Is the carrot more effective than the stick for long-term phishing resilience? Jatin Mannepalli, CISSP, CCSP looks at whether positive reinforcement can promote openness, faster reporting and cultural buy-in, rather than risking a culture of silence, disengagement and undiscovered breaches born of fear over negative fallout.
Disclaimer: The views and opinions expressed in this article belong solely to the author and do not necessarily reflect those of ISC2.
Reports indicate that phishing accounts for 34% of all breaches, while the average cost of a phishing-related breach is $5.01 million – among the highest across breach types – together ensuring phishing remains a top and enduring cybersecurity threat. For that reason alone, it is not a question of whether phishing simulations should be run, but of how to run them, and how to respond effectively to the mistakes they surface.
Educational theorist Alfie Kohn has argued that punitive measures may result in short-term compliance but do little to build intrinsic motivation or understanding. My experience echoes that: real change happens when people feel safe to ask questions, admit mistakes, and learn. Just how much better does encouragement work, and how do you put that into practice? Well, let’s find out.
A Case Against Negative Reaction
Whether the driver is humiliation or simple fear, a punitive approach discourages employees from reporting real threats. Timely reporting is essential, but when people worry about being blamed they stay silent. One organization I supported – a technology services firm – had a reporting rate of around 20%, while click rates exceeded 18%. After introducing personalized feedback, gamified learning and public recognition, reporting rates surpassed 63% in under six months, while click rates dropped below 8%.
In another early program I worked on, we noticed that employees were hesitant to report suspected phishing emails, even when they weren't sure about them. Through informal feedback and internal pulse surveys, it became clear that fear of being blamed or seen as careless was a major deterrent. That hesitation delayed our incident response and occasionally let real threats slip through. This pattern shifted significantly once we emphasized that reporting even false alarms was valued more than silence.
Positive Reinforcement Works
Later, I led awareness and behavior change initiatives as part of the broader security operations team. That meant I wasn’t just running simulations, but also working with communications, HR and department heads to shape how security was talked about across the organization.
Early on, my team realized that sending out simulation emails and tracking click rates was only a small part of the challenge. What really mattered was how we responded to failure and how employees felt about engaging with the program. We changed our tone rather than the content. We replaced punitive reactions with recognition, which led to stronger engagement and faster response.
I’ve since moved away from measuring only click rates and focused more on positive behaviors: reporting, questioning and learning. Monthly simulations paired with short, meaningful training have become the foundation. In a single quarter, our reporting rate jumped from 22% to over 60%, simply because we made feedback more relevant and recognition more consistent.
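To make that shift in measurement concrete, the following is an added example (not code from the article or from any simulation platform) of a per-campaign scorecard that reports on reporting behavior rather than clicks alone: report rate, click rate, how many clickers still self-reported, median time to first report, and which clickers stayed silent and may need a direct conversation. The event records are constructed sample data, and the record layout (campaign, user, event, timestamp) is an assumption about how a simulation tool might export its log.

```python
"""Phishing-simulation scorecard built around reporting behaviour, not just clicks.

Added example, not from the article. The event format below is an assumed
export layout: (campaign, user, event, ISO-8601 timestamp), where event is
"delivered", "clicked" or "reported". Each user counts at most once per
metric, so duplicate reports or repeated clicks do not inflate anything.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

VALID_EVENTS = ("delivered", "clicked", "reported")

# Constructed sample log: one campaign, five recipients.
SAMPLE_EVENTS = [
    ("Q1-invoice", "alice", "delivered", "2024-03-04T09:00:00"),
    ("Q1-invoice", "bob",   "delivered", "2024-03-04T09:00:00"),
    ("Q1-invoice", "carol", "delivered", "2024-03-04T09:00:00"),
    ("Q1-invoice", "dave",  "delivered", "2024-03-04T09:00:00"),
    ("Q1-invoice", "erin",  "delivered", "2024-03-04T09:00:00"),
    ("Q1-invoice", "alice", "reported",  "2024-03-04T09:04:00"),  # reported, never clicked
    ("Q1-invoice", "bob",   "clicked",   "2024-03-04T09:10:00"),
    ("Q1-invoice", "bob",   "reported",  "2024-03-04T09:12:00"),  # clicked, then self-reported
    ("Q1-invoice", "carol", "clicked",   "2024-03-04T10:30:00"),  # clicked and stayed silent
    ("Q1-invoice", "dave",  "reported",  "2024-03-04T09:20:00"),
    ("Q1-invoice", "dave",  "reported",  "2024-03-04T09:25:00"),  # duplicate report, counted once
    # erin: no action at all (neither clicked nor reported)
]


def scorecard(events):
    """Return {campaign: metrics}. Rates are fractions of delivered recipients."""
    # campaign -> event -> user -> earliest timestamp for that user/event
    by_campaign = defaultdict(lambda: {e: {} for e in VALID_EVENTS})
    for campaign, user, event, ts in events:
        if event not in VALID_EVENTS:
            continue  # ignore unknown event types rather than failing
        when = datetime.fromisoformat(ts)
        bucket = by_campaign[campaign][event]
        if user not in bucket or when < bucket[user]:
            bucket[user] = when

    out = {}
    for campaign, b in by_campaign.items():
        delivered = b["delivered"]
        if not delivered:
            continue  # nothing to score without a delivery baseline
        # Only count clicks/reports from users the campaign actually reached.
        clicked = set(b["clicked"]) & set(delivered)
        reported = set(b["reported"]) & set(delivered)
        minutes_to_report = sorted(
            (b["reported"][u] - delivered[u]).total_seconds() / 60 for u in reported
        )
        out[campaign] = {
            "delivered": len(delivered),
            "click_rate": len(clicked) / len(delivered),
            "report_rate": len(reported) / len(delivered),
            # Of those who clicked, how many still spoke up: the behaviour the
            # article says to reward rather than punish.
            "report_after_click_rate": (len(clicked & reported) / len(clicked)) if clicked else None,
            "median_minutes_to_report": median(minutes_to_report) if minutes_to_report else None,
            # Clickers who never reported: candidates for a supportive conversation.
            "silent_clickers": sorted(clicked - reported),
        }
    return out


if __name__ == "__main__":
    for campaign, m in scorecard(SAMPLE_EVENTS).items():
        print(campaign)
        for k, v in m.items():
            print(f"  {k}: {v}")
```

Trend these four numbers campaign over campaign; a rising report rate and a shrinking silent-clicker list say more about culture than the click rate alone.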
Another small but effective tactic is offering shoutouts during team or company gatherings and gift cards to randomly selected reporters each month or quarter. The recognition becomes a point of pride for many and helps normalize reporting as a positive contribution rather than a reactive necessity. In one program, after introducing small recognition rewards and a culture of encouragement, reporting rates rose nearly 40% in just a few months.
When someone repeatedly struggles, a direct conversation helps uncover whether they are overwhelmed, unclear on expectations, or simply haven’t had enough support.
Encouragement, Not Punishment
Not everything I’ve tried has worked, and sometimes I’ve learned that the hard way. For instance, I rolled out a templated training module to all departments after a widespread simulation failure. It was a clean, professional e-learning course that followed best practices.
Engagement was low and the feedback we received was blunt: “It didn’t reflect what we actually see in our inboxes.” Looking back, I understand why: the examples were too generic and the tone felt more like a lecture than support. It taught me that effectiveness in training comes from context, not polish.
I’ve also seen leaderboard systems implemented in various ways, on the assumption that they would create friendly competition. However, they had the opposite effect: employees who ended up at the bottom of the board consistently felt embarrassed, reducing their engagement and openness. It became clear that public rankings in a security context can be demoralizing unless designed with extreme care. Today, I would avoid public scoreboards altogether in favor of private performance feedback or opt-in challenges that don’t single anyone out. Gamification works best when it's inclusive and supportive, not when it highlights shortcomings.
Disciplinary actions and negative reinforcement backfire. They suppress reporting and breed fear. Instead, thoughtful, empathetic reinforcement leads to trust, which is the foundation of a strong security culture.
Leadership’s Role and Practical Steps for Success
None of this works without leadership modeling the behavior we all want to see across the organization. When managers treat phishing incidents as teachable moments, it signals to the rest of the team that it’s OK to fail, as long as we learn and improve.
In one case I was part of, a manager who clicked on a simulation shared their experience during a team meeting, sparking a discussion about how phishing emails can slip past even vigilant eyes. That moment had a noticeable ripple effect. Others on the team started opening up about their own near-misses and became more proactive in reporting suspicious emails.
Final Thoughts
Cybersecurity is already tough. The last thing we need is to make people on our own team feel like the enemy. A positive, supportive approach builds a culture where people feel empowered, not penalized.
My approach hasn’t just helped the organizations I’ve worked with become more resilient to phishing attacks, it has also made my work more fulfilling. There’s something incredibly rewarding about seeing cultural transformation happen from the inside out. That’s when real resilience begins.
Jatin Mannepalli, CISSP, CCSP, has over 10 years of experience in cybersecurity and risk management across IT, finance, management consulting and high-frequency trading sectors. He has held security engineering, architecture, management and consulting roles, with responsibility for designing secure systems, mitigating risks and aligning cybersecurity strategies with business goals.