Cybersecurity News in Asia

RECENT STORIES:

SEGA moves faster with flow-based network monitoring
The cyber incident that is too “isolated” to accentuate to mass media...
Sparsa AI Launches Sovereign Enterprise AI Platform with Global Deploy...
Conifers AI Opens Singapore Data Region, Bringing Local Data Residency...
Finally taken down: Residential proxy network of at least 2m smart dev...
DXC Opens Flagship AI-first Customer Experience Center in Bengaluru
LOGIN REGISTER
CybersecAsia
  • Features
    • Featured

      S E Asia governments targeted by cyber-espionage group

      S E Asia governments targeted by cyber-espionage group

      Tuesday, June 23, 2026, 8:00 AM Asia/Singapore | Features
    • Featured

      Rethinking network and infrastructure design for resilience

      Rethinking network and infrastructure design for resilience

      Thursday, June 18, 2026, 2:17 PM Asia/Singapore | Features
    • Featured

      Bringing cybercriminals to justice in APAC

      Bringing cybercriminals to justice in APAC

      Thursday, June 11, 2026, 10:30 AM Asia/Singapore | Features
  • Opinions
  • Tips
  • Whitepapers
  • AWARDS 2026
  • Directory
  • E-Learning

Select Page

Tips

Are your corporate phishing tests harming employee well-being inadvertently?

By L L Seow | Tuesday, August 19, 2025, 4:00 PM Asia/Singapore

Are your corporate phishing tests harming employee well-being inadvertently?

Explore how brute-force phishing tests can impact staffs’ mental health, and apply a framework that protects employee well-being while enhancing cybersecurity.

Phishing attacks are an ever-present threat in the digital workplace, and simulated phishing tests have become one of the most popular tools for boosting employee awareness and organizational defenses.

While these tests are effective in reducing risky behavior, over time, they have started to pose a growing unique danger: overly-punitive in-house testing campaigns can inflict psychological stress, lower morale, and ultimately undermine both security and workplace culture.

It is already bad enough to be exposed to phishing and other cyber threats in the course of work — but having to handle artificial phishing attempts by one’s own colleagues — that is one extra burden that is really unneeded. And while such spot tests can keep certain employees on their toes when responding to emails and other communications, there is growing evidence that the stress can impact mental well-being even among those who routinely pass the tests.

It is time to ask: How can organizations build resilience to phishing without crossing the line into manipulation and employee harm?

Understand the science behind phishing tests
Peer-reviewed research and case studies highlight that phishing simulations — when done competently and responsibly — can significantly reduce click rates and help organizations guard against increasingly sophisticated attacks. However, the psychological dimensions of such testing are frequently overlooked, leading to unintended consequences.

When such testing is not well designed to fit corporate culture, or when penalties are not impacting staff in a manner perceived as fair or commensurate, the following consequences can arise:

  • Elevated stress and anxiety: Employees subjected to punitive or manipulative campaigns report feeling anxious and under constant suspicion. Studies show this can disrupt sleep and mental wellness (Layer8 Security).
  • Shame and disengagement: When staff receive penalties or public shaming for falling for a test, they may become resentful, defensive, or less willing to report real incidents (Hook Security Blog).
  • Trust erosion: Excessive surprise attacks and ambiguous motives create an “us versus them” dynamic, undermining trust between employees, IT, and leadership.
  • Reduction in security effectiveness: Overly harsh or frequent testing may desensitize staff, making them more likely to ignore security warnings or engage in risky behaviors just to avoid penalties (ScienceDirect: Falling for phishing attempts).

Correcting the testing framework
Organizations that have already implemented phishing simulation exercises and tests can consider the following framework as a guide to revamping or fine-tuning the mental-wellness aspects of their current approach. Those that have yet to implement such testing can similarly use the four key thrusts below to ensure that potential vendors and suppliers are updated in their approach to address fairness and inclusiveness:

  • Adopt the right intent and transparent communication
    Phishing simulations are only effective when employees understand their purpose and trust their intent:
    • Communicate clearly: Before launching any campaign, explain to all staff what phishing tests entail, and why they matter. Do not leave room for fear or surprise.
    • Articulate goals: Position simulations as a means to collective protection and professional growth: not as a tool for blame or punishment.
    • Avoid punitive consequences: First-time failures should be met with constructive feedback and education, not threats or disciplinary action.
      • Punishing failures with threats, fines, or disciplinary action creates a hostile environment and may discourage honest reporting or cooperation, which are critical for effective security.
      • Instead, organizations should focus on positive reinforcement, viewing mistakes as opportunities for growth and improvement. This approach fosters trust, reduces anxiety, and encourages a culture where employees feel supported rather than targeted.
      • For those who repeatedly fall victim to phishing simulations, additional training should be empathetic and aimed at addressing underlying causes such as workload stress or lack of understanding—not simply penalizing.
      • Clear communication that phishing tests are designed for team-wide protection — not to catch individuals out — reinforces this mindset and keeps morale intact.
  • Minimize manipulative tactics and maximize empathy
    Organizations need to avoid overreach tactics that weaponize employee psychology for short-term results:
    • Ban manipulative lures: Refrain from using emotional triggers such as fake bonuses, disciplinary threats, or messages that prey on personal fears.
    • Limit test frequency: Too many surprise campaigns breed fatigue and disengagement. Evidence suggests quarterly or biannual simulations are sufficient for most environments (TrustBuilder Ethical Phishing).
    • Protect privacy: Never publicize or ridicule personal failings. Security culture grows through collective resilience, not humiliation.
  • Foster a culture of support and mindfulness

    Research points to the power of positive reinforcement and adaptive learning in security education (Collard, Cyber-Mindfulness):
    • Reward reporting: Encourage employees to flag suspicious messages — even if they had already activated the payload — by recognizing proactive participation and offering incentives for vigilance.
    • Use adaptive feedback: Tailor follow-up training to individual risk profiles, ensuring support for those who struggle — without stigmatizing or singling them out.
    • Promote cyber-mindfulness: Integrate stress management and digital awareness programs into regular security education, reducing anxiety and boosting situational awareness.
  • Hold vendors and leadership accountable
    In a shared responsibility paradigm, the responsibility for ethical phishing testing lies both with software providers and organizational decision-makers:
    • Demand responsible solutions: Insist that vendors supply training modules that warn against punitive practices, highlight psychological risks, and offer guidance in supportive testing.
    • Audit program impact: Regularly assess not just the click rates but also the mental health and morale of staff. If feedback indicates harm, adjust strategies immediately.
    • Set cross-functional policy: Involve HR and wellness teams in designing simulation frameworks that balance security effectiveness with employee care.

Remember, the road to effectively enhanced corporate cybersecurity has to be paved not only with good intentions — education, resilience, and vigilance — but also with empathy, respect, and care for the workforce.


For employees, the onus is on them to improve their cyber awareness levels, seek support from team mates, and help others in turn when appropriate. For organizations and vendors alike, the real measure of success lies in cultivating a culture of shared accountability, trust, and wellbeing. Phishing tests should protect, empower, and unite — not divide or diminish.

Share:

PreviousBusiness SaaS firm discloses social engineering attack on third-party CRM platform
NextViewQwest Powers Next Stage of Enterprise Growth with Appointment of Chief Growth Officer

Related Posts

NGO sets up new Zero Trust Advancement Center

NGO sets up new Zero Trust Advancement Center

Monday, March 14, 2022

The “C” at the C-level does not refer to “cyber resilience”

The “C” at the C-level does not refer to “cyber resilience”

Tuesday, October 24, 2023

Cybersecurity challenges in securing modern power grids: the stakes are higher than ever

Cybersecurity challenges in securing modern power grids: the stakes are higher than ever

Monday, March 24, 2025

Banking scams have hit hard in just the first few weeks of 2024

Banking scams have hit hard in just the first few weeks of 2024

Tuesday, January 16, 2024

Leave a reply Cancel reply

You must be logged in to post a comment.

Voters-draw/RCA-Sponsors

Slide

CybersecAsia Voting Placement

Gamification listing or Participate Now

PARTICIPATE NOW

Vote Now -Placement(Google Ads)

Top-Sidebar-banner

Whitepapers

  • Critical Security Threatsand the Need for ZTNA: How evolving cyberattacks demand a Zero Trust approach

    Critical Security Threatsand the Need for ZTNA: How evolving cyberattacks demand a Zero Trust approach

    Cyber threats have become more frequent and sophisticated, targeting organizations of all sizes across all …Download Whitepaper
  • Zero Trust Made Simple: Why it matters and how to get started

    Zero Trust Made Simple: Why it matters and how to get started

    Data breaches and cyberattacks are no longer limited to large, high-profile organizations.Download Whitepaper
  • Cloud Secure Edge: Remote access, better security

    Cloud Secure Edge: Remote access, better security

    ​SonicWall Cloud Secure Edge™ is a modern, cloud-native Security Service Edge (SSE) solution that addresses …Download Whitepaper
  • Closing the Gap in Email Security:How To Stop The 7 Most SinisterAI-Powered Phishing Threats

    Closing the Gap in Email Security:How To Stop The 7 Most SinisterAI-Powered Phishing Threats

    Insider threats continue to be a major cybersecurity risk in 2024. Explore more insights on …Download Whitepaper

Middle-sidebar-banner

Case Studies

  • How a Vietnamese D2C retailer built its own secure digital infrastructure

    How a Vietnamese D2C retailer built its own secure digital infrastructure

    Would your organization build your own digital infrastructure – including AI governance and cybersecurity – …Read more
  • Cyber protection for medical clinics in Singapore

    Cyber protection for medical clinics in Singapore

    As Singapore’s healthcare sector becomes increasingly digital and interconnected, clinics are facing heightened cyber risks, …Read more
  • India’s WazirX strengthens governance and digital asset security

    India’s WazirX strengthens governance and digital asset security

    Revamping its custody infrastructure using multi‑party computation tools has improved operational resilience and institutional‑grade safeguardsRead more
  • Bangladesh LGED modernizes communication while addressing data security concerns

    Bangladesh LGED modernizes communication while addressing data security concerns

    To meet emerging data localization/privacy regulations, the government engineering agency deploys a secure, unified digital …Read more

Bottom sidebar

Other News

  • Sparsa AI Launches Sovereign Enterprise AI Platform with Global Deployment at QNET

    Wednesday, July 8, 2026
    The Sparsa AI Enterprise Operating …Read More »
  • Conifers AI Opens Singapore Data Region, Bringing Local Data Residency to Asia-Pacific Security Teams

    Wednesday, July 8, 2026
    With data regions now spanning …Read More »
  • DXC Opens Flagship AI-first Customer Experience Center in Bengaluru

    Tuesday, July 7, 2026
    Strengthens DXC’s India presence with …Read More »
  • D-Link Brings Advanced AI Fall Detection and Privacy Protection to Home Elderly Care with the New DCS-8610 Wi-Fi Camera

    Monday, July 6, 2026
    Advanced technologies traditionally found in …Read More »
  • ICAC Commissioner attends first IAACA European regional anti-corruption conference in Hungary

    Friday, July 3, 2026
    BUDAPEST, Hungary, July 2, 2026 …Read More »
  • Our Brands
  • DigiconAsia
  • MartechAsia
  • Home
  • About Us
  • Contact Us
  • Sitemap
  • Privacy & Cookies
  • Terms of Use
  • Advertising & Reprint Policy
  • Media Kit
  • Subscribe
  • Manage Subscriptions
  • Newsletter

Copyright © 2026 CybersecAsia All Rights Reserved.