Podcast Summary: "In-Depth Look at Phishing and Cybersecurity Culture with David Shipley"
Cybersecurity Today | Host: Jim Love | Guest: David Shipley (CEO, Beauceron Security)
Date: January 31, 2026
Episode Overview
This episode takes a deep dive into the current state of phishing threats and the effectiveness of cybersecurity culture, focusing on original research conducted by Beauceron Security in partnership with the University of Montreal. Host Jim Love interviews David Shipley, Beauceron's CEO and regular Cybersecurity Today co-host, exploring new findings on phishing simulations, behavioral training, and the critical role of workplace culture in defending against cyberattacks.
Key Discussion Points and Insights
1. Clarifying Phishing: What It Really Means
- Definition and Scope ([05:54]):
- Phishing is more than credential theft via email; it includes social engineering attacks through email, SMS ("smishing"), phone ("vishing"), and social media.
- Core concept: manipulation via electronic communications to get someone to act against their interests.
- Quote – David Shipley:
"Phishing...is the expert use of electronic communications as a delivery mechanism to do manipulation, to get somebody to do something that is against their interest and benefits you...It works on a biological, neurological, psychological level." ([06:01])
- Economic Impact ([07:10]):
- Business Email Compromise (BEC) is now a larger source of financial loss than ransomware—$6 billion last year.
2. Phishing & Cyber Defense Layers
- Phishing as the Root Cause ([08:29]):
- Most credential thefts are still the result of phishing, despite improvements in backend security.
- Filters/defensive technologies are not foolproof; phishing gets through.
- Defense-in-Depth Philosophy ([11:45]):
- Layers: Technical filters, human training/response, and incident response if breaches occur.
- Quote – Jim Love:
"Everybody who's a professional...knows you do it in layers and you do each layer knowing something's going to get through. That's just the way of the world." ([13:30])
- People as Defenders, Not Weaknesses ([12:26]):
- Importance of user reporting and feedback loops—successful programs reward good reporting, not just penalizing clicks.
- Closing the feedback loop improves report rates by 60%.
3. Research Methodology & Ethics
- Large-Scale Data: Nearly 1 million users, 1,400 organizations.
- Collaboration: Unrestricted, anonymized data analysis with the University of Montreal—all findings are transparent and ethically reviewed.
- Bias and Openness: Beauceron Security does not describe itself as a "human risk management" platform, to avoid dehumanizing users and to promote the positive potential in people.
4. Critical Findings: What the Data Shows
A. Simulation and Training Impact
- Baseline After Training ([19:02]):
- Typically, 74% of users don’t click on phishing simulations; 26% do.
- Initial click populations can be higher but decrease with well-structured training programs.
- Simulation as Hawthorne Effect ([21:24]):
- The presence of simulations alone (even without training) is enough to make people more vigilant (“measured, productivity improved”).
- 40% of clicks due to people operating on “autopilot.”
- Training Decay Over Time ([24:11]):
- Probability of clicking increases with the time since last training:
- Immediately after training: 3.5%
- After 90 days: 15%
- After 180 days: 45%
- After one year: over 95%
- “Not that people forgot knowledge...It’s their willingness to apply the knowledge...their attention.” ([25:14])
B. Why People Click ([27:23]):
- Top Reasons:
- "Looked legitimate" (~25%)
- "Was expecting something similar" (~25%)
- Muscle memory and workflow ("thought it was safe")
- Improvements in Realism ([29:56]):
- AI tools are making phishing more convincing and scalable.
- Leveraging personal data for highly tailored attacks (e.g., targeting fans with sports phishing).
- Wrong Assumptions ([31:43]):
- Anchoring bias: People rely on outdated advice (“look for typos”) that no longer protects against modern phishing.
- Best remedial training addresses emotional intelligence and critical thinking—reducing click rates more effectively than generic instruction.
- “Why Did You Click?” Survey Results:
- 26%: "I don't remember"—evidence of “system 1” (autopilot) thinking.
- 14%: "I was rushing."
- Only 5%: Fear of consequences for not clicking (fear is not the major driver).
- Reporting Behavior and Psychological Safety ([36:44]):
- Those afraid of not complying (fear group) had the highest click rates—and were least likely to report mistakes.
- “Post click report rate” (people admitting mistakes after clicking) is a new metric. Changes in messaging increased this rate from 10% to 25%; best environments hit 80%.
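As an added illustration (not from the episode or from Beauceron's own tooling), the metrics discussed above can be computed from a phishing-simulation export: click rate, report rate, the "post-click report rate" (of those who clicked, how many still reported it), and click rate grouped by days since last training, using the decay points quoted in the episode as bucket edges. The event records and bucket edges are constructed assumptions.

```python
"""Phishing-simulation metrics from the episode: click rate, report rate,
post-click report rate, and click rate by time since last training.
All sample data here is constructed for illustration."""
from collections import defaultdict

# Constructed sample: one record per simulated email delivered to a user.
# days_since_training = days between the user's last training and the send.
EVENTS = [
    {"user": "u1", "clicked": False, "reported": True,  "days_since_training": 10},
    {"user": "u2", "clicked": True,  "reported": True,  "days_since_training": 20},
    {"user": "u3", "clicked": True,  "reported": False, "days_since_training": 120},
    {"user": "u4", "clicked": False, "reported": False, "days_since_training": 200},
    {"user": "u5", "clicked": True,  "reported": False, "days_since_training": 400},
    {"user": "u6", "clicked": False, "reported": True,  "days_since_training": 95},
    {"user": "u7", "clicked": True,  "reported": True,  "days_since_training": 370},
    {"user": "u8", "clicked": False, "reported": True,  "days_since_training": 5},
]

# Buckets follow the decay points mentioned in the episode (0, 90, 180, 365 days);
# the exact edges are an assumption for this example.
BUCKETS = [(0, 90, "0-90d"), (90, 180, "90-180d"), (180, 365, "180-365d"), (365, None, ">365d")]

def rate(numerator, denominator):
    """Ratio rounded to 3 places; 0.0 when the denominator is empty."""
    return round(numerator / denominator, 3) if denominator else 0.0

def summarize(events):
    clicks = [e for e in events if e["clicked"]]
    return {
        "click_rate": rate(len(clicks), len(events)),
        "report_rate": rate(sum(e["reported"] for e in events), len(events)),
        # Post-click report rate: of the users who clicked, how many admitted it.
        "post_click_report_rate": rate(sum(e["reported"] for e in clicks), len(clicks)),
    }

def bucket_for(days):
    for lo, hi, label in BUCKETS:
        if days >= lo and (hi is None or days < hi):
            return label
    return "unknown"  # negative or malformed values

def click_rate_by_training_age(events):
    """Click rate per training-age bucket, to expose decay since last training."""
    sent, clicked = defaultdict(int), defaultdict(int)
    for e in events:
        b = bucket_for(e["days_since_training"])
        sent[b] += 1
        clicked[b] += e["clicked"]
    return {b: rate(clicked[b], sent[b]) for b in sent}

if __name__ == "__main__":
    print(summarize(EVENTS))
    print(click_rate_by_training_age(EVENTS))
```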
5. Culture as a Security Differentiator
- Management Tone and Engagement ([38:11]):
- Strong correlation between leadership's engagement and reduced risk:
- If employees perceive managers care, report rates are 41% higher.
- “Senior leaders matter the most. They are the cultural standard bearer.” ([40:19])
- Misplaced Faith in IT or Tools ([42:38]):
- Employees thinking “IT handles it” or “the tools will protect me” are more likely to click (up to 83–140% higher rates).
- Feedback and Positive Reinforcement ([43:50]):
- Automated, contextual feedback boosts accurate reporting by 62%.
- Public shaming, “walls of shame,” are counterproductive; recognition programs create engagement and pride.
- Security Culture Scores ([44:56]):
- New metric developed in the report; highlights differences across sectors and organizations.
- Example: Telecoms perform worse than banks, attributed to weaker culture.
6. Remediation and Training Effectiveness
- Landing Pages Don’t Work ([48:01]):
- Average time spent on generic “you clicked” landing pages: 11 seconds—insufficient for meaningful learning.
- No-training click rate: 22%
- Landing page only: 20%
- Standard LMS course: 18%
- Customized, context-rich, just-in-time “real-time remediation”: 13.5%
- The best outcome comes from dynamic, personalized training addressing emotional triggers and context.
7. Surprising Findings and Industry Trends
- Small Companies Outperform Large Ones ([54:12]):
- Lower turnover, stronger culture, shorter communication chains.
- Employees know they have more impact; more personalized environment.
- Tenure and Compensation Affect Risk ([40:19]):
- Longer tenure and higher pay correlate with safer behavior.
8. Actionable Insights & Takeaways
- Regular, well-designed training with feedback is critical—annual isn’t enough; decay is steep after six months.
- Building a positive, inclusive security culture—rewarding and empowering employees—works better than shaming or command/control.
- Senior management must model good behavior to set the tone.
- Treat users as assets, not liabilities—motivating, rewarding, and giving them a route to recover from mistakes strengthens overall security.
- Beware overconfidence in technology alone—people remain a vital detection and defense layer.
Notable Quotes & Memorable Moments
- On Phishing:
"It is psychological, it is manipulative, and it works on a fundamental human level."
— David Shipley ([06:10])
- Culture Matters:
"When employees at organizations find out you bought software that's to manage the human risk, it's incredibly demotivating. I think it's dehumanizing."
— David Shipley ([04:15])
- Hawthorne Effect / Simulations:
"Phishing simulations act as the Hawthorne effect inside an organization...they become more vigilant for all emails."
— David Shipley ([21:24])
- Shaming vs Positive Feedback:
"There is a difference between blame and shame and meaningful personal accountability."
— David Shipley ([17:52])
- On Fear:
"I was convinced that fear was going to be one of the top answers and it was the lowest answer."
— David Shipley ([35:52])
- On Post-Click Reporting:
"That is a massive risk reduction for organizations, a massive improvement in psychological safety."
— David Shipley ([36:44])
- On Learning and Human Potential:
"If you expect the worst in people, you will get the worst. And we're seeing too much of that these days."
— David Shipley ([59:46])
Timestamps for Key Segments
- Phishing definitions and threats: 05:54–09:54
- Defense layers and human factors: 11:45–14:55
- Research approach and biases: 01:47–05:17
- Findings: click rates, reporting, training decay: 19:02–26:13
- Survey: Why do people click? 27:23–36:44
- Management/culture impact: 38:11–44:56
- Training effectiveness breakdown: 48:01–54:12
- Surprises and closing thoughts: 56:44–59:46
Conclusion: Why This Episode Matters
This episode showcases rigorous, large-scale research that debunks myths about user training and reveals the true drivers behind phishing vulnerability. The data proves that attention to culture, well-designed feedback, and positive reinforcement have measurable impacts on reducing risk—far more than heavy-handed penalties. The insights provided are crucial not just for cybersecurity professionals, but for any organization striving to build an effective, human-centered approach to cyber defense.
Access the research report:
- boseronsecurity.com/report (US/global)
- boseronsecurity.ca (Canada)
For further discussion or to request the report directly, connect with David Shipley via LinkedIn.
End of Summary
