Programme Best Practices

Running a Successful Security Awareness Programme

PhishGrid is a tool — your programme design determines whether it actually changes behaviour. This guide covers the principles that separate effective programmes from box-ticking exercises.


Core principles

1. Measure, don't punish

The goal of a simulation is to identify gaps and close them through education — not to catch people out and embarrass them. Publicly shaming users who click erodes trust and makes them less likely to report real incidents. Keep individual results confidential; share only aggregated data with managers.

2. Train immediately after failure

The learning window is short. A user who just clicked a simulation link is highly receptive — they're engaged, slightly embarrassed, and motivated to understand what happened. Assign training within 48 hours of a campaign ending, ideally immediately upon the click.

3. Make reporting easy

The report rate is as important as the click rate. If users can't easily report suspicious emails, you're missing half your security programme. Deploy the PhishGrid Report Button to all email clients and promote it actively.

4. Increase difficulty gradually

Start with generic, easy-to-spot templates. As your team improves, increase difficulty. If you start with advanced spear-phishing, you'll demoralise users before they've built any awareness.

5. Communicate the "why"

Users who understand why the programme exists participate more willingly. Brief the organisation before launching — explain that simulations are about making everyone safer, not about catching people out.

6. Get leadership buy-in

Include executives in simulations (they're often the highest-value targets for real attackers). When leadership participates, the programme is taken more seriously across the organisation.


Month 1 — Baseline

  • Run a generic phishing campaign across all staff (low difficulty)
  • Measure baseline phish rate and report rate
  • Assign awareness training to all clickers
  • Promote the report button

Month 2–3 — Build awareness

  • Follow-up campaign with similar difficulty to baseline
  • Compare phish rate — is it improving?
  • Train any remaining high-risk individuals

Quarter 2 onward — Targeted and escalating

  • Segment by department and run targeted campaigns
  • Increase template difficulty for groups that have improved
  • Introduce vishing simulations for higher-risk roles
  • Monthly or quarterly reporting to leadership

Ongoing — Sustain and test

  • Quarterly minimum for all staff
  • Event-driven campaigns (after real incidents, new attack types in the news)
  • Annual spear-phishing test for executives and privileged users
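The roadmap above asks you to measure phish rate and report rate, compare them between campaigns, segment by department, and share only aggregated results while still assigning training to everyone who clicked. The script below is an added example, not PhishGrid's own code or export format: it works on a constructed list of per-recipient campaign records (the Recipient layout, the department names and the five-person minimum group size are assumptions), aggregates by department, suppresses groups too small to keep individuals anonymous, compares two campaigns, and produces the training queue separately from the figures that go to managers.

```python
"""Aggregate phishing-simulation results the way this guide recommends:
group-level phish rate and report rate for managers, suppression of small
groups, campaign-to-campaign comparison, and a separate training queue.

Added example; not PhishGrid code. Record layout and thresholds are assumed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumption: groups smaller than this are not reported, so that a manager
# cannot work out who clicked from a department-level figure.
MIN_GROUP_SIZE = 5


@dataclass(frozen=True)
class Recipient:
    user_id: str
    department: str
    clicked: bool    # opened the simulation link
    reported: bool   # used the report button (possible even after clicking)


# Constructed sample results for one campaign; not real data.
CAMPAIGN = [
    Recipient("u01", "Finance", clicked=True, reported=False),
    Recipient("u02", "Finance", clicked=False, reported=True),
    Recipient("u03", "Finance", clicked=False, reported=True),
    Recipient("u04", "Finance", clicked=True, reported=True),
    Recipient("u05", "Finance", clicked=False, reported=False),
    Recipient("u06", "Engineering", clicked=False, reported=True),
    Recipient("u07", "Engineering", clicked=False, reported=True),
    Recipient("u08", "Engineering", clicked=True, reported=False),
    Recipient("u09", "Engineering", clicked=False, reported=False),
    Recipient("u10", "Engineering", clicked=False, reported=True),
    Recipient("u11", "Engineering", clicked=False, reported=False),
    Recipient("u12", "Legal", clicked=True, reported=False),
    Recipient("u13", "Legal", clicked=False, reported=True),
]


def rates(records):
    """Return (phish_rate, report_rate) for a list of recipients."""
    n = len(records)
    if n == 0:
        return 0.0, 0.0
    clicks = sum(1 for r in records if r.clicked)
    reports = sum(1 for r in records if r.reported)
    return clicks / n, reports / n


def group_metrics(records, min_group_size=MIN_GROUP_SIZE):
    """Department-level figures suitable for sharing with managers.

    Departments below min_group_size map to None (suppressed) rather than
    being dropped, so the reader can see that a group exists but is withheld.
    """
    by_dept = defaultdict(list)
    for r in records:
        by_dept[r.department].append(r)
    out = {}
    for dept, recs in sorted(by_dept.items()):
        if len(recs) < min_group_size:
            out[dept] = None
            continue
        phish, report = rates(recs)
        out[dept] = {
            "recipients": len(recs),
            "phish_rate": round(phish, 3),
            "report_rate": round(report, 3),
        }
    return out


def trend(baseline, followup):
    """Change in phish rate per department between two group_metrics results.

    Negative values mean improvement. Departments suppressed in either
    campaign are omitted.
    """
    deltas = {}
    for dept, before in baseline.items():
        after = followup.get(dept)
        if before is None or after is None:
            continue
        deltas[dept] = round(after["phish_rate"] - before["phish_rate"], 3)
    return deltas


def training_queue(records):
    """User IDs to assign awareness training to (clickers only).

    This is the only output that names individuals; it feeds the training
    workflow and is not part of what managers receive.
    """
    return sorted(r.user_id for r in records if r.clicked)


if __name__ == "__main__":
    for dept, m in group_metrics(CAMPAIGN).items():
        print(dept, "suppressed (group too small)" if m is None else m)
    print("training queue:", training_queue(CAMPAIGN))
```

Run it as-is to see the Finance and Engineering rates, the suppressed Legal group, and the four users queued for training. Replacing CAMPAIGN with records exported from your own platform and calling trend() on the baseline and follow-up results gives the Month 2-3 comparison the roadmap asks for.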

Common mistakes to avoid

Mistake                                        Better approach
Only sending easy templates                    Gradually increase difficulty as awareness grows
Running campaigns but skipping training        Training after every campaign is non-negotiable
Sharing individual results with managers       Share aggregated group results only
Running annually and calling it done           Quarterly minimum; more for high-risk groups
Not measuring report rate                      Click rate and report rate are equally important
Treating compliance as the goal                Compliance is the floor — behaviour change is the goal