FREQUENTLY ASKED QUESTIONS (FAQ’s)

What makes Beauceron Security different from traditional awareness training? 

Traditional awareness training often focuses on compliance checkboxes and one-off knowledge delivery. Beauceron instead focuses on Security Behavior and Culture Programs (SBCPs), which combine psychology, neuroscience, and behavioral science to motivate people to act securely, not just know what to do. 

What is the 'sheepdog effect'? 

Beauceron’s philosophy is built on the sheepdog effect: turning employees from potential 'sheep' targeted by cybercriminals into sheepdogs guarding the flock. This means fostering awareness, providing education, and most importantly, motivating employees to take action. 

Why are anti-phishing programs still needed? 

Despite billions invested in cybersecurity technology, 1 in 5 phishing emails still bypass filters and reach inboxes. Poorly executed programs deliver little impact, but well-designed programs reduce click rates, increase reporting accuracy, and strengthen overall resilience. The goal is not 0% clicks, but a sustainable 2–5% click rate with higher reporting accuracy. 

What behaviors most reduce cyber risk? 

Beauceron’s research shows: 

  • People who believe they play an important role in security are 50% less likely to click phishing emails. 

  • Employees who think security tools 'do all the work' are 140% more likely to click. 

  • Strong leadership alignment and visible cultural support result in 13% lower click rates and 17% higher report rates. 

How much training is enough? 

Too much training can backfire. Data shows 30–35 minutes per year (spread quarterly) delivers the best results. More than an hour per year can cause frustration or overconfidence. Training every 90 days, supported by short, targeted microlearning, is the optimal cadence. 

What is the Post-Click Report Rate (PCRR) and why does it matter? 

PCRR measures how often someone reports a phishing email after clicking it. This is critical because reporting quickly can prevent a small mistake from becoming a major incident. 

  • Industry average: ~10% 

  • Beauceron clients: ~15% 

  • Best performers: 25%+ 

How does Beauceron measure security culture? 

Beauceron uses the Security Culture Score, which combines: 

  • Knowledge: Do employees understand risks? 

  • Attitude: Do they believe their actions matter? 

  • Behavior: Are they acting securely? 

  • Organizational maturity: Are anti-phishing, awareness, and reward/consequence programs effective? 

What role does AI play in cybersecurity awareness? 

Beauceron integrates AI to: 

  • Automatically triage reported emails. 

  • Provide real-time feedback to employees. 

  • Identify risky trends and reduce manual workload. 

AI-driven feedback loops are shown to reduce click rates by 40% and increase report rates by 55%. 

What rewards and consequences models work best? 

Gamification and positive reinforcement are powerful. Beauceron’s data shows: 

  • Organizations running competitions see 76% higher report rates and 33% lower click rates. 

  • Multi-stage remediation (progressive, fair consequences) reduces repeat clickers by 24%. 

  • The key is fairness, transparency, and avoiding 'security scolding' — corrective feedback should build confidence, not fear. 

What phishing tactics were most successful in 2024? 

The 2025 Report shows that HR and internal communication-themed phishes were most effective: 

  • Performance review (SharePoint link): 16.6% click rate. 

  • File share from manager: ~14.5% click rate. 

  • LinkedIn recruiter messages had high clicks but very low reporting, making them particularly stealthy. 

These rely on persuasion tactics like trust, authority, urgency, reciprocity, and social proof. 

How often should phishing simulations run? 

Data shows: 

  • Quarterly or annual campaigns result in up to 40% higher click risk. 

  • Monthly phishing is optimal. 

  • More than monthly risks 'security fatigue' and reduces reporting by 13%. 

What future threats should organizations prepare for? 

Beauceron predicts that in 2025: 

  • Generative AI will dramatically scale phishing attacks and deepfakes. 

  • Prompt engineering of AI assistants will introduce new vulnerabilities. 

  • Industry specialization in attacks will grow — if one company in a sector is hit, peers are at greater risk. 

What’s Beauceron’s final message to organizations? 

Technology alone won’t solve cybersecurity. People are the best defense, but only if motivated, supported, and given meaningful ways to contribute. A well-designed SBCP turns security from a burden into a shared cultural strength.