For most people, phishing scams are not high on the list of potential sources of comedy, although there are plenty of examples of blundering scammers and inept cybercriminals who got their due.
When it comes to phishing awareness training for organizations, however, humor can be a powerful tool for maintaining compliance. Considering the alarming number of employees who admit to falling for phishing scams even after training, plenty of organizations are ready to change their security training approach.
Humor is an effective motivator in the workplace. It is persuasive, promotes listening, and reduces stress – the exact opposite of your average enterprise-level infosec training session. Incorporating humor can boost employee engagement and change behavior in a way that statistics-based scare tactics rarely do, because people remember what made them laugh long after they have forgotten a breach-cost figure.
IT managers who use humor during cybersecurity training can reach users who have tuned out. The right dose of comedy cuts through the boredom and stress that accompany long, drawn-out, jargon-heavy cybersecurity sessions.
How to Make Phishing Prevention Training Funny
The first question you might ask is whether phishing can be funny at all. When it comes to the professional scams run by dangerous and sophisticated cybercriminals, you might think not. But is there any comedy gold hiding in the inane ramblings of Nigerian princes and phony tax agents?
The answer is an emphatic and resounding yes.
For proof, look no further than the work of comedian James Veitch, whose popular TED Talk details his conversations with multiple email scammers.
Email phishing scams are something that almost everyone who has ever used a computer is familiar with. How convincing a lure is tracks closely with how dangerous it is: a well-researched message that mimics a real vendor or a real colleague is serious business, while a garbled plea from a stranded royal is mostly harmless (and funny). Keep in mind that the funny ones still catch people occasionally, which is exactly why they keep getting sent.
There are a few ways that Veitch’s material can inspire IT managers to improve employee engagement when talking about phishing prevention. Try incorporating the following tactics into your training repertoire:
1. Start Phishing Simulation Training
One of the most popular ways organizations raise phishing awareness and improve cybersecurity is by running simulated phishing attacks. These simulations are effective and have been reported to yield returns on investment of up to 37 percent for organizations that perform them.
Simulations are one of the best places to insert humor into infosec training. It's not uncommon to feel embarrassed after clicking on a phishing simulation. Humor reduces the gravity of that realization and helps employees come to terms with the idea that it can happen to anyone.
Using humor that draws on collective experiences and office in-jokes can help defuse embarrassment. Encourage employees to invent creative characters, make unreasonable demands, and get silly with phishing simulation texts. Just don't let every simulation be a joke: mix the silly lures with realistic ones that copy the tone of your actual vendors and internal systems, because those are the ones that measure real exposure. The underlying lesson of the exercise, that anyone can be fooled and the right response is to report it, will carry over into their day-to-day work.
2. Encourage Participation and Friendly Competition
Phishing simulations should not be something that only the IT security team runs and everyone else simply receives. That one-directional model creates an atmosphere of paranoia that can get in the way of day-to-day productivity.
Instead, employees should participate in phishing simulations. You must set limits on just how much time and energy employees can spend crafting devious emails for this purpose, and their submissions should be sent through the sanctioned simulation program rather than as real spoofed mail to colleagues, so that nothing trips your mail filters or crosses the line into an actual policy violation. Done right, you'll have an endless supply of phishing examples that get better and better over time.
Instead of making your coworkers feel like their IT manager is targeting them, invite them to try to trick you. By setting yourself up as the fall guy, you ease any potential negative reactions that would result from setting someone else up.
3. Characterize Your Hackers
One of the scariest things about cybercrime is the level of anonymity that cybercriminals enjoy.
An intelligent professional hacker can effectively remain invisible while doing damage that costs organizations millions of dollars.
It is natural to feel intimidated by an unknown individual who wields that kind of power from an unknown place, by unknown means.
Humor is an effective way to turn frightening situations into manageable ones. A common view among psychologists is that humor developed as a coping mechanism to counter fear, insecurity, and uncertainty in our early human ancestors.
When James Veitch characterizes his would-be scammer as bumbling and inept, he is taking something serious (the risk of losing control over his digital life) and turning it into an object of humor.
You can do the same thing at your office. Just make sure you don’t focus on cartoonish representations of incompetent hackers – remember that the real cybercriminals you are protecting your employees against are intelligent, resourceful, and dangerous.
But that doesn’t mean you can’t have fun with them. Consider creating highly detailed, slightly absurd hacker personas similar to the buyer personas that marketers base their decisions on: for example, the spray-and-pray credential harvester who mails the whole company a fake password-reset link, versus the patient impersonator who studies the org chart for weeks before asking someone in finance for an urgent wire transfer. The practical upshot of this approach is that you can distinguish between different types of cybercriminals and develop different mitigation strategies for each, rather than treating "phishing" as one undifferentiated threat.
Don’t Be a Scary Compliance Professional
Many people find cybercriminals scary, but they don’t think about them every day, so the effect is not very pronounced. Compliance professionals and IT managers are scary for a whole different set of reasons – chief among them that employees have to deal with them every day.
You don’t have to be a Marx Brother to inject a little bit of lighthearted humor into a subject as dry and data-centric as cybersecurity. All it takes is a willingness to laugh at yourself from time to time and to use that laughter to build emotional connections with the people you are training.
The best thing that an IT manager entrusted with infosec training duties can do is lighten up just enough to avoid intimidating employees. Instead of being a scary compliance professional, be the one who isn’t afraid to laugh – and who employees aren’t afraid to laugh with either. The results will speak for themselves.