SecTor 2025 | Why Phish if It Doesn't Work? A No BS Take on Why We Need to Phish

Black Hat | May 21, 2026

Why It Matters

Organizations risk underinvesting in human‑focused defenses if they accept headlines that dismiss security awareness; effective phishing risk reduction requires varied training, better delivery design, and complementing technical controls rather than abandoning them.

Summary

At SecTor 2025, David Shipley argued that phishing simulations and security awareness remain essential despite recent studies claiming they don’t work. He framed cyber as the interaction of people, technology and control and emphasized that anybody can click—phishing success is driven by human psychology and manipulation, not intelligence. Shipley critiqued oversimplified headlines and flawed interpretations of research, noting that delivery mechanisms (for example, scary post‑click landing pages) vary widely in effectiveness and that some interventions do reduce risk. He warned against treating awareness training and technical controls like mutually exclusive choices, urging blended, evidence‑based approaches.

Original Description

Who would have thought that in 2025, we would still need to advocate for the importance of phishing simulations, but here we are. No matter how sophisticated our technical controls are, emails are still swimming past our filters and landing in employee inboxes. If they are our first or even last line of defense, how do we expect them to help us spot threats when they've never encountered them in the real world?
In a 2024 paper released by tech giants, some argue that phishing simulations are useless fire drills that do little to change behavior. Here's the kicker: Research proves that when people aren't educated on mindfulness and encounter a tricky situation, they're going to respond in risky ways.
The technology fallacy that you can fix the tech, not the people, isn't true. Emotional intelligence is our greatest strength as humans. Technical defenses are essential but not foolproof. Harnessing the human factor by educating people through emotional experience will improve their ability to identify and respond to real threats landing in their inboxes.
This talk will share insights from collaborative research with the University of Montreal over the past two years, looking at cybersecurity awareness and phishing simulation data from hundreds of organizations and hundreds of thousands of people around the world. Attendees will explore dimensions of the interaction between humans and cybersecurity. The presentation will connect the data to insights from neuroscience, biology, psychology, and behavioural economics, showing what we have learned and the next questions we should all be looking to answer.
By: David Shipley | CEO, Field CISO, Beauceron Security
