Cybersecurity News in Asia

RECENT STORIES:

SEGA moves faster with flow-based network monitoring
Malvertising campaign targets Android users with advanced crypto-steal...
How are people in 15 countries leveraging AI for travel planning?
Insider threats cited alongside external attacks in terms of severity:...
How are people in 15 countries leveraging AI for travel planning?
North America financial institutions lead surge in financial regulator...
LOGIN REGISTER
CybersecAsia
  • Features
    • Featured

      Resilience the true benchmark for smart infrastructure

      Resilience the true benchmark for smart infrastructure

      Wednesday, August 27, 2025, 8:21 PM Asia/Singapore | Features, IoT Security
    • Featured

      Deepfake a crisis of trust, not just technology

      Deepfake a crisis of trust, not just technology

      Tuesday, August 19, 2025, 10:06 AM Asia/Singapore | Features
    • Featured

      When talking sense into AI power mongers fails, talk $$$: A message from AI

      When talking sense into AI power mongers fails, talk $$$: A message from AI

      Thursday, August 14, 2025, 12:26 PM Asia/Singapore | Features
  • Opinions
  • Tips
  • Whitepapers
  • Awards 2025
  • Directory
  • E-Learning

Select Page

Tips

Are your corporate phishing tests harming employee well-being inadvertently?

By L L Seow | Tuesday, August 19, 2025, 4:00 PM Asia/Singapore

Are your corporate phishing tests harming employee well-being inadvertently?

Explore how brute-force phishing tests can impact staffs’ mental health, and apply a framework that protects employee well-being while enhancing cybersecurity.

Phishing attacks are an ever-present threat in the digital workplace, and simulated phishing tests have become one of the most popular tools for boosting employee awareness and organizational defenses.

While these tests are effective in reducing risky behavior, over time, they have started to pose a growing unique danger: overly-punitive in-house testing campaigns can inflict psychological stress, lower morale, and ultimately undermine both security and workplace culture.

It is already bad enough to be exposed to phishing and other cyber threats in the course of work — but having to handle artificial phishing attempts by one’s own colleagues — that is one extra burden that is really unneeded. And while such spot tests can keep certain employees on their toes when responding to emails and other communications, there is growing evidence that the stress can impact mental well-being even among those who routinely pass the tests.

It is time to ask: How can organizations build resilience to phishing without crossing the line into manipulation and employee harm?

Understand the science behind phishing tests
Peer-reviewed research and case studies highlight that phishing simulations — when done competently and responsibly — can significantly reduce click rates and help organizations guard against increasingly sophisticated attacks. However, the psychological dimensions of such testing are frequently overlooked, leading to unintended consequences.

When such testing is not well designed to fit corporate culture, or when penalties are not impacting staff in a manner perceived as fair or commensurate, the following consequences can arise:

  • Elevated stress and anxiety: Employees subjected to punitive or manipulative campaigns report feeling anxious and under constant suspicion. Studies show this can disrupt sleep and mental wellness (Layer8 Security).
  • Shame and disengagement: When staff receive penalties or public shaming for falling for a test, they may become resentful, defensive, or less willing to report real incidents (Hook Security Blog).
  • Trust erosion: Excessive surprise attacks and ambiguous motives create an “us versus them” dynamic, undermining trust between employees, IT, and leadership.
  • Reduction in security effectiveness: Overly harsh or frequent testing may desensitize staff, making them more likely to ignore security warnings or engage in risky behaviors just to avoid penalties (ScienceDirect: Falling for phishing attempts).

Correcting the testing framework
Organizations that have already implemented phishing simulation exercises and tests can consider the following framework as a guide to revamping or fine-tuning the mental-wellness aspects of their current approach. Those that have yet to implement such testing can similarly use the four key thrusts below to ensure that potential vendors and suppliers are updated in their approach to address fairness and inclusiveness:

  • Adopt the right intent and transparent communication
    Phishing simulations are only effective when employees understand their purpose and trust their intent:
    • Communicate clearly: Before launching any campaign, explain to all staff what phishing tests entail, and why they matter. Do not leave room for fear or surprise.
    • Articulate goals: Position simulations as a means to collective protection and professional growth: not as a tool for blame or punishment.
    • Avoid punitive consequences: First-time failures should be met with constructive feedback and education, not threats or disciplinary action.
      • Punishing failures with threats, fines, or disciplinary action creates a hostile environment and may discourage honest reporting or cooperation, which are critical for effective security.
      • Instead, organizations should focus on positive reinforcement, viewing mistakes as opportunities for growth and improvement. This approach fosters trust, reduces anxiety, and encourages a culture where employees feel supported rather than targeted.
      • For those who repeatedly fall victim to phishing simulations, additional training should be empathetic and aimed at addressing underlying causes such as workload stress or lack of understanding—not simply penalizing.
      • Clear communication that phishing tests are designed for team-wide protection — not to catch individuals out — reinforces this mindset and keeps morale intact.
  • Minimize manipulative tactics and maximize empathy
    Organizations need to avoid overreach tactics that weaponize employee psychology for short-term results:
    • Ban manipulative lures: Refrain from using emotional triggers such as fake bonuses, disciplinary threats, or messages that prey on personal fears.
    • Limit test frequency: Too many surprise campaigns breed fatigue and disengagement. Evidence suggests quarterly or biannual simulations are sufficient for most environments (TrustBuilder Ethical Phishing).
    • Protect privacy: Never publicize or ridicule personal failings. Security culture grows through collective resilience, not humiliation.
  • Foster a culture of support and mindfulness

    Research points to the power of positive reinforcement and adaptive learning in security education (Collard, Cyber-Mindfulness):
    • Reward reporting: Encourage employees to flag suspicious messages — even if they had already activated the payload — by recognizing proactive participation and offering incentives for vigilance.
    • Use adaptive feedback: Tailor follow-up training to individual risk profiles, ensuring support for those who struggle — without stigmatizing or singling them out.
    • Promote cyber-mindfulness: Integrate stress management and digital awareness programs into regular security education, reducing anxiety and boosting situational awareness.
  • Hold vendors and leadership accountable
    In a shared responsibility paradigm, the responsibility for ethical phishing testing lies both with software providers and organizational decision-makers:
    • Demand responsible solutions: Insist that vendors supply training modules that warn against punitive practices, highlight psychological risks, and offer guidance in supportive testing.
    • Audit program impact: Regularly assess not just the click rates but also the mental health and morale of staff. If feedback indicates harm, adjust strategies immediately.
    • Set cross-functional policy: Involve HR and wellness teams in designing simulation frameworks that balance security effectiveness with employee care.

Remember, the road to effectively enhanced corporate cybersecurity has to be paved not only with good intentions — education, resilience, and vigilance — but also with empathy, respect, and care for the workforce.


For employees, the onus is on them to improve their cyber awareness levels, seek support from team mates, and help others in turn when appropriate. For organizations and vendors alike, the real measure of success lies in cultivating a culture of shared accountability, trust, and wellbeing. Phishing tests should protect, empower, and unite — not divide or diminish.

Share:

PreviousBusiness SaaS firm discloses social engineering attack on third-party CRM platform
NextViewQwest Powers Next Stage of Enterprise Growth with Appointment of Chief Growth Officer

Related Posts

Passkeys make deeper inroads in 2023

Passkeys make deeper inroads in 2023

Monday, February 5, 2024

Countering unauthorized drone activity with advanced alerting functionality

Countering unauthorized drone activity with advanced alerting functionality

Thursday, June 11, 2020

Ukraine-Russian cyber war groups resorting to fake news for gaining mindshare

Ukraine-Russian cyber war groups resorting to fake news for gaining mindshare

Tuesday, March 8, 2022

Cybercriminals have their eyes on compromising software patches now

Cybercriminals have their eyes on compromising software patches now

Tuesday, July 23, 2024

Leave a reply Cancel reply

You must be logged in to post a comment.

Voters-draw/RCA-Sponsors

Slide
Slide
Slide
Slide
Slide
Slide
Slide
Slide
Slide
Slide
Slide
Slide
Slide
Slide
Slide
Slide
Slide
previous arrow
next arrow

CybersecAsia Voting Placement

Gamification listing or Participate Now

PARTICIPATE NOW

Vote Now -Placement(Google Ads)

Top-Sidebar-banner

Whitepapers

  • 2024 Insider Threat Report: Trends, Challenges, and Solutions

    2024 Insider Threat Report: Trends, Challenges, and Solutions

    Insider threats continue to be a major cybersecurity risk in 2024. Explore more insights on …Download Whitepaper
  • AI-Powered Cyber Ops: Redefining Cloud Security for 2025

    AI-Powered Cyber Ops: Redefining Cloud Security for 2025

    The future of cybersecurity is a perfect storm: AI-driven attacks, cloud expansion, and the convergence …Download Whitepaper
  • Data Management in the Age of Cloud and AI

    Data Management in the Age of Cloud and AI

    In today’s Asia Pacific business environment, organizations are leaning on hybrid multi-cloud infrastructures and advanced …Download Whitepaper
  • Mitigating Ransomware Risks with GRC Automation

    Mitigating Ransomware Risks with GRC Automation

    In today’s landscape, ransomware attacks pose significant threats to organizations of all sizes, with increasing …Download Whitepaper

Middle-sidebar-banner

Case Studies

  • CISOs can navigate emerging risks from autonomous AI with a new security framework

    CISOs can navigate emerging risks from autonomous AI with a new security framework

    See how security leaders can adopt layered strategies addressing intent, governance, and oversight to manage …Read more
  • MoneyMe strengthens fraud prevention and credit decisioning

    MoneyMe strengthens fraud prevention and credit decisioning

    Australian fintech strengthens risk management with SEON to scale lending operations securely and efficiently.Read more
  • PT Kereta Api Indonesia announces nationwide email and communication overhaul

    PT Kereta Api Indonesia announces nationwide email and communication overhaul

    The state railway operator’s upgraded email system improves privacy, operational reliability, and regulatory alignment for …Read more
  • Operationalizing sustainability in cybersecurity: Group-IB’s approach

    Operationalizing sustainability in cybersecurity: Group-IB’s approach

    See how the firm turned malware-group takedowns into measurements of sustainability and resilience gains: by …Read more

Bottom sidebar

  • Our Brands
  • DigiconAsia
  • MartechAsia
  • Home
  • About Us
  • Contact Us
  • Sitemap
  • Privacy & Cookies
  • Terms of Use
  • Advertising & Reprint Policy
  • Media Kit
  • Subscribe
  • Manage Subscriptions
  • Newsletter

Copyright © 2025 CybersecAsia All Rights Reserved.