quickly to threats. The culture becomes defined by openness and continuous improvement.

And the effect spreads like ripples in water. It doesn't only create better IT security – it also strengthens the general culture in the organization. A safe, trust-based approach to learning means people dare to raise their hands, ask questions and speak up when something feels wrong – in every area. And it means people back each other up rather than point fingers. When an employee dares to admit a mistake – and is met with curiosity instead of shame – it becomes easier for others to do the same. That kind of culture pays off in the long run. Not just for security, but for well-being, collaboration and a sense of responsibility.

How to use phishing tests as a learning tool

Phishing simulations can be an effective weapon against cyber threats – if used correctly. Here are four concrete recommendations for turning them into a learning opportunity instead of a punishment:

1. Make it realistic – and unannounced. Phishing attacks come unannounced, and so should the training. Test different types of attacks and don't oversimplify them.

2. Give quick, constructive feedback. When an employee clicks, they should get help – not a scolding. That can be a friendly explanation or a short learning video.

3. Recognize the right behaviour. Reward those who spot and report attempts. Run small contests, use badges or simply give recognition – it works.

4. Leadership leads the way. Make it clear that the purpose is learning, and let leaders also take part and share their own mistakes. It creates safety and trust.

Phishing simulations should be seen as a learning space, not an exam. That's why they work best when you run them as a fixed part of how your organization operates, something everyone is expected to take part in continuously.

References:

  • ENISA, European Union Agency for Cybersecurity (2023).
  • Verizon (2022). Data Breach Investigations Report.
  • Renaud, Karen. Wall Street Journal.
  • CREST (2021).
  • NIST (2022). Special Publication 800-53, Rev. 5.
  • Nordic Cyber Group (2023).