There’s a problem with the way we currently approach cybersecurity training. Simply put, it’s shame based. Most of the time, training is designed to catch people making mistakes, and to sound the alarm when they trip up. From a psychological perspective, this isn’t an effective training methodology. It creates more mistrust, drives little positive behavioral change, and can be an isolating experience for those participating. “Embarrassment rarely accomplishes anything positive, and from a security perspective, has been thoroughly discredited. Phishing simulations and other ‘Gotcha!’ security training attacks are an example of shame culture. Experience has taught us that attacking our employees doesn’t increase cyber-resilience as much as it positions the internal IT teams negatively in the eyes of the organization’s employees, making it more challenging to get people on board with strategic initiatives,” Sai Venkataraman, CEO at SecurityAdvisor says. Instead, cybersecurity training should be tailored to a more supportive model, one where education is prioritized and punishment and ridicule are removed entirely.