Beyond Compliance: A Global Phishing Program Redesign
Financial services | Global organization (20,000+ employees)
Client snapshot
Industry: Finance
Scale: 20,000+ employees across multiple continents
Context: Highly regulated environment with significant cybersecurity risk
The problem
Phishing is the number one cybersecurity risk for financial institutions. While the client organization already ran quarterly phishing simulations for employees, the process had become increasingly frustrating and ineffective.
From the client’s perspective:
- The process was time-consuming and had to be repeated every quarter
- Staff didn’t seem to be learning – especially the infamous “repeat clickers”
- Follow-up after failures was inconsistent across business units
- The existing tools felt limited
As a result, some team members began to question whether the only way forward was to invest in a new, costly platform – a decision that would take significant time and budget.
The real challenge
The challenge wasn’t a lack of commitment or expertise. The team was highly experienced in information security and deeply invested in building a strong security culture.
However, several underlying challenges reinforced each other:
- Learning design did not support behavior change
  Employees had very limited practice opportunities, and in some cases the feedback (unintentionally) reinforced shame rather than building skill and confidence.
- Processes were fragmented
  Each business unit interpreted the program slightly differently, which created inconsistencies and repeated effort.
- Metrics didn’t reflect reality
  The metrics were focused on content production rather than behavior change. Leaders couldn’t tell what was actually working or how to improve it.
- Compliance pressure raised the stakes
  “We sent out training” is no longer sufficient in today’s risk landscape. The organization needed defensible evidence of performance, learning, and continuous improvement.
The approach
Rather than treating phishing as a content makeover, I approached it as a behavior change and process design challenge.
1. Understanding the system
Keeping in mind the organization’s mission, values and strengths, I proceeded to:
- Interview stakeholders across business units to surface pain points and constraints
- Evaluate existing materials against learning and behavioral design principles
- Document the end-to-end phishing process in a clear visual map
2. Redesigning for learning and efficiency
Collaborating with internal experts, we decided that the new system must:
- Support repeated practice and progressive learning
- Produce meaningful, interpretable data
- Work within existing tools
Keeping these requirements in mind, I recommended the following:
- Standardizing the global process across all business units
- Reframing failure as part of learning, not punishment
- Introducing consistent, supportive follow-up for repeat clickers
- Tracking metrics that reflected both behavior and learning effectiveness
3. Making the change work in practice
Once we had agreed upon a redesigned approach, I developed a full set of assets to help support the change, including:
- Progressive interventions for repeat clickers
- Interactive learning resources and practice games (I can show an example game)
- Clear, coordinated communications (emails, FAQs, global articles)
- Surveys capturing attitudes toward security
Results & Impact
A more secure organization
The redesigned program changed how employees experienced phishing simulations. Instead of a one-off test followed by a generic warning, people were given repeated opportunities to practice and improve. By addressing and reinforcing the right behaviors, rather than just “knowledge and awareness”, the program supported more secure decision-making, thereby reducing human-related security risks.
Just as importantly, thanks to the revised measurement strategy, the team could now see not only who clicked, but whether the learning approach itself was effective.
A scalable, consistent global process
Behind the scenes, the program became far more consistent. Having a single, standardized process not only supported learning, but also:
- Lowered operational risk
- Clarified expectations, and
- Centralized the process, freeing up local teams.
On the employee side, the team was pleased to see that employees chose to engage with optional resources and consistently described the process as clear and helpful.
Clear, defensible compliance evidence
Beyond improving the experience for employees and teams, the redesigned program also offered:
- New insight into security attitudes and learning, not just pass/fail rates
- The ability to demonstrate true compliance, not just “training was sent”
- Evidence of a multi-faceted approach combining practice, feedback and follow-up
Most importantly, the program shifted from feeling like a compliance exercise to something employees experienced as genuine learning – while giving leaders the visibility and confidence they needed.
Why this matters
In high-risk, highly regulated environments, learning only creates value when it’s embedded in the system people operate within.
This project shows how redesigning processes, learning, and measurement together can influence behavior change at scale – even when tools, time, and budgets are constrained.
A note for leaders facing similar challenges
If you’re responsible for learning, security, or compliance and feel stuck between:
- “people aren’t changing behavior,” and
- “we don’t have the time or tools to fix this,”
Then let’s talk! There are often more opportunities to improve than it first appears.