Per Lagerström
Article   May 07 2025

Phishing training in practice: insights from the user perspective

At a recent breakfast seminar at Junglemap, computer science students Henrik Enell and Robin Lekander from Linköping University shared findings from their bachelor's thesis, a qualitative study exploring how employees in small and medium-sized enterprises perceive phishing training. Their research sheds light on how cybersecurity education resonates with users and offers guidance on improving its effectiveness.


Understanding the user experience 

The study involved semi-structured interviews with seven employees from two companies utilising Junglemap's cybersecurity training. Analysis was conducted using Bloom’s taxonomy, assessing knowledge levels from basic recall to higher-order thinking.
All participants demonstrated foundational knowledge. They could recall, comprehend, and apply what they learned. Some even reflected deeply on the content, suggesting improvements and adaptations.


Key takeaways from both companies 

1. Workplace stress impacts application, not training itself
Employees didn't find the training stressful; however, everyday work pressures sometimes hindered the application of learned principles.

2. Foundational training benefits all
While some felt the training was basic, they recognised its value in establishing a common knowledge base, ensuring inclusivity across varying technical proficiencies.

3. Interactive elements enhance engagement
Interactive components like quizzes were more engaging than passive simulations. There was also interest in gamified elements, even if not initially anticipated.

4. Training influences behaviour
Participants reported increased vigilance with emails, double-checking senders, scanning language and logos, and being more context-aware.


Additional insights

Beyond these findings, the study highlighted areas for organisations to focus on to support the impact of phishing simulations and create a robust security culture:

- Positive reinforcement matters: While users receive feedback upon clicking malicious links, they often lack acknowledgment for correctly identifying threats. Recognising correct actions can boost confidence and reinforce learning.

- Personal relevance enhances motivation: Training that employees can apply in their personal lives increases engagement and underscores the real-world value of cybersecurity practices.

- Clear reporting channels are essential: Some employees were uncertain about how to report suspicious emails, indicating a need for clearer communication and streamlined reporting processes.

Conclusion 

Effective phishing training must be tailored to both individuals and organisational contexts. Users appreciate accessible, practical, and interactive content, complemented by constructive feedback and clear guidance. As one participant noted: “Better to get caught in a simulation than to compromise the entire company in real life.”
