Phishing Training Is Evolving: Debrief and Teachable Moments

Marcus Chen · 6 min read

The Old Playbook Is Showing Its Age

For more than a decade, the cybersecurity industry has treated one approach to phishing training as gospel: if an employee clicks a simulated phishing email, drop them onto a warning page and walk them through what they missed. Everyone else — the people who spotted the scam, deleted it, or simply ignored it — gets nothing. This model, known as embedded training, is considered a best practice across the anti-phishing industry.

New academic research suggests that "best practice" leaves most of the learning opportunity on the table — and that the moment of failure may be one of the worst possible times to teach.

What the USF Research Found

A study published in MIS Quarterly by Dezhi Yin and Matthew Mullarkey of the University of South Florida's Muma College of Business, alongside Gert-Jan de Vreede of the Stevens Institute of Technology and Moez Limayem of the University of North Florida, ran three large-scale experiments on a live phishing simulation platform. Thousands of participants received realistic simulated phishing emails. Some received instant feedback the moment they clicked; others received a delayed follow-up days later. The team then tracked how those participants fared against fresh phishing attempts over the following weeks and months.

Their findings challenged the industry orthodoxy on two counts.

"Giving feedback only to the people who clicked the 'fake' phishing email misses a big opportunity. We found that employees learn better when everyone — even those who didn't fall for it — gets a follow-up message explaining the phishing test." — Dezhi Yin, University of South Florida

The Two Blind Spots in Just-in-Time Training

The researchers identified two specific shortcomings in the traditional embedded training model:

  1. Limited reach. Only the employees who fail the test receive any training. The ones who spotted the scam may be just as unprepared for the next, more sophisticated attack — they simply got lucky on this one.
  2. Counterproductive timing. Catching employees at the exact moment of failure can backfire. Feeling exposed or caught out, people become defensive. The emotional reaction crowds out the intended lesson.

The alternative the researchers recommend is what they call a non-embedded approach: feedback delivered to the entire group after the simulation has run its course, reframing the exercise as a shared, blame-free learning moment. The delayed, universal approach produced stronger recognition of phishing attempts and longer-lasting behaviour change across the study's follow-up windows.

Introducing Debrief: Every Employee Gets the Lesson

Debrief is a new feature in empowsec that maps almost exactly onto the USF team's recommendation. When an administrator launches a phishing simulation, they can enable Debrief and set a delay — three days by default — after which the platform automatically dispatches a personalised follow-up to every participant.

Each debrief contains:

  • The campaign name and a short recap of the exercise
  • Aggregate campaign statistics: open rate, click rate, report rate and reply rate
  • The specific red flags hidden in the phishing template, so employees can see exactly what they were supposed to notice
  • A customisable message from the security team, with personal variables like the recipient's first name, department and company name

For organisations using the empowsec mobile app, debriefs also trigger a push notification so employees can revisit the content from their dashboard at any time. The debrief is stored in the platform too, giving everyone a shared reference point long after the campaign has wrapped.

The design is deliberately universal. An employee who recognised the scam gets the same educational content as one who clicked — reinforcing their instincts and teaching them the exact indicators that tripped up their peers. That is precisely the pattern the USF team found to drive lasting behaviour change.
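As an added illustration (this is not empowsec's code and nothing in it is taken from the platform), the following Python sketches the mechanism this section describes: campaign rates computed once over the whole recipient list, a message template with the recipient's first name, department and company substituted in, and dispatch to every participant, clicker or not, only after the configured delay has elapsed. The event schema, the Campaign and Participant types, the template wording and the sample data are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from string import Template

EVENT_KINDS = ("opened", "clicked", "reported", "replied")  # assumed platform schema

@dataclass(frozen=True)
class Participant:
    email: str
    first_name: str
    department: str

@dataclass
class Campaign:
    name: str
    company: str
    ended_at: datetime      # when the simulation stopped collecting results
    red_flags: list         # indicators planted in the phishing template
    participants: list      # every recipient, not only the clickers
    events: list            # (email, kind) tuples recorded by the platform
    admin_message: str      # security-team text; may use $first_name etc.
    debrief_delay: timedelta = timedelta(days=3)

def campaign_stats(campaign):
    """Rates over all recipients; a recipient counts once per event kind,
    so a double click does not inflate the click rate."""
    total = len(campaign.participants)
    seen = {kind: set() for kind in EVENT_KINDS}
    for email, kind in campaign.events:
        if kind not in seen:
            raise ValueError(f"unknown event kind: {kind!r}")
        seen[kind].add(email)
    return {f"{k}_rate": (len(v) / total if total else 0.0) for k, v in seen.items()}

DEBRIEF = Template("""\
Hi $first_name,

The "$campaign" email that reached $department at $company was an authorised
phishing simulation run by your own security team. No attacker was involved
and no device was compromised.

Across the whole organisation: $opened_rate opened it, $clicked_rate clicked
the link, $reported_rate reported it and $replied_rate replied.

The red flags planted in the email were:
$red_flags

Whether or not you spotted them this time, these are the indicators to look for next time.

$admin_message
""")

def render_debrief(campaign, participant, stats):
    """One personalised debrief. Only aggregate numbers appear; the recipient's
    own click/report status is deliberately left out (blame-free)."""
    personal = {"first_name": participant.first_name,
                "department": participant.department,
                "company": campaign.company}
    # substitute() raises KeyError on an unknown $variable, so a typo in the
    # admin message fails at render time instead of reaching employees.
    admin_text = Template(campaign.admin_message).substitute(personal)
    fields = dict(personal, campaign=campaign.name, admin_message=admin_text,
                  red_flags="\n".join(f"  - {f}" for f in campaign.red_flags),
                  **{k: f"{v:.0%}" for k, v in stats.items()})
    return DEBRIEF.substitute(fields)

def due_debriefs(campaign, now):
    """(email, body) for EVERY participant once the delay has elapsed, else [].
    Non-clickers get the same lesson: the universal, non-embedded pattern."""
    if now < campaign.ended_at + campaign.debrief_delay:
        return []
    stats = campaign_stats(campaign)
    return [(p.email, render_debrief(campaign, p, stats)) for p in campaign.participants]

# Constructed sample data; not results from any real campaign.
SAMPLE = Campaign(
    name="Q3 Payroll Update", company="Example Corp",
    ended_at=datetime(2024, 9, 2, 17, 0),
    red_flags=["Sender domain exarnple-corp.com ('rn' instead of 'm')",
               "Link text says payroll.example.com but points elsewhere"],
    participants=[Participant("ana@example.com", "Ana", "Finance"),
                  Participant("ben@example.com", "Ben", "Finance"),
                  Participant("chloe@example.com", "Chloe", "Engineering"),
                  Participant("dev@example.com", "Dev", "Engineering")],
    events=[("ana@example.com", "opened"), ("ana@example.com", "clicked"),
            ("ana@example.com", "clicked"),        # duplicate, counted once
            ("ben@example.com", "opened"), ("ben@example.com", "reported"),
            ("chloe@example.com", "opened")],      # Dev never opened it
    admin_message="Questions, $first_name? Ask the $department security champion.",
)

if __name__ == "__main__":
    for email, body in due_debriefs(SAMPLE, datetime(2024, 9, 6)):
        print(f"--- to: {email}\n{body}")
```

Two design points worth keeping if you build something like this: the delay gate lives in the scheduler (`due_debriefs` returns nothing until the window has passed) rather than in the sender, so a retry cannot send early; and the rendered text carries only aggregate rates, never the individual's own result, which is what keeps the message blame-free for the employee who clicked.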

Teachable Moments, Reimagined

The USF research doesn't suggest eliminating the click-time intervention entirely — but it does warn against making it feel punitive. Defensive employees don't learn; they justify.

Teachable Moments is empowsec's answer. Instead of a shaming "gotcha" landing page, an employee who clicks a simulated phishing link is taken to a calm, reassuring screen that makes three things immediately clear:

  • The email was an authorised security test from their own organisation
  • Their device has not been compromised and no real damage has occurred
  • Here are the exact red flags they could have spotted — explained in plain language, with no blame

Where it makes sense, a Teachable Moment can also trigger an automatically assigned refresher course, closing the loop between the simulation and the rest of an organisation's security awareness training curriculum. But the touchpoint itself is deliberately supportive. The goal is to lower the emotional temperature of the moment, not raise it.

Combined with the universal Debrief that follows a few days later, Teachable Moments become one part of a larger feedback loop rather than a standalone punishment.

Why This Matters as AI Supercharges Phishing

The USF study lands at a moment when phishing is getting significantly harder to spot. Generative AI has erased the grammar mistakes and awkward translations that used to give attackers away. Deepfake voice and video are now cheap enough to use in targeted attacks. The red flags that worked for training in 2020 simply don't cover every modern attempt.

In that environment, who receives training matters as much as what the training covers. If only the employees who already failed get a follow-up, an organisation is building its defences around its weakest recent performers — while the rest of the workforce drifts further out of date. Universal reinforcement closes that gap.

As Yin put it: "Employees are widely considered the last line of defense in the anti-phishing training industry. Non-embedded training provides a more effective alternative to fortify this last defense than the status quo."

Key Takeaways

  • Train everyone, not just the clickers. Peer-reviewed research now shows that employees who spotted the scam benefit from a debrief too — and retain the lesson longer.
  • Delay the follow-up. A few days between the simulation and the debrief gives employees space to process without defensiveness.
  • Keep click-time interventions kind. Shaming landing pages create defensive reactions that block learning. Reassurance is a better teacher than embarrassment.
  • Close the loop. Pair in-the-moment Teachable Moments with a universal Debrief and optional remedial training for a complete feedback cycle.
  • Review your current phishing simulation platform. If it only trains the employees who fail, you're leaving most of the learning opportunity on the table.

Debrief and Teachable Moments are available now in empowsec. Existing customers will find them as campaign-level options when creating or editing a phishing simulation — no configuration required beyond enabling the features and choosing a delay.
