
LeonB, I appreciate this discourse and let me explain why I see maturity as a factor here.

Let's assume that phishing is a real threat, and testing like this moves the needle on people's vigilance (as it has for me when I failed something like it last year). Let's also assume that if this was a real phish, there would be really bad emotional and financial consequences. E.g., imagine being the one who fell for a real phish and actually caused a huge data leak that ended up in the news and put your company out of business.

Regardless of how we feel about it, the above threats are real. So we can either choose to be "nice" but increase people's vulnerability to real painful consequences, or we can choose to be "tough" because we realize that in the long run it creates greater actual security for everyone. To me that's "tough love" - harsher short term decisions to help everyone in the long run.

It indeed feels adult and mature to take the tough and unpopular decision that aims to address the real risk, and conversely irresponsible to say "we can't deal with the problem because it'll be unpopular and someone may get upset."

There's maturity on the flip side too. When I failed the phishing test, it was a wake-up call. In retrospect I should have caught it but I wasn't careful enough. So I am grateful the company did it because it taught me a valuable lesson that will keep me safer in the future. If my response was instead "those fuckers tricked me" or whatever, it would have been childish, because it ignores that the risk is real and that it's really I who has the power to do better.



