Why this module exists. Awareness training is the single most-funded, least-effective security investment in most Indian enterprises. The right structure — frequent, targeted, feedback-driven — produces measurable behaviour change. The wrong structure — annual hour-long video — produces compliance-checkbox theatre. This module is how to build the right one.
What does not work
- Annual one-hour online module with a quiz at the end.
- Generic global content not customised to the org’s actual threats.
- “Click rate” as the headline metric — it measures avoidance, not capability.
- Shaming individuals for clicks. What works best for compliance theatre is the worst thing for an actual security culture.
- Forcing all employees through identical content regardless of role.
What works — the four-component programme
- Frequent, low-friction touchpoints. Monthly 5-minute simulations are more effective than annual hour-long modules. The brain learns better from spaced repetition.
- Role-targeted content. Finance gets BEC scenarios; engineers get supply-chain / repo-compromise scenarios; executives get whaling / spear-phishing scenarios; everyone gets the basics. Generic content for specific roles is theatre.
- Real-time feedback when someone reports a phish. The SOC responds within an hour: “yes that was a real phish, thank you, we’ve blocked it for everyone.” The dopamine hit reinforces the reporting behaviour.
- Metrics that matter. Track time-to-first-report, percentage of phishing emails reported (versus clicked), and phishing-resistant MFA enrolment rate. Click rate is downstream.
The simulation programme — operational pattern
| Cadence | Detail |
|---|---|
| Every 4-6 weeks | Simulation campaign — different template each time |
| Same day | “Just-in-time” coaching for clickers — 2-min explanation of what they missed |
| Monthly | Aggregate metrics report to function leaders |
| Quarterly | Repeat-clicker review with manager + HR; coaching pathway |
| Annual | All-hands programme review; budget cycle alignment |
Template variety — what to throw at people
Real-attack-mimicking templates work better than fictional scenarios. Pull patterns from:
- Your own DMARC failure reports — they tell you what brands attackers are spoofing against your domain.
- Industry-specific scams — fintech sees a lot of “RBI compliance update” templates; healthtech sees “MoH directive” templates.
- Topical events — election results, Budget announcements, IPL season. Attackers use these; simulations should too.
The repeat-clicker pathway
~5-10% of any workforce repeatedly clicks simulation phish. The progression that works:
- First click in 90 days — just-in-time coaching.
- Second click in 90 days — short 1:1 with security awareness lead.
- Third click — manager loop-in. Discussion of whether the role is high-risk (e.g., heavy email user) and what extra controls might help.
- Continued high click rate — additional technical controls applied to the user: more aggressive email filtering, mandatory phishing-resistant MFA, possibly an allowlist restricting which external senders can reach their mailbox.
The point is escalation through controls, not punishment. The user who keeps clicking is not malicious; they need more support. Some users never improve no matter how much coaching they get; the answer there is technology, not blame.
Metrics that move the security posture
| Metric | Target |
|---|---|
| Time to first report of a real phish (from delivery) | <15 minutes |
| Percentage of delivered phish that get reported | >30% |
| Repeat-clicker rate (>2 clicks in 90 days) | <3% of workforce |
| Phishing-resistant MFA adoption | Privileged users 100%, all users 80% by year 2 |
Click rate is downstream of these. A workforce that reports phish fast, with low repeat-clicker rate and broad phishing-resistant MFA, has a low click-driven incident rate as a consequence.
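As an added illustration (not part of the original module), the following Python computes the metrics in the table above and the repeat-clicker pathway tier for each user from a constructed simulation event log; the users, campaign ids and timestamps are hypothetical.

```python
from datetime import datetime, timedelta

# Constructed sample data (hypothetical users and campaign ids, not from the page).
# campaign id -> (delivery time, {user: (event, time)}); users missing from the inner
# dict received the simulation and neither clicked nor reported.
WORKFORCE = ["asha", "ravi", "meera", "kiran"]
CAMPAIGNS = {
    "c1": ("2024-03-04T09:00", {"asha": ("reported", "2024-03-04T09:07"),
                                "ravi": ("clicked", "2024-03-04T09:20")}),
    "c2": ("2024-04-08T10:00", {"ravi": ("clicked", "2024-04-08T10:03"),
                                "meera": ("reported", "2024-04-08T10:31")}),
    "c3": ("2024-05-13T11:00", {"ravi": ("clicked", "2024-05-13T11:02"),
                                "kiran": ("reported", "2024-05-13T11:04"),
                                "asha": ("reported", "2024-05-13T11:09")}),
}
# Targets from the metrics table; tiers follow the repeat-clicker pathway steps.
TARGETS = {"minutes_to_first_report": 15, "report_rate": 0.30, "repeat_clicker_rate": 0.03}
TIERS = ["none", "just-in-time coaching", "1:1 with awareness lead",
         "manager loop-in", "additional technical controls"]

def _t(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M")

def campaign_metrics(campaign, campaigns=CAMPAIGNS, workforce=WORKFORCE):
    """Minutes to first report, report rate and click rate for one campaign."""
    delivered_at, actions = campaigns[campaign]
    reports = sorted(_t(ts) for ev, ts in actions.values() if ev == "reported")
    clicks = sum(1 for ev, _ in actions.values() if ev == "clicked")
    first = (reports[0] - _t(delivered_at)).total_seconds() / 60 if reports else None
    rate = len(reports) / len(workforce)
    return {"minutes_to_first_report": first, "report_rate": rate,
            "click_rate": clicks / len(workforce),
            "meets_targets": first is not None and first < TARGETS["minutes_to_first_report"]
            and rate > TARGETS["report_rate"]}

def clicks_in_window(user, as_of, window_days=90, campaigns=CAMPAIGNS):
    """Simulation clicks by this user in the trailing window ending at as_of."""
    start, end = _t(as_of) - timedelta(days=window_days), _t(as_of)
    return sum(1 for _, acts in campaigns.values()
               if acts.get(user, ("",))[0] == "clicked" and start <= _t(acts[user][1]) <= end)

def pathway_tier(user, as_of):
    """Escalation step the repeat-clicker pathway prescribes for this user as of a date."""
    return TIERS[min(clicks_in_window(user, as_of), len(TIERS) - 1)]

def repeat_clicker_rate(as_of, workforce=WORKFORCE):
    """Share of the workforce with more than 2 clicks in the trailing 90 days."""
    return sum(1 for u in workforce if clicks_in_window(u, as_of) > 2) / len(workforce)
```

Because the window is trailing, a user's tier drops back as old clicks age out, which is what the "in 90 days" wording of the pathway implies.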
The “report phish” button — the leverage point
Reporting should be one click, integrated into the email client: the Outlook PhishAlert button, or Gmail's “Report phishing” link. The friction reduction matters: 30 seconds becomes 1 second, and the report rate doubles.
Operational: the button must route to a SOC mailbox that responds. A button that goes into a black hole undoes the trust within weeks.
Cultural overlay
- Leadership reports phish publicly. The CEO forwarding a phish to the SOC on Slack with “spotted this, reported” is worth 10 training videos.
- Recognition for the first reporter of each real phish — small public thank-you, not financial reward.
- Quarterly “phish of the quarter” — share the most creative phish that landed, what made it convincing, and what the report rate was. The shared experience builds collective competence.
Indian-enterprise specifics
- Language coverage. Simulations in Hindi and the major regional languages spoken in the workforce. Generic English content misses material risk in mixed-language teams.
- Festival timing. Attackers target Diwali, Holi, financial year-end with themed phishing. Match the simulation cadence.
- WhatsApp pretext. Awareness training has to extend beyond email — train recognition of WhatsApp impersonation.
Key takeaways
- Annual training does not move behaviour; monthly targeted simulations do.
- Role-targeted content beats generic content — finance gets BEC, engineers get supply-chain, executives get whaling.
- Real-time SOC feedback to phish reporters is the dopamine that builds the habit.
- Metrics: time-to-first-report, report rate, repeat-clicker rate, phishing-resistant MFA adoption.
- Repeat clickers get escalating support, not punishment; ultimate answer is technology, not blame.
Custom team training + practitioner advisory
Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.