
Proofpoint Security Awareness Training

Exploratory Research | User Interviews | Experience Design | Service Design

Proofpoint Security Awareness Training Phishing Simulation Follow Up

Proofpoint Security Awareness Training (PSAT for short) is an industry leader in cybersecurity training and awareness. They provide online training and assessments, tools to report suspicious emails, and simulated phishing tests.


The Problem

Phishing simulations (sending employees fake phishing emails) are a key part of any successful security awareness program. These simulations help administrators learn which kinds of lures work best against their end-users and which training assignments those end-users need to be ready for the real thing.

As important as phishing simulations are for an awareness program, the experience of falling for a simulated phish is the end-users’ least favorite part. No one wants to feel like they’ve been tricked, especially not by their employer. Traditional failure experiences can be alienating, often using error warnings, a harsh tone of voice in the writing, or a complete lack of follow-up information from the employer.

The content team and I thought that our phishing simulator could do it better.

The Exploratory Research

I began by interviewing customers to understand how they think about their end-users’ experience after failing a phishing simulation, and how the current experience stacks up against their expectations.

Taking those interview results, I then launched a survey to refine that data further.

The Findings

  • Interview and survey data show users want a shorter landing page with kinder, more reassuring messaging.

  • Data also shows users want to include a follow-up email with highlights showing what to look for in an email, as well as instructions for handling a real-life phish.

  • The follow-up emails will also have to be able to be turned off and on.

  • Users still want to edit both landing pages and follow-up emails.

  • Auto Enrollment Training Assignments can remain unchanged for continued use.

Based on these findings, I proposed a new ‘post failure experience.’

The Design Process

I started by mapping out a new experience that starts the moment an end-user clicks a simulated phish.

  1. A short webpage with friendly, non-threatening messaging opens in a new browser window.

  2. Between one hour and one day after clicking the simulated phish, the end-user receives a follow-up email from their admin. This email shows an image of the simulation with indicators marking which parts of the email to look out for in the future.

  3. A day or two after clicking the simulated phishing email, the end-user receives a training assignment to reinforce the previous training they’ve taken.

Working with the content team, we created an easily replicable email layout that would load in an email client.

The content team and I also created new landing pages for the overall experience.

As part of the design and testing process, three different landing pages were created.

Validation

To check our assumptions, I built a clickable prototype that replicated what an end-user would see and feel when receiving a simulated phish and what they see and feel when they click.

Using a random A/B/C testing method, the prototype showed each end-user participant one of the three landing pages. I had participants score the landing pages so we could compare them in our results.

I also varied the timing of when participants received the follow-up email.

The Outcome

Based on the findings of the end-user usability test and our customers’ feedback about the emails and landing pages, our content team began working on this new package of content, and the phishing simulation team has scheduled work to build out the new experience.