Shane Daniel | November 21, 2024 | 11 min read

What Are the Best Methods to Test Employee Cybersecurity Awareness?


How Coaching Experiences Can Improve Employee Cybersecurity Awareness

If you’ve ever volunteered to coach youth sports — especially T-ball — you’ve probably learned as much as the kids about teaching and training someone to perform an activity. The first lesson of T-ball: If you give a kid a bat, they will swing the bat no matter who or what is in the area.

The second lesson: Coaching is all about repetition. When I helped coach a T-ball team, our first day of practice involved running to first base and coaching the kids to listen to the first base coach. We spent a lot of time on the fundamentals of baseball.

When all is said and done, the purpose of T-ball is to provide the kids with a basic knowledge of the game, awareness of what to do when the ball is hit (run to first base), and, above all else, to have fun.

The goal of employee cybersecurity awareness training should be similar to coaching T-ball. As information security professionals, we should understand that the audience is not full of security experts, and we need to provide basic knowledge and appropriate action to take when faced with an incident.

We also need to test the effectiveness of the training program continuously. Unlike T-ball, however, we need to keep score — not to shame an employee but to measure our coaching.

If you give a user technology, you should expect them to misuse it, either intentionally or unintentionally. Cybersecurity awareness training should cover basic information security principles and response steps to social engineering and phishing, the two most common causes of data loss and breaches. Verifying that employees have retained this information and will deploy their training in the future is the key to a successful employee security awareness program.


Top 10 Cybersecurity Testing Methods to Boost Employee Awareness


1. Cybersecurity Quizzes

Administering a quiz after a cybersecurity awareness training session is a common testing approach, but quizzes are ineffective if using a one-and-done approach. Remember, coaching is repetition.

Random web-based quizzes throughout the year may provide a better measurement unless employees share answers. When asked which base to run to, a player can say “first base,” but the coaching can only be measured when the player is standing on first base.


2. Workplace Security Reviews

Employees can become desensitized to confidential information in the work area, especially when working with such information daily. Regular workplace reviews are a great way to test your clean desk policy and physical security measures. It is surprising how much sensitive information can be discovered simply by walking around the office. These work area checks may be performed during or after business hours.

Consider the following questions during your review:

  • Are desk drawers and filing cabinets with confidential information locked?
  • Are sticky notes with confidential information in plain sight?
  • Are passwords written down and stored under keyboards or behind monitors?
  • Are desktops left logged in and unattended?
  • Are vault combinations kept in unlocked desk drawers?
  • Can you fish documents from a shred container?

Taking pictures of any security violations is the best form of evidence. Share the results of your physical checks during your next cybersecurity awareness training session to reinforce the importance of secure practices.


3. Dumpster Diving

The adage goes: “One man’s trash is another man’s treasure.” Dumpster diving can be a treasure trove of information for anyone looking to carry out a successful social engineering attack. Rather than wait for outsiders to find all the information your employees are throwing away, you can perform your own dumpster diving tests to identify vulnerabilities.

A pair of latex gloves is always recommended for this test. One of the best methods to perform this test is to follow the cleaning crew around after business hours and observe what information is being disposed of as ordinary garbage (not in shred bins where confidential information should be placed).

Some of the most common ways employees inadvertently dispose of confidential information are via sticky notes or scratch paper with account numbers or Social Security numbers. Do you like jigsaw puzzles? You may find confidential information that has been hand-shredded (torn, not properly shredded). Discarded mail or envelopes with customer return addresses can also expose valuable details that attackers could leverage.

Ask yourself these questions to assess the effectiveness of your organization’s disposal practices:

  • Are shred bins easily accessible and regularly used?
  • Do employees understand the risks of discarding customer or organizational data in regular trash?
  • Are procedures in place to audit or monitor how sensitive information is disposed of?


4. Pretext Phone Calls

In larger organizations, pretext phone calls may be performed by an internal resource who isn’t well-known or by an outsourced auditor or consultant. The tester can perform the test via the phone (voice/text) or internet (email/chat), posing as a customer, vendor, or business partner who is requesting confidential information or login credentials.

The tester must have a convincing cover story to explain why the information or login credentials are needed. When impersonating a person or company, testers often use popular spoofing tools to display local area codes, phone numbers, and alias names.

Ask yourself the following questions to assess your organization's procedures:

  • Do you have procedures for validating a customer’s identity?
  • Do staff follow these procedures?
  • Do you solely rely on caller ID technology for customer verification?


5. Physical Penetration Testing

We have all seen physical impersonation attacks in the movies where the correct uniform and identification badge grant easy access into a restricted area. In reality, we have all likely performed this test once in our lives without even realizing it.

For example, when I go to the gym, the attendant is supposed to swipe my card to grant and track my access. However, if I have my earbuds in and stare at my phone, I can walk by unchallenged. I look like I belong at the gym, so why inconvenience me?

You wouldn’t intentionally let just anyone into your facility and look the other way as they steal your confidential customer information, right? Be intentional about escorting unknown or unannounced guests around your premises and restrict access to noncustomer areas of your business.

Consider the following questions to assess your organization's physical security procedures:

  • If a tester appears to belong at your organization, will your staff challenge their identity?
  • Do you have procedures in place for challenging and verifying unfamiliar individuals?


6. USB Flash Drive Drop Attacks

Another way to test your cybersecurity awareness training is to bait employees with a “lost” USB (Universal Serial Bus) flash drive. Vigilance against these attacks is vital, as a Mandiant report found that infected USB drive drop attacks tripled worldwide in the first half of 2023.

Think about the following questions to evaluate your organization's response:

  • Will your employees take the bait?
  • How many employees will call IT?
  • How many will plug the device into a company workstation?


7. Phishing Attack Simulations

One of the best ways to determine whether your employees are aware of the threat posed by a phishing attack is to perform a controlled test (simulated attack) of their emails.

Test emails should contain some of the clues covered in security awareness training that should tip the recipient off to the deception. Directing the recipient to a website link will allow the tester to gather evidence of who opened the email and who followed the link.

Such testing may be performed by skilled staff or by a third-party provider and should be conducted throughout the year to maintain employee awareness.

When it comes to phishing email testing, remember three things:

  • Phishing is the most common way attackers get into networks — it’s cheap and easy, and everyone uses email.
  • The goal is to educate and train your employees, not to be as deceptive as possible or to see how many clicks you can get.
  • If your people are your biggest security weakness, you should test your biggest security weakness most frequently, not least frequently.


8. Pig Butchering

Pig butchering scams involve fraudsters building trust over weeks or months, often posing as financial advisors, industry peers, or romantic partners. They gradually persuade victims — including bank employees — to invest in fake opportunities like cryptocurrency. Once funds are transferred, the scammer disappears.

Bank employees may be targeted with offers of high-return investments or pressured to transfer personal funds under the guise of urgency or confidentiality.

In one case, Shan Hanes, a former Kansas bank CEO, was lured into such a scheme and ultimately embezzled millions from his own institution to fund what he believed were legitimate investments. His story highlights how even seasoned professionals can fall victim when trust is manipulated.

Run simulations where employees are approached by scammers posing as trusted contacts. Test their ability to recognize red flags and follow verification protocols.

Use these questions to assess the effectiveness of your organization's safeguards:

  • Are employees aware of how pig butchering scams could target them?
  • Do they follow procedures to verify investment opportunities or suspicious financial requests?
  • Is there a clear process for reporting potential scams?


9. Deepfakes

Deepfakes are highly convincing, AI-generated videos or audio that impersonate real individuals — such as executives, colleagues, or trusted business partners — to deceive victims into transferring funds or sharing sensitive information. These scams are increasingly targeting not just customers but also employees within organizations. Bank employees, in particular, must stay vigilant for unusual or high-stakes requests that appear to come from senior management or trusted partners.

The threat is serious: In 2024, fraudsters used a deepfake of the CFO of British engineering firm Arup to conduct a video conference with staff. Believing they were speaking with their real CFO and other company executives, employees were persuaded to transfer $25 million to accounts in Hong Kong. This incident underscores how even trained professionals can be duped by sophisticated deepfake technology.

Conduct simulations where employees receive fraudulent requests via deepfake video or audio, mimicking senior executives or high-value clients. Assess their ability to spot inconsistencies, verify the request, and escalate the matter appropriately.

Evaluate your organization's approach with the following questions:

  • Are employees aware of the risks posed by deepfakes impersonating senior leadership or key clients?
  • Do they know how to verify requests through alternative channels, such as calling the individual directly?
  • Is there a clear protocol for escalating and reporting suspicious requests, even if they appear to come from trusted sources?


10. Prepaid Card Scams

In prepaid card scams, cybercriminals pressure victims to buy prepaid or gift cards to pay off supposed debts, fees, or urgent bills. Scammers often create a sense of panic, telling the victim to act quickly to avoid severe consequences.

Bank employees can help protect customers by staying alert to key warning signs. These include customers who are on the phone during transactions, those withdrawing large sums for prepaid or gift cards, or those mentioning urgent debts, government fees, or penalties requiring payment through gift cards.

Conduct training exercises where employees encounter scenarios involving distressed customers planning unusual transactions for prepaid cards. Gauge whether employees recognize red flags and know how to provide guidance.

Review these considerations to determine your organization’s preparedness:

  • Are employees trained to recognize the urgency and unusual requests associated with prepaid card scams?
  • Do employees know the appropriate steps to take if they suspect a customer may be under the influence of a scam?
  • Are there procedures in place to escalate and report suspected fraud?


How to Measure the Effectiveness of Your Cybersecurity Testing

Document your findings and share the testing results with the management team. Use generic terms, such as passwords written down and stored within sight or confidential information stored in unlocked desk drawers after hours.

Avoid using employee names in written reports, but be prepared to offer details when management asks. Remember that the goal is not to demean an employee but to improve the organization’s cybersecurity awareness. The risk of social engineering attacks can never be 100% mitigated, but you should strive to improve the results (fewer violations) each year.

Employees should be informed that such testing may occur at random. Regardless of the testing method, the testing results should be shared with employees to emphasize the fundamentals of the test that should have raised a red flag and the actions that users should have taken.

To measure the success and limitations of a security awareness training program, consider tracking the following:

  • The number and type of security violations found during workplace reviews.
  • The number of instances of confidential information found in trash containers.
  • The number of employees who did or did not provide confidential information to testers via the phone or email.
  • The number of times physical impersonation testers were allowed access to restricted areas.
  • The number of times testers are challenged during a physical impersonation test.
  • The number of employees who leak sensitive data (e.g., provide a username/password).
  • The number of employees who reported a phishing email.
  • The number of employees who clicked on phishing tests.
  • The number of employees who flagged suspicious activity related to potential pig butchering or prepaid card scams.
  • The number of instances where employees detected signs of deepfake scams.
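As an added illustration of tracking these counts (example code written for this post, not an SBS or TRAC tool), the snippet below aggregates constructed test results per year into failure and report rates and checks whether the latest year improved on the prior one, which is the "fewer violations each year" yardstick described above. Campaign names and numbers are made up.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Campaign:
    """One awareness test round (phishing simulation, pretext calls, USB drop, ...)."""
    name: str
    year: int
    tested: int    # employees included in the test
    failed: int    # took the bait: clicked, plugged in the drive, gave out data
    reported: int  # raised a red flag through the reporting channel

    def __post_init__(self):
        # A failure count larger than the tested population is a data-entry error.
        if self.failed > self.tested or min(self.tested, self.failed, self.reported) < 0:
            raise ValueError(f"inconsistent counts for campaign {self.name!r}")


def rates(c: Campaign) -> dict:
    """Failure and report rates as percentages; an empty campaign yields zeros."""
    if c.tested == 0:
        return {"fail_rate": 0.0, "report_rate": 0.0}
    return {
        "fail_rate": round(100 * c.failed / c.tested, 1),
        "report_rate": round(100 * c.reported / c.tested, 1),
    }


def yearly_trend(campaigns) -> dict:
    """Sum all campaigns of a year and return {year: rates} in year order."""
    totals = {}
    for c in campaigns:
        t = totals.setdefault(c.year, [0, 0, 0])
        t[0] += c.tested
        t[1] += c.failed
        t[2] += c.reported
    return {y: rates(Campaign("all", y, *t)) for y, t in sorted(totals.items())}


def improved(trend: dict) -> bool:
    """True when the latest year has a lower failure rate and a higher report rate."""
    years = sorted(trend)
    if len(years) < 2:
        return False
    prev, last = trend[years[-2]], trend[years[-1]]
    return last["fail_rate"] < prev["fail_rate"] and last["report_rate"] > prev["report_rate"]


# Constructed sample results, not real data.
SAMPLE = [
    Campaign("Q1 phishing", 2023, tested=200, failed=40, reported=30),
    Campaign("Q3 pretext calls", 2023, tested=50, failed=10, reported=5),
    Campaign("Q1 phishing", 2024, tested=200, failed=24, reported=60),
    Campaign("USB drop", 2024, tested=100, failed=12, reported=40),
]
```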

Employee security awareness and testing methodologies must continue to evolve with attack methods, and the best way to provide evidence of progress is to monitor performance through observation testing.


Shane Daniel

Shane Daniel is a Senior Information Security Consultant for SBS CyberSecurity, where he works to help organizations identify and understand cybersecurity risks to allow them to make better and more informed business decisions. As a former community bank internal auditor and compliance officer, Shane has over 27 years of experience helping financial institutions manage risk and profitability. He is driven to be an expert in his field by maintaining a variety of premier industry certifications, including Certified Public Accountant (CPA), Certified Information Systems Auditor (CISA), Certified in the Governance of Enterprise IT (CGEIT), Certified in Risk and Information Systems Control (CRISC), and a Certified Internal Auditor (CIA). Shane specializes in risk management, information technology audit, Bank Secrecy Act independent testing, compliance management, information security, and internal audit outsourcing. Shane performs speaking engagements, conducts trainings, has had multiple articles published, and hosts educational webinars.
