We are all familiar with the phishing exercises employed by internal cybersecurity teams to increase our awareness of schemes used by threat actors to gain illicit access to our computer networks. These exercises mimic the real thing - file transfer links, invoices to be reviewed, or my favorite, a complaint filed against me with the Better Business Association of NY (no such entity, and, thankfully, no such complaint existed). The planned outcome of these fake phishing attempts is to drive down the chances of us falling for these types of schemes in real life. However, a recent piece in the Wall Street Journal sets out a novel approach that may be more effective - Cybersecurity Storytelling.
Enlisting our colleagues to share their stories of near misses or, unfortunately, of successful attempts to induce them to click on evil links is an effective way to teach security. Listening to cybersecurity professionals lecture about how you should know better might not work as well as having a colleague walk through being lured by a threat actor, or talk about the bad email that made her think twice. A study cited in the article notes that putting real names and real faces on phishing attempts led to 75 percent of the study participants reporting that they had learned an important cybersecurity lesson. Is storytelling going to replace technical cybersecurity training methods such as phishing tests? Probably not, but combining such techniques with real-life accounts from co-workers appears to have a lot of potential for teaching our colleagues cybersecurity.