78% of Your Employees Know the Risks. Most Will Still Click.
The Story of the Helpful Employee
Meet Kevin. He worked at a small insurance company. Kevin had completed his annual security awareness training three weeks earlier. He scored 94% on the quiz. He could define phishing, identify red flags, and explain why you should never share credentials.
One Wednesday morning, Kevin got a phone call:
“Hi Kevin, this is Mike from IT. We’re dealing with a critical security issue and need to verify your account right away. Can you confirm your password when I tell you?”
Kevin helped. The voice sounded urgent, and the caller knew his name and department. So Kevin read out his password.
Within 30 minutes, criminals had:
- Stolen $65,000 from customer accounts
- Downloaded 1,200 customer Social Security numbers
- Sent fake emails to other employees
- Planted malware across the network
Kevin knew better. He could have passed any quiz about this exact scenario. But in the moment, his behavior didn’t match his knowledge.
This is the fundamental problem with security training: it produces knowledge, not behavior change.
The Knowledge-Behavior Gap: Why Knowing Isn’t Doing
What Behavioral Science Tells Us
Social engineering doesn’t exploit ignorance. It exploits deeply wired cognitive patterns. Criminals aren’t trying to fool people who don’t know about phishing. They’re triggering automatic responses that bypass conscious knowledge.
Here’s what’s really happening when someone “falls for” a social engineering attack:
The Authority Override
A perceived authority figure triggers an automatic deference response that overrides deliberate evaluation; the popular shorthand is that the amygdala (threat response) overrides the prefrontal cortex (rational decision-making).
Criminal trigger: “This is your bank manager. I need you to verify your account information right now.”
Why training doesn’t prevent it: Knowing about the authority trick is intellectual. The automatic compliance response is emotional. Under pressure, the emotional system wins.
The Urgency Hijack
Artificial time pressure activates the fight-or-flight response, which narrows attention and reduces critical thinking.
Criminal trigger: “Your account will be closed in 10 minutes unless you act NOW!”
Why training doesn’t prevent it: Quiz question about urgency - easy. Actual urgent-sounding call at 4:55 PM on a Friday - completely different cognitive context.
The Social Proof Trap
People follow perceived group behavior, even when it contradicts their individual judgment.
Criminal trigger: “Everyone on your team has already updated their information.”
Why training doesn’t prevent it: In a classroom, people say “I’d never fall for that.” In real life, the desire to not be the odd one out is powerful.
The Reciprocity Exploit
Receiving something (even something worthless) creates a subconscious obligation to reciprocate.
Criminal trigger: “Thanks for being a loyal customer! Here’s a free gift. Just verify your details…”
Why training doesn’t prevent it: The reciprocity instinct is automatic. Training addresses it intellectually, but the instinct operates below conscious awareness.
The Data That Should Alarm You
- 78% of employees can correctly identify phishing in a training exercise
- 56% of those same employees click real phishing emails in the following 90 days
- The gap widens for sophisticated attacks that use personalization and urgency
- Annual training reduces click rates by 2-4% on average. Continuous behavioral nudging reduces them by 40-60%.
Why Traditional “Training” Makes Things Worse
The False Confidence Problem
When employees complete security training and score well on a quiz, something counterintuitive happens: they can become more susceptible to sophisticated attacks. This is overconfidence bias (often loosely called a Dunning-Kruger effect): the good score becomes evidence that their own judgment can be trusted.
“I passed the training. I know what phishing looks like. That email must be real because I would have caught it if it weren’t.”
This overconfidence is more dangerous than ignorance. At least ignorant employees might hesitate. Overconfident ones act quickly.
The Forgetting Curve Problem
Hermann Ebbinghaus's forgetting-curve experiments (run on lists of nonsense syllables, so these are the widely quoted approximations rather than exact figures for meaningful material) showed that without reinforcement people forget roughly:
- 50% of new information within 1 hour
- 70% within 24 hours
- 90% within 1 week
Your annual training session? By the time an employee encounters a real social engineering attempt weeks or months later, the specific red flags and response procedures have long faded from active memory.
Quarterly training helps, but still produces significant knowledge decay between sessions. The forgetting curve doesn’t care about your training schedule.
The Context Problem
Training teaches people to spot social engineering in a training context. But social engineering happens in a work context. These are fundamentally different:
| Training Context | Work Context |
|---|---|
| Calm, focused | Busy, distracted |
| Expecting to find red flags | Dealing with a real-seeming request |
| No time pressure | Deadline pressure, multitasking |
| Controlled environment | Someone who seems to know you |
Behavioral science calls this the “transfer problem.” Skills learned in one context don’t automatically transfer to another. The further the training context is from the real context, the less effective the training becomes.
What Actually Changes Behavior
Principle 1: Observe Real Behavior, Not Quiz Performance
Stop measuring whether people can identify phishing in a controlled environment. Start measuring what they actually do:
- Use SaaS audit tools to observe real email-handling behaviors
- Track which employees forward suspicious emails versus clicking them
- Monitor credential-sharing in chat tools
- Identify behavioral patterns that correlate with social engineering susceptibility
When you see the real behavior, you can target interventions at the actual problem, not the imagined one.
Principle 2: Deliver Nudges at the Point of Behavior
A nudge delivered in the moment of decision is worth a hundred training slides viewed months earlier.
Examples:
- When an employee is about to share credentials in Slack: a real-time reminder about your company’s credential-sharing policy
- When someone receives an email requesting a payment change: a contextual prompt asking them to verify through a second channel
- When a finance team member processes an unusual invoice: a gentle nudge referencing the invoice verification procedure in your PSSI (your organization's information security policy)
These nudges work because they’re:
- Contextual: Delivered at the moment the behavior happens
- Specific: Reference your actual security policy, not generic advice
- Brief: 5-10 seconds, not a 30-minute module
- Actionable: Tell people exactly what to do, not just what not to do
Principle 3: Use Spaced Repetition to Build Muscle Memory
The forgetting curve is a problem if you train once. It’s a tool if you train continuously.
Spaced repetition means delivering small, targeted quizzes and reminders at expanding intervals, timed to land just before the previous exposure would be forgotten:
- First reinforcement: 1 day after initial exposure
- Second reinforcement: 3 days later
- Third reinforcement: 1 week later
- Fourth reinforcement: 2 weeks later
- Ongoing: Monthly maintenance
This schedule, delivered through Slack or Teams as 30-second micro-quizzes, produces retention rates of 80-90% compared to 10-20% from annual training.
Over time, the correct response to social engineering triggers becomes automatic - not something the employee has to consciously recall.
Principle 4: Anchor Everything to Your PSSI
Generic social engineering training teaches generic responses. But your organization has specific policies, specific tools, and specific procedures.
When nudges and quizzes are generated from your actual security policy:
- The guidance is immediately actionable (“Our policy requires payment changes to be verified by phone at the number in our supplier database”)
- Employees learn the real procedures, not hypothetical best practices
- Compliance is built into behavior, not bolted on as an afterthought
- Auditors can see the direct connection between policy and practice
Real-World Scenarios: Behavior Correction in Action
The CEO Fraud Pattern
The attack: An employee gets an email from “the CEO” asking for an urgent wire transfer.
What training teaches: “Verify unusual requests from leadership.”
What behavioral nudging does:
- SaaS audit detects the incoming email pattern (an external sender spoofing an internal address or display name: typically a failed SPF/DKIM/DMARC check, a lookalike domain, or a Reply-To that points outside the company)
- Before the employee acts, a Slack nudge appears: “Your PSSI (Section 4.2) requires that all payment requests above $1,000 be verified by phone call to the requester’s known number. Here’s the verification checklist.”
- One week later, a 30-second micro-quiz in Teams: “Your CEO emails asking for an emergency wire transfer while traveling. What’s your first step?” with answer options anchored to your actual policy
- Three weeks later, another micro-quiz with a different CEO fraud variation
The employee doesn’t just “know” what to do. The correct response has been reinforced until it’s automatic.
The Supplier Impersonation Pattern
The attack: Criminals send a fake “account update” email from a supplier before a regular payment.
What training teaches: “Be careful with supplier communications.”
What behavioral nudging does:
- SaaS audit detects that someone in accounts payable opened a supplier email with an account change request
- A contextual nudge appears in their workflow: “Account change requests require verification through the contact number in our vendor database (PSSI Section 7.1). Do not use contact information from the email itself.”
- Spaced quizzes reinforce the verification procedure over the following weeks
- Finance team behavioral metrics show whether verification compliance improves
The IT Support Impersonation Pattern
The attack: Someone calls pretending to be IT support and asks for credentials.
What training teaches: “IT will never ask for your password.”
What behavioral nudging does:
- Regular micro-quizzes simulate the scenario in Slack: “Someone calls claiming to be IT support and says they need your password to fix a critical issue. What do you do?”
- The correct answer references your PSSI’s specific procedure for IT support verification
- Spaced repetition ensures this response is reinforced before it’s needed, not just taught once
- SaaS audit monitors for credential-sharing in chat tools as a proxy measure
Building a Behavior-First Defense
Step 1: Map Your Social Engineering Attack Surface
Not every team faces the same risks:
- Finance: Targeted by payment fraud, invoice manipulation, supplier impersonation
- HR: Targeted by employee data theft, payroll redirect scams
- IT/Admin: Targeted by credential theft, system access social engineering
- Leadership: Targeted by executive impersonation, board communication fraud
- Everyone: Targeted by general phishing, credential harvesting, pretexting
Map these risk profiles to your PSSI sections and prioritize nudges accordingly.
Step 2: Deploy Behavioral Observation
Connect SaaS audit tools to observe:
- Email-handling patterns across teams
- Credential-sharing behavior in collaboration tools
- Response to external requests for sensitive information
- Shadow IT adoption that creates new attack surfaces
Step 3: Launch Continuous Nudging
Start with the highest-risk behaviors for each team:
- Finance: Invoice verification nudges
- HR: Data handling nudges
- IT: Credential management nudges
- Everyone: Phishing response nudges
Deliver through Slack and Teams. Reference your PSSI. Keep each intervention under 30 seconds.
Step 4: Measure Behavior, Not Knowledge
Track:
- Click rates on simulated phishing (but as one metric among many)
- Real-world suspicious email reporting rates
- Time-to-report for genuine incidents
- Credential-sharing incidents detected by SaaS audit
- Verification compliance for payment and data requests
These behavioral metrics tell you whether your program is working. Quiz scores don’t.
The Emergency Response: “I Think I Was Tricked”
Even with the best behavioral program, social engineering will sometimes succeed. When it does:
Immediately (First 5 Minutes):
- Stop the interaction. Don’t provide any more information.
- Report it. Contact your security team or manager immediately.
- Change credentials for any accounts that may have been compromised, and revoke active sessions and tokens where your tools allow it; a new password does not end a session the attacker already holds.
- Document exactly what happened while it’s fresh.
Within the Hour:
- Deploy a targeted nudge to the affected team about the specific attack vector
- Check SaaS audit data for similar patterns across other employees
- Assess potential damage and begin containment
Within the Week:
- Create a micro-quiz based on the real incident (anonymized)
- Deploy it to the entire organization through Slack/Teams
- Schedule spaced-repetition follow-ups
- Update your PSSI if the scenario wasn’t adequately covered
The key shift: the incident becomes a behavioral learning event, not just a technical incident to contain.
The Bottom Line
Social engineering works because criminals exploit automatic behavioral responses, not ignorance.
Your employees are not stupid. Most of them can pass any quiz you give them. The problem isn’t what they know. It’s what they do in the moment when cognitive shortcuts take over.
Fixing this requires a fundamental shift:
- Stop relying on annual training to change behavior. It doesn’t work. The forgetting curve guarantees it.
- Start observing real behavior through SaaS audits. See what people actually do, not what they say they’d do.
- Deliver nudges at the point of decision - in Slack and Teams, when the behavior matters most.
- Use spaced repetition to build automatic responses that persist over time.
- Anchor everything to your PSSI so guidance is specific, actionable, and auditable.
The goal isn’t employees who can define social engineering. It’s employees whose automatic response to social engineering triggers is the correct one. That’s behavior change. That’s what actually protects your organization.
Sources
- Verizon 2024 DBIR - https://www.verizon.com/business/resources/reports/dbir/
- JISEM - Decision Fatigue and Cybersecurity - https://jisem-journal.com/index.php/journal/article/download/12613/5861/21211
- RAND - Beyond Technicality - https://www.rand.org/content/dam/rand/pubs/research_reports/RRA3800/RRA3841-1/RAND_RRA3841-1.pdf
- UChicago - Gaps in cybersecurity training - https://cs.uchicago.edu/news/new-study-reveals-gaps-in-common-types-of-cybersecurity-training/
Ready to close the gap between what your team knows and what they do? Contact EnGarde and let us help you build behavioral defenses that work when it matters, not just during training.