Trick 1: Three Anomalous Behavior Categories Are Mutually Exclusive
Risky = dangerous action (modifying hosts file, replacing OS files, exfiltrating data). Unexpected = normal action in abnormal context (login from wrong country, data transfer at wrong time). Unintentional = accident with good intent (wrong domain typed, misplaced USB, accidental misconfiguration).
Trick 2: Phishing Click Rate Measures Susceptibility, Not Punishment
Internal phishing campaigns exist to measure susceptibility (the click rate) and provide immediate targeted training. They are not a disciplinary tool. An employee who clicks a simulated phishing link is susceptible, not an insider threat or a bad actor.
Trick 3: Unintentional Behavior Can Be Just as Damaging as Intentional
Security incidents caused by accidents (unintentional behavior) are just as real as incidents caused by malicious intent. A user who accidentally clicks a phishing link causes the same breach as one who does it knowingly. Training must address all three categories.
Trick 4: Metrics Enable Proof, Not Just Monitoring
Security awareness metrics (phishing click rate, MFA adoption, password manager adoption, password sharing incidents) serve two purposes: (1) identifying training gaps that need attention, and (2) demonstrating program value to stakeholders who must approve continued investment.