Phishing Training Is Evolving: Debrief and Teachable Moments
New USF research shows training everyone — not just the clickers — builds lasting phishing defence. See how empowsec's new Debrief feature delivers.
The Old Playbook Is Showing Its Age
For more than a decade, the cybersecurity industry has treated one approach to phishing training as gospel: if an employee clicks a simulated phishing email, drop them onto a warning page and walk them through what they missed. Everyone else — the people who spotted the scam, deleted it, or simply ignored it — gets nothing. This model, known as embedded training, is considered a best practice across the anti-phishing industry.
New academic research suggests that "best practice" leaves most of the learning opportunity on the table — and that the moment of failure may be one of the worst possible times to teach.
What the USF Research Found
A study published in MIS Quarterly by Dezhi Yin and Matthew Mullarkey of the University of South Florida's Muma College of Business, alongside Gert-Jan de Vreede of the Stevens Institute of Technology and Moez Limayem of the University of North Florida, ran three large-scale experiments on a live phishing simulation platform. Thousands of participants received realistic simulated phishing emails. Some received instant feedback the moment they clicked; others received a delayed follow-up days later. The team then
Article details
Category: Security Awareness Tips. Published on Apr 10, 2026.