Cybersecurity Today – “Final Encore Episode: Research, Cybersecurity Awareness and Training”
Host: Jim Love
Guests: Michael Joyce (CEO, Human Centric Cybersecurity Partnership, U Montreal), David Shipley (CEO, Beauceron Security)
Date: January 3, 2026
Episode Overview
This episode centers on the intersection of academic cybersecurity research and real-world practices in cyber awareness and training. Jim Love hosts a candid, data-driven discussion with Michael Joyce and David Shipley about what actually works in human-centric cybersecurity defense, the impact and decay of cybersecurity awareness, the effectiveness (and pitfalls) of training, and the dangers of over-simplified, headline-driven industry conclusions. The dialogue is anchored in recently published large-scale research from Beauceron Security and the University of Montreal, providing rare clarity on how often—and how—organizations should train their employees, what motivates users to report or ignore threats, and how to evaluate research responsibly.
Key Discussion Points and Insights
1. Human-Centric Cybersecurity Research in Canada
- [02:15] Michael Joyce explains UMontreal’s Human Centric Cybersecurity Partnership:
  - Focuses on cybersecurity through the humanities, social and behavioral sciences, complementing technical research.
  - Tackles projects from “defending democracy” to practical security interface design, making security usable and effective for real people.
  - “They’re going humanities, psychology, behavioral sciences, political science first... trying to find some more lasting solutions.” —Michael Joyce
- [03:46] Host Jim Love laments the lack of recognition for Canadian university research, urging pride in and awareness of academic contributions to global cybersecurity.
2. The Messy Human Problem in Cybersecurity
- [04:14-06:18] David Shipley, with a liberal arts background, champions the need to complement hard STEM approaches with human and cultural insights.
- The conversation elicits the recurring industry admission: “the technology is not the problem, buddy. It’s culture, it’s people, it’s behavior... and then we’ll immediately start talking about the tech again.” —Jim Love ([04:51])
- Industry often prefers technical solutions because they're quantifiable; human issues feel messier, harder to measure, and easier to sideline.
3. The Ethics and Value of Research Collaboration
- [07:24-08:54] David Shipley discusses partnering with independent academic researchers:
  - Ensures broader perspectives and increased research validity.
  - “Go find researchers who know things you don't... it gives greater validity to some of the findings.” —David Shipley
- Jim Love highlights the common pitfall of commercial bias in corporate research, emphasizing the importance of independent review and humility.
4. The Impact and Limits of Cybersecurity Awareness Month
Big Data, Big Insights: What Actually Changes
- [13:08] Joyce and Shipley explain their access to a historic dataset covering 700+ Canadian organizations and 250,000 people.
- [14:37] Key Findings:
  - Increase in Activity: October (Cybersecurity Awareness Month) led to 13–23% more phishing simulations.
  - Behavioral Change: Phishing click rates dropped by 11–12%, and reports of real phishing emails increased by 6–16%.
  - Reporting Fatigue: Reports of phishing simulations actually dropped by 5–7%, suggesting possible security fatigue.
  - Takeaway: Awareness initiatives drive action, but overdoing it may backfire (“security fatigue”).
- Memorable Quote:
  “We can say that during the month of October... there is a decrease in the clicks on phishing simulation emails of above 10%... But in phishing simulation reporting, there is a decrease. So... it might speak to perhaps security fatigue.”
  —Michael Joyce ([14:37])
5. The Goldilocks Zone of Phishing Simulation Frequency
- [19:06-23:15] David Shipley discusses findings on simulation frequency:
  - Phishing More Than Monthly: Click rate 3.5%, report rate 20%
  - Phishing Monthly (best outcome): Click rate 3.05%, report rate 25%
  - Phishing Less Than Monthly: Click rate 5%, report rate 15%
  - A monthly cadence with ethical, unpredictable, and meaningful simulations (not punitive “gotchas”) is most effective.
- [21:40] Shipley’s story: a woman caught by a Taco Bell phishing sim was sent to three hours of “Taco Bell Alcatraz” training; used as a caution against punitive or excessive measures.
  “No, guys, this is not the way to do this... You know, there's a way to do phishing well, there are a lot of ways to do it horribly.” —David Shipley
6. Awareness as a Temporary State—And the Nature of Decay
- [23:49-28:36] Michael Joyce deconstructs “awareness”:
  - Awareness/vigilance fades; it’s not a permanent “state change.”
  - Training isn’t a software patch; humans are wired to return to baseline vigilance quickly.
- Decay Curve:
  - Right after training: 98%+ likely to report
  - 1 month: 97%, 3 months: 90%, 6 months: 60%, 1 year: 4%
  - [39:43] Click probabilities after training: 3.5% → 5.7% (30 days) → 9.3% (90d) → 22% (120d) → 45% (6mo) → 95% (1yr)
- Key Insight: Most employees do “nothing” because it costs the least effort (the “caloric” explanation), followed by deleting or reporting. Not reporting isn’t apathy; sometimes it’s efficiency.
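To show what the decay figures above imply for training cadence, here is an added example (not code from the episode, Beauceron, or UMontreal) that turns the quoted click probabilities into a time-averaged click probability per training interval. It assumes a constructed model: straight lines between the quoted points, and every training session resetting vigilance to the immediately-post-training value; the function names are my own.

```python
# Constructed model of the episode's click-probability decay curve.
# Assumption: piecewise-linear interpolation between the quoted points, and
# each training session resets the learner to the day-0 value.

# (days since training, probability of clicking a phish), as quoted at [39:43]
CLICK_DECAY = [(0, 0.035), (30, 0.057), (90, 0.093), (120, 0.22), (180, 0.45), (365, 0.95)]


def click_probability(day: float, curve=CLICK_DECAY) -> float:
    """Interpolate the click probability `day` days after the last training."""
    if day <= curve[0][0]:
        return curve[0][1]
    if day >= curve[-1][0]:
        return curve[-1][1]
    for (d0, p0), (d1, p1) in zip(curve, curve[1:]):
        if d0 <= day <= d1:
            return p0 + (p1 - p0) * (day - d0) / (d1 - d0)
    raise ValueError("day outside curve")  # unreachable given the guards above


def mean_click_probability(cadence_days: float, curve=CLICK_DECAY) -> float:
    """Average click probability over one interval between training sessions.

    Integrates the piecewise-linear curve exactly (one trapezoid per segment)
    from day 0 up to the next session, then divides by the interval length.
    """
    if cadence_days <= 0:
        raise ValueError("cadence must be positive")
    total = 0.0
    for (d0, p0), (d1, _) in zip(curve, curve[1:]):
        if d0 >= cadence_days:
            break
        end = min(d1, cadence_days)
        total += (p0 + click_probability(end, curve)) / 2 * (end - d0)
    if cadence_days > curve[-1][0]:
        # Beyond the last quoted point, hold the final value flat.
        total += curve[-1][1] * (cadence_days - curve[-1][0])
    return total / cadence_days


if __name__ == "__main__":
    for label, days in [("monthly", 30), ("quarterly", 90), ("annual", 365)]:
        print(f"{label:>9}: mean click probability {mean_click_probability(days):.1%}")
```

Under these assumptions the interval average climbs from about 4.6% (monthly) to 6.5% (quarterly) to roughly 44% (annual), which is the arithmetic behind “once a year is not enough”; the measured cadence figures in section 5 come from separate observations, not from this model.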
7. Reporting and Motivation—Why (and Why Not) People Report
- [30:14-34:48] Shipley: Reporting is a benevolent behavior with a cost. Motivation to report must be sustained with feedback loops that make it worth the user’s time.
  - Closing the loop (“here’s what you reported and why it matters”) significantly boosts report rates (to 50%+ in organizations that do it well).
  “Reporting can help protect everybody... But the other deeper opportunity is that reporting is more beneficial to you than not reporting... So we got to make it worth more.” —David Shipley
- [35:17] Joyce: Reporting is a distinct behavior from clicking; motivations, decay curves, and implications all differ.
8. Why People Click—Motivations Unmasked
- [45:44-50:00] New Beauceron survey of 4,500+ clickers (across 211 orgs):
  - Top reasons for clicking:
    - “It looked legitimate / I was expecting something similar” (50%, i.e., mimicry).
    - “I was rushing” (17%).
    - “I don’t remember” (21%).
    - “Curious” (6%) and “Afraid” (5%) were much smaller motivators than expected.
  - Interpretation: Many clicks reflect work habits (speed, volume) more than emotional manipulation or lack of training.
  “(Rushing and memory lapses) means that 38% of clicks, I hypothesize, have more to do with the how we work with email than any of the inherent knowledge...” —David Shipley
9. The Black Hat Controversy—Why Headlines Can Harm
- [55:33-66:20] The trio addresses recent headlines claiming “phishing training doesn’t work,” criticizing the over-simplification:
  - The referenced academic study in fact only proved that annual training alone is insufficient.
  - Most industry clickbait headlines misrepresent findings, creating harmful narratives.
  - “What passes for research at times in this industry is appalling... If you’re going to say something like all phishing training is useless, I want receipts.” —Jim Love ([69:47])
  - Shipley notes baseline click rates in untrained orgs are ~30%, far higher than among those with any meaningful program.
  - Training effectiveness, delivery mechanisms, feedback loops, and frequency all affect outcomes, but the worst approach is doing nothing.
10. Critical Thinking, Not Cynicism
- [81:49–end] Final takeaways:
- Think critically, not cynically, about security training, research, and headlines.
- Cybersecurity education must be part of layered defense (“defense in depth”).
- Ignore absolutes—effective programs are about optimizing frequency, feedback, and engagement.
- Forge partnerships between practitioners and researchers; seek empiricism and ongoing measurement.
Key Quotes & Memorable Moments
- On vigilance and decay:
  “If you train somebody on something once and you provide them awareness, it is not a software patch. You cannot expect them to maintain that state of awareness.”
  —Michael Joyce ([00:35, 24:25])
- On data-driven results:
  “Awareness does something. The idea that awareness does nothing—we have data to suggest that it changes how companies interact with their employees and how employees interact with the phishing simulations... but it seems to have a temporal limitation.”
  —Michael Joyce ([43:59])
- On optimal frequency:
  “Annual cybersecurity training as our data has shown... will not move the needle in an impactful way on phishing risk. ...Once a year is not enough.”
  —David Shipley ([41:28])
- On misleading research:
  “What passes for research at times in this industry is appalling. …[If] you’re going to say something like all phishing training is useless, I want receipts, I want data before you say something like that.”
  —Jim Love ([69:47])
- On layered defenses:
  “We have claimed for ages that we need layers. We need layered defenses. The second thing that we've claimed is that people are our greatest defense. So let's stop talking about people as our greatest weakness. Let's talk about people as our greatest defense.”
  —Jim Love ([81:56])
Timestamps for Important Segments
| Topic/Segment | Timestamp |
|---|---|
| Human-centric research at UMontreal | [02:15] – [03:46] |
| People vs. technology/culture in security | [04:14] – [06:18] |
| Ethics and value of academic–corporate collab | [07:24] – [08:54] |
| Dataset overview, Cyber Awareness Month impact | [13:08] – [14:37] |
| Phishing sim frequency Goldilocks zone | [19:06] – [23:15] |
| Awareness as state, decay over time | [23:49] – [28:36] |
| Reporting motivation & feedback loops | [30:14] – [35:17] |
| Why people click: survey & insights | [45:44] – [50:00] |
| Black Hat, headlines controversy | [55:33] – [66:20] |
| Conclusion: defense in depth, critical thinking | [81:49] – [end] |
Practical Takeaways
- Monthly randomized phishing simulations (with ethical boundaries and unpredictability) produce the best outcomes.
- Phishing awareness is not permanent—skills degrade rapidly, with significant loss in vigilance after 90 days; annual training is insufficient.
- Reporting is a separate behavior from “not clicking”; must be encouraged via feedback.
- Motivations for clicking are usually benign—mimicry, “I was rushing,” and “I don’t remember,” rather than fear or ignorance.
- Overreliance on headlines and single studies is dangerous; always seek the nuance, context, and lived experience in application and research results.
- Partnerships between researchers and practitioners are essential for evolving, optimizing, and validating cybersecurity programs.
Closing Thoughts
The episode makes an eloquent case for interdisciplinary humility, the value of empiricism, and the importance of critical (not cynical) reading of both research and media on cybersecurity awareness. The findings are clear: neither too much nor too little training works. The “Goldilocks solution” is a measured, data-driven approach—one that treats users as assets, not liabilities, and centers on practical, psychologically-informed, and constantly-refined programs.
[Prepared for those who want actionable insights without sitting through the full episode—quotes and context provided for credibility and further listening.]
