
It might be a realistic scenario and thus a "good" test. It still is a total dick move to do this as an employer. Some things you just should not do to your employees. There are a million other phishing scenarios that are realistic where you don't have to be promised money by your employer.



I think the correct course of action would have been to actually award out the amount promised to everyone completely separate from their action or inaction on the phishing email. It would have gone over a lot better if they had done this.


It's a choice between comfort and survival.

There are more humane ways to train an army than to make them think of situations where someone is trying to kill them, but... if that comes at the expense of worse training (and therefore actual higher likelihood of death) then it doesn't do anyone favors.

The fact that so many people fell for this test means there's something (obviously!) around this scenario that makes it particularly sensitive and mistake-prone for people. Your IT department may choose to avoid it, but people trying to phish you won't.


A company is not an army.

You don’t train your employees on active shooter drills by having a guy barge in shooting blanks.

Source: was in the army.


True story, but I’m not making a point here, or trying to disagree with you. Just something that happened to me once:

I was leaving a hotel near the airport in Delhi, and as we were waiting outside for an Uber the manager of the hotel told us not to be alarmed if we saw some guys with guns running towards the hotel. He told us the police were running a terrorism scenario to see how the local hotels would react, and whether they would follow the plan for such an event. The guns would be unloaded, but everything else would seem realistic. The manager and the outside security knew about it (because they had to let the "terrorists" into the hotel) but no other staff or guests had been warned. We were only told because we were outside and might see them coming and he didn't want us to give the game away.

Fortunately our Uber arrived before the “terrorists”. It’s possible the manager was just fucking with us, and none of it happened, but it didn’t seem like it and if he was that’s a pretty messed-up thing to do, too. It occurred to us that if they were actual terrorists he might be in cahoots and making sure they got into the building.

He also told us how in a real event he told his outside security guys to run away, they couldn’t stop terrorists anyway, and there was no point getting themselves killed.


Thank you for your service. Hopefully you can appreciate the tradeoff between mental/emotional discomfort and an actual problem that was the point of my analogy.


They don't. That's why they disagreed with you.

The tradeoff here is an idiotic one.

You don't set your own building on fire in order to test fire safety.

You don't destroy company morale to test phishing security.

It's really that simple.


If we're arguing analogies, OK. Does your company ever have fire drills? What if the first sound of the alarm freaks someone out? What if people find it annoying/idiotic/morale reducing to walk down the fire stairs?

At some point you just say "look, we need to make sure our people are trained, if people think fire drills are stupid or upsetting, we have to take that hit because the alternative is worse."


Your analogy is disconnected from reality. Fire drills (aside from the surprise kind which can be pretty bad) are gone into with full knowledge.

You ain't comparing the same thing. Temporary discomfort is not the same as this boneheaded move that wrecked their morale.


Fire drills without the knowledge of the participants sound like a very dangerous stunt to play, one that surely only exists on television.


Yeah, but guess what: employees put their families' well-being ahead of the company. And a company that expects otherwise is cruel or delusional.


OF COURSE! We're not talking about prioritizing the company over people. We're talking about training people not to fall for what they could discern as a phish if they took a sec.


It hasn't trained people not to fall for a phishing email.

It's trained them not to believe their company when they offer a bonus.

Which might stop the same email from working tomorrow, but not the one saying "This needs to be filled out by Friday!" or "Class action settlement against GoDaddy over fake bonuses"


But that is not how people are normally trained. Normally people are trained in safe conditions where participants know they are in a training session.

You put people in unnecessary danger by putting them in an unpredictable situation. That is why training sessions are varied and thoroughly debriefed so that participants can know how what they learned in the current session can be applied at different settings.

Source, anecdotal: I'm a former lifeguard who had regular drills, and never entered one unknowingly.


It wouldn't have been such a mean thing if they then gave the bonus to every employee, regardless of them passing the test or not.

