August 28, 2025

CyberHoot's Craig Taylor on Why Fear-Based Phishing Training Fails

32 minutes

Psychology beats punishment when building human firewalls. Craig Taylor, CEO & Co-founder of CyberHoot, brings 30 years of cybersecurity experience and a psychology background to challenge the industry's fear-based training approach. His methodology replaces "gotcha" phishing simulations with positive reinforcement systems that teach users to identify threats through skill-building rather than intimidation.

Craig also touches on how cybersecurity is only 25 years old compared to other fields, like medicine's centuries of development, leading to significant industry mistakes. NIST's 2003 password requirements, for example, were completely wrong and took 14 years to officially retract. Craig's multidisciplinary approach combines psychology with security practice, recognizing that the industry's single-focus mindset contributed to these fundamental errors that organizations are still correcting today.

Topics discussed:

Replacing fear-based phishing training with positive reinforcement systems that teach threat identification through skill-building.

Implementing seven-point email evaluation frameworks covering sender domain verification, emotional manipulation detection, and alternative communication verification protocols.

Developing 3- to 5-minute gamified training modules that reward correct threat identification across specific categories.

Correcting cybersecurity industry misconceptions through multidisciplinary approaches.

Evaluating emerging security technologies like passkeys through industry backing analysis.

Building human firewall capabilities through psychological understanding of manipulation tactics.

Implementing pause-and-verify protocols to confirm unusual requests that pass technical email verification checks.

Key Takeaways:

Replace punishment-based phishing simulations with positive reinforcement training that rewards users for correctly identifying threat indicators.

Implement gamified security training modules instead of lengthy video sessions to maintain user engagement.

Establish pause-and-verify protocols requiring alternative communication channels to confirm unusual requests that pass technical email verification checks.

Evaluate emerging security technologies by examining industry backing and major sponsor adoption before incorporating them into training programs.

Calibrate reward systems to provide minimal incentives (like monthly lunch gift cards) that drive engagement without creating external dependency.

Train users to identify the seven key phishing indicators: sender domain accuracy, suspicious subject lines, inappropriate greetings, poor grammar, external links, questionable attachments, and emotional urgency tactics.

Build internal locus of control in security training by focusing on skill mastery rather than fear-based compliance, ensuring users understand why security practices protect them personally.

Deploy fully automated security training systems that eliminate administrative overhead while maintaining month-to-month flexibility and offering discounts to educational and nonprofit organizations.

Listen to more episodes:

Apple

Spotify

YouTube

Website

...more

View all episodes

By Team Cymru

4.5

1111 ratings