SecTor 2025 | Why Phish if it Doesn’t Work? A No BS Take on Why We Need to Phish


Who would have thought that in 2025, we would still need to advocate for the importance of phishing simulations, but here we are. No matter how sophisticated our technical controls are, emails are still swimming past our filters and landing in employee inboxes. If they are our first or even last line of defense, how do we expect them to help us spot threats when they’ve never encountered them in the real world?

In a 2024 paper released by tech giants, some argue that phishing simulations are useless fire drills that do little to change behavior. Here’s the kicker: Research proves that when people aren’t educated on mindfulness and encounter a tricky situation, they’re going to respond in risky ways.

The technology fallacy, the idea that you can fix the tech instead of the people, isn’t true. Emotional intelligence is our greatest strength as humans. Technical defenses are essential but not foolproof. Harnessing the human factor by educating people through emotional experience will improve their ability to identify and respond to real threats landing in their inboxes.

This talk will share insights from collaborative research with the University of Montreal over the past two years, looking at cybersecurity awareness and phishing simulation data from hundreds of organizations and hundreds of thousands of people around the world. Attendees will explore dimensions of the interaction between humans and cybersecurity. The presentation will connect the data to insights from neuroscience, biology, psychology, and behavioural economics, showing what we have learned and the next questions we should all be looking to answer.

By: David Shipley | CEO, Field CISO, Beauceron Security

https://blackhat.com/sector/2025/briefings/schedule/#why-phish-if-it-doesnt-work-a-no-bs-take-on-why-we-need-to-phish-47657