
> "I was pissed"

How do you balance/deal with "security shaming", which is proven to put you further at risk as an organization?

There is some interesting research from the UK Government in this space - https://www.ncsc.gov.uk/blog-post/trouble-phishing#section_3

The relevant bit:

"If just one user reports a phish, you can get a head start on defending your company against that phishing campaign and every spotted email is one less opportunity for attackers...but phishing your own users isn't your only option.

Try being more creative; some companies have had a lot of success with training that gets the participants to craft their own phishing email, giving them a much richer view of the influence techniques used. Others are experimenting with gamification, making a friendly competition between peers, rather than an 'us vs them' situation with security."



1. There's an option to hide the names of the employees. It would replace all the names with random animal name + a color. It's great if you don't want to know which employees are falling for attacks.

2. I love the idea to actually make the employees create their own attacks, but it seems a bit hard to do and pretty much time-consuming for a company.


It's not the actual individuals - it's the culture it creates, "HA! We caught you, you dumbass, here's 2hrs of training". This means people are afraid to report or take ownership over looking out for phishing as it creates no benefit for them; it's just there to make the security team smug.

Having been part of and designed these campaigns before (with open source options like https://getgophish.com/), there is no way to report as phishing or reward users who detected but therefore didn't interact with it. This means in your example - did the other 81% just not open it, ignored it, or actively thought it was phishing? These are key metrics a company needs to know their potential attack surface.
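The two points raised in this thread, pseudonymising recipients as a "colour + animal" label and separating "reported" from "clicked", "opened but did nothing" and "never interacted", can both be handled in the campaign reporting rather than in the phishing tool. The script below is an added illustration written for this page; it is not code from the original comments or from Gophish, and the event log, the `sent/opened/clicked/reported` action names and the `campaign-2024-salt` value are constructed for the example.

```python
import hashlib
from collections import Counter

# Constructed sample event log for one simulated campaign (not real data).
# Each row is (recipient, action); "sent" is recorded for every recipient so
# people who never touched the mail still show up in the denominator.
EVENTS = [
    ("alice@example.com", "sent"), ("alice@example.com", "opened"),
    ("alice@example.com", "clicked"),
    ("bob@example.com", "sent"), ("bob@example.com", "reported"),
    ("carol@example.com", "sent"), ("carol@example.com", "opened"),
    ("carol@example.com", "reported"),
    ("dave@example.com", "sent"),
    ("erin@example.com", "sent"), ("erin@example.com", "opened"),
]

COLORS = ["red", "blue", "green", "amber", "violet", "teal"]
ANIMALS = ["otter", "heron", "badger", "lynx", "falcon", "marten"]

# Exclusive outcome buckets, most useful first. A recipient who clicked and
# then reported is counted as "reported": the report is what gives the
# security team its head start, and that is the behaviour to reward.
OUTCOMES = ("reported", "clicked", "opened_no_action", "no_interaction")


def pseudonym(user: str, salt: str) -> str:
    """Deterministic 'colour animal' label from a salted hash of the address.

    The salt is a per-campaign secret (assumed, held by the security team), so
    the same person maps to the same label within a campaign but the label
    cannot be reversed to a name without the salt.
    """
    digest = hashlib.sha256(f"{salt}:{user}".encode()).digest()
    return f"{COLORS[digest[0] % len(COLORS)]} {ANIMALS[digest[1] % len(ANIMALS)]}"


def pseudonymize(users, salt: str) -> dict:
    """Map every recipient to a unique label; on a hash collision (only 36
    colour/animal pairs exist) append a counter so two people never share one."""
    labels, used = {}, Counter()
    for user in sorted(users):
        base = pseudonym(user, salt)
        used[base] += 1
        labels[user] = base if used[base] == 1 else f"{base} {used[base]}"
    return labels


def classify(events) -> dict:
    """Return {recipient: outcome} using the OUTCOMES precedence order."""
    actions_by_user = {}
    for user, action in events:
        actions_by_user.setdefault(user, set()).add(action)
    result = {}
    for user, actions in actions_by_user.items():
        if "reported" in actions:
            result[user] = "reported"
        elif "clicked" in actions:
            result[user] = "clicked"
        elif "opened" in actions:
            result[user] = "opened_no_action"
        else:
            result[user] = "no_interaction"
    return result


def summarize(events, salt: str = "campaign-2024-salt") -> dict:
    """Aggregate counts and percentages per outcome, plus a per-recipient
    breakdown keyed by pseudonym so the report never carries real names."""
    outcomes = classify(events)
    labels = pseudonymize(outcomes.keys(), salt)
    counts = Counter(outcomes.values())
    total = len(outcomes)
    return {
        "total": total,
        "by_outcome": {
            o: {"count": counts.get(o, 0),
                "percent": round(100.0 * counts.get(o, 0) / total, 1)}
            for o in OUTCOMES
        },
        "by_recipient": {labels[u]: o for u, o in outcomes.items()},
    }


if __name__ == "__main__":
    report = summarize(EVENTS)
    print(f"recipients: {report['total']}")
    for outcome, stats in report["by_outcome"].items():
        print(f"  {outcome:18s} {stats['count']:3d}  ({stats['percent']}%)")
    for label, outcome in sorted(report["by_recipient"].items()):
        print(f"  {label:14s} -> {outcome}")
```

The point of the exclusive buckets is the question asked above: a click rate alone cannot tell you whether the remaining recipients ignored the mail, never saw it, or recognised it and reported it, and only the last group is evidence the training is working. The reporting step itself has to exist in the mail client for `reported` events to appear at all; if the tooling only records opens and clicks, the summary will show that gap as an inflated `no_interaction` bucket.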


>How do you balance/deal with "security shaming", which is proven to put you further at risk as an organization?

I've had this happen to me, not for phishing, but for the Kensington lock thing. Probably not that common any more, at least not in the West, but some workplaces have aggressive laptop locking policies. Workplace tried this stunt of confiscating laptops that were not locked, and everyone had to meet some manager-type person. It was completely asinine. This is a typical badge-access-controlled workplace with additional security personnel. The laptop locks were total overkill.



