Why Your Employees Keep Clicking
(and It’s Not Because They’re Dumb)
Dear CISO,
You don’t need another phishing dashboard.
You need fewer repeat names on the list.
You’ve rolled out awareness campaigns, trained, tested, re-tested, and still — someone clicks.
Every. Single. Quarter.
Then, in the post-mortem, someone mutters the magic words:
“It was human error.”
But you and I both know that’s lazy.
It wasn’t “error.” It was predictability.
Humans Aren’t the Weakest Link — They’re the Easiest Pattern
Hackers have cracked something we still overcomplicate: the human mind.
They don’t need new malware when centuries of psychology work just fine.
Urgency.
“Do it now or lose everything.”
The same FOMO trick airlines use — now in your inbox, complete with countdown timer.
Authority.
“From: CEO@company.co”
If the “boss” says buy gift cards, nobody stops to ask if the boss suddenly discovered retail therapy.
Curiosity.
“Oooh, what’s this?”
Half your staff clicks just to see what happens. Spoiler: malware happens.
Hackers don’t hack systems first — they hack instincts.
My Wake-Up Call
Once, I had a list — the repeat offenders.
Same names, same clicks, same “Oops, my bad.”
We coached them, we retrained them, we even resent the same phish with all the red flags circled like a pop quiz.
Guess what?
They failed it again.
That’s when I stopped blaming awareness.
This wasn’t ignorance. It was culture — and the absence of consequence.
If clicking twice costs nothing, then it means nothing.
The Real Problem With Phishing Programs
You know the cycle:
Test → Click → Report → Move on.
No conversation. No feedback. No consequence. Just rinse and repeat.
That’s not resilience — that’s background noise.
Culture can’t change when clicks don’t carry weight.
The Economics of a Click
Every compromised credential costs roughly $1,200–$2,000 in soft losses — investigation, downtime, containment, cleanup.
Now multiply that by your annual repeat-click rate.
That’s not “training budget.” That’s behavioral debt.
You can pay it now — with reinforcement — or pay it later, with incident response.
So What Works?
(Spoiler: Not More Videos)
Targeted Coaching
Bring repeat-clickers in. Not to shame, but to decode.
Ask: “What made you act?”
Train the instinct, not the intellect.
Peer Learning Debriefs
Pair the “clickers” with those who spotted the phish.
Nothing drives learning faster than hearing, “Here’s how I caught it.”
Tiered Accountability
Map escalation clearly:
First repeat → Coaching.
Second → Manager loop-in.
Third → HR involvement or limited access until retrained.
Accountability ≠ punishment. It’s feedback with teeth.
Positive Reinforcement
Celebrate recoveries.
Reward those who report suspicious emails or improve post-failure.
Culture shifts faster when success feels visible.
What to Measure
(Beyond Click Rate)
If you’re still reporting “phish-click %” to the board, it’s time to evolve.
Better metrics:
Reduction in repeat offenders quarter over quarter.
Average time-to-report suspicious emails.
Manager participation rate in coaching.
Improvement ratio — how many recover, not just how many fail.
Flat numbers = wallpaper culture.
Movement = maturity.
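The metrics above and the three escalation tiers are easy to state and surprisingly easy to compute badly. The script below is an added example, not part of the letter or of any vendor's phishing platform: it builds a per-quarter scorecard from constructed simulation records. Its definitions are assumptions chosen for the example: a "repeat offender" in a quarter is someone who clicked this quarter and had already clicked in an earlier one (so the count can fall quarter over quarter, unlike a cumulative tally); the escalation tier is driven by cumulative clicks beyond the first; the improvement ratio is the share of last quarter's clickers who did not click this quarter. The user names, quarters and timings are made up.

```python
"""Phishing-program scorecard beyond raw click rate (constructed example).

Each SimResult is one user's outcome in one simulated phish. Quarters are
ordered by QUARTERS. A "repeat" in a quarter means the user clicked this
quarter and had already clicked in at least one earlier quarter.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Optional


@dataclass(frozen=True)
class SimResult:
    quarter: str
    user: str
    clicked: bool
    reported: bool
    minutes_to_report: Optional[int]  # None when the user never reported


@dataclass(frozen=True)
class CoachingSession:
    quarter: str
    user: str
    manager_attended: bool


QUARTERS = ["2024Q1", "2024Q2", "2024Q3"]  # constructed reporting periods

# Constructed sample data: five users over three quarterly simulations.
RESULTS = [
    SimResult("2024Q1", "ana", True, False, None),
    SimResult("2024Q1", "ben", True, False, None),
    SimResult("2024Q1", "cho", False, True, 12),
    SimResult("2024Q1", "dee", True, True, 45),   # clicked, then reported
    SimResult("2024Q1", "eli", False, True, 8),
    SimResult("2024Q2", "ana", True, False, None),
    SimResult("2024Q2", "ben", True, False, None),
    SimResult("2024Q2", "cho", False, True, 10),
    SimResult("2024Q2", "dee", False, True, 20),  # recovered after Q1
    SimResult("2024Q2", "eli", False, True, 6),
    SimResult("2024Q3", "ana", True, False, None),
    SimResult("2024Q3", "ben", False, True, 30),  # recovered after Q2
    SimResult("2024Q3", "cho", False, True, 9),
    SimResult("2024Q3", "dee", False, True, 15),
    SimResult("2024Q3", "eli", False, True, 5),
]
SESSIONS = [
    CoachingSession("2024Q2", "ana", True),
    CoachingSession("2024Q2", "ben", False),
    CoachingSession("2024Q3", "ana", True),
]


def _earlier(quarter):
    """Quarters strictly before `quarter`, in program order."""
    return QUARTERS[:QUARTERS.index(quarter)]


def clickers_in(results, quarter):
    return {r.user for r in results if r.quarter == quarter and r.clicked}


def repeaters_in(results, quarter):
    """Users who clicked in `quarter` and had clicked in an earlier quarter."""
    prior = set().union(*(clickers_in(results, q) for q in _earlier(quarter)))
    return sorted(clickers_in(results, quarter) & prior)


def escalation_tier(repeat_count):
    """The letter's tiers, indexed by clicks beyond the first."""
    if repeat_count <= 0:
        return "none"
    if repeat_count == 1:
        return "coaching"
    if repeat_count == 2:
        return "manager loop-in"
    return "HR involvement / limited access until retrained"


def escalations(results, quarter):
    """Tier owed to each repeater in `quarter`, from cumulative clicks so far."""
    through = _earlier(quarter) + [quarter]
    out = {}
    for user in repeaters_in(results, quarter):
        clicks = sum(1 for r in results
                     if r.user == user and r.clicked and r.quarter in through)
        out[user] = escalation_tier(clicks - 1)
    return out


def avg_minutes_to_report(results, quarter):
    """Mean time-to-report among users who reported; None if nobody did."""
    times = [r.minutes_to_report for r in results
             if r.quarter == quarter and r.reported and r.minutes_to_report is not None]
    return mean(times) if times else None


def manager_participation(sessions, quarter):
    """Fraction of coaching sessions the manager attended; None if none held."""
    held = [s for s in sessions if s.quarter == quarter]
    return sum(s.manager_attended for s in held) / len(held) if held else None


def improvement_ratio(results, quarter):
    """Share of last quarter's clickers who did not click this quarter."""
    earlier = _earlier(quarter)
    last = clickers_in(results, earlier[-1]) if earlier else set()
    if not last:
        return None
    return len(last - clickers_in(results, quarter)) / len(last)


def scorecard(results, sessions):
    """One row per quarter: the movement numbers, not just a click percentage."""
    return {q: {"repeat_offenders": len(repeaters_in(results, q)),
                "avg_minutes_to_report": avg_minutes_to_report(results, q),
                "manager_participation": manager_participation(sessions, q),
                "improvement_ratio": improvement_ratio(results, q),
                "escalations": escalations(results, q)} for q in QUARTERS}


if __name__ == "__main__":
    for q, row in scorecard(RESULTS, SESSIONS).items():
        print(q, row)
```

On this sample the repeat-offender count drops from 2 in Q2 to 1 in Q3, the improvement ratio rises from one third to one half, and the one remaining repeater has reached the manager loop-in tier; that is the kind of movement the section argues a board should see, rather than a single flat percentage.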
Your Job Isn’t to Stop Every Click
It’s to make sure every click means something.
A click should trigger reflection, not resignation.
It should lead to a conversation, not a cleanup ticket.
Each one is telemetry — data about how your people perceive pressure, authority, and consequence.
Hackers read those signals faster than most organizations do.
It’s time we caught up.
Sincerely,
A fellow defender who’s tired of blaming humans.
Because “human error” isn’t the cause —
it’s the consequence of leadership silence.
And hackers? They’re just betting you won’t follow through.
CISO Takeaway
Humans aren’t dumb — they’re designed to respond.
Clicks aren’t failure — they’re feedback.
“Human error” = unreinforced behavior.
Culture without consequence is wallpaper.
Build feedback loops, not finger-pointing.