Understanding the user experience
The study involved semi-structured interviews with seven employees from two companies utilising Junglemap's cybersecurity training. Analysis was conducted using Bloom’s taxonomy, assessing knowledge levels from basic recall to higher-order thinking.
All participants demonstrated foundational knowledge. They could recall, comprehend, and apply what they learned. Some even reflected deeply on the content, suggesting improvements and adaptations.
Key takeaways from both companies
1. Workplace stress impacts application, not training itself
Employees didn't find the training stressful; however, everyday work pressures sometimes hindered the application of learned principles.
2. Foundational training benefits all
While some felt the training was basic, they recognised its value in establishing a common knowledge base, ensuring inclusivity across varying technical proficiencies.
3. Interactive elements enhance engagement
Interactive components like quizzes were more engaging than passive simulations. There was also interest in gamified elements, even if not initially anticipated.
4. Training influences behavior
Participants reported increased vigilance with emails, double-checking senders, scanning language and logos, and being more context-aware.
Additional insights
Beyond these findings, the study highlighted areas for organisations to focus on to support the impact of phishing simulations and create a robust security culture:
- Positive reinforcement matters: While users receive feedback upon clicking malicious links, they often lack acknowledgment for correctly identifying threats. Recognising correct actions can boost confidence and reinforce learning.
- Personal relevance enhances motivation: Training that employees can apply in their personal lives increases engagement and underscores the real-world value of cybersecurity practices.
- Clear reporting channels are essential: Some employees were uncertain about how to report suspicious emails, indicating a need for clearer communication and streamlined reporting processes.
Conclusion
Effective phishing training must be tailored to both individuals and organisational contexts. Users appreciate accessible, practical, and interactive content, complemented by constructive feedback and clear guidance. As one participant noted: “Better to get caught in a simulation than to compromise the entire company in real life.”