West Point works really hard to get cadets to critically think and to do so in very stressful situations. I would argue that West Point does it better than anyone in the world. Yet the history of West Point is replete with examples of where the pressures of academy-seminary of cadet life resulted in the march of the lemmings. Phishing is one such example.
As academy leaders, we observed with some satisfaction cadets grow in their ability to critically think in the classroom and in the field. We observed, with absolute dismay, their inability to critically think when clicking on email messages and sharing their personal and financial information.
We tried a mandatory one-hour lecture and impressively prepared PowerPoint slides to educate and inspire the cadets to critically think before they clicked and that predictively failed. We tried cadet led small group discussions. That failed. To our horror, the march of the lemmings continued unabated.
Finally, in a partnership between my office and the Department of Electrical Engineering and Computer Science, we built the servers to automate and record the results of active phishing training. At the time, it was a novel approach and we published the first academic paper on the approach after a couple of years of collecting data. The three principal players were Colonel Ron Dodge, Aaron Ferguson, and I. Aaron Ferguson, an NSA Fellow, had the idea and convinced Ron to build the servers and me to convince the rest of the academy to try the approach. We matured the approach over time and did a couple of things right.
When you test a system, tell no one and especially do not tell senior leadership. Everyone should react as if it is real and when it is real, they will be trained to respond effectively.
One of the things we did right is we did not tell Academy leadership when the training email message would be sent or its contents. They knew it would occur sometime during the semester but no other details. Everyone was trained.
We built the right notification system. If a cadet failed the phishing training, they would be notified in person by another cadet in their company. This lowered the pressure put on cadets and increased the embarrassment factor. Peer pressure does work sometimes better than organizational pressure.
We built the right rewards system. Believe it or not, we started an IT SAMI program once a semester where the cadet computers were inspected in a rigorous white glove inspection. The cadets could not get demerits from the inspection but the best company in each regiment got a streamer (dubiously valued by the cadets) and a company-wide pizza party (intensely valued and fought for). A little bit of stick and a lot of carrot in the rewards system changed behavior because they really wanted that pizza party.
If Aaron, Ron and I had been wiser, we would have patented the approach and retired twenty years ago as active phishing training became and continues to be very popular in companies and incredibly lucrative for those who provide it.
If you are progressing through this journey sequentially, the next chapter is Unintended Consequences.