Case study · Security awareness · Hybrid workforce

Report it,
don't delete it.

Most awareness training chases compliance and ignores the one act that actually protects a company: reporting. CyberSafe Remote gives 5,000 hybrid employees a single, portable detection routine — the 5-Flag Scan — and rebuilds the culture around reporting fast, not deleting quietly.

The behavior it moves Delete itReport it in under 30 minutes
Role
Design, build
& measurement
Client
Northwind
Technologies (fictional)
Audience
5,000 employees
4 regions
Format
Rise 360 + Storyline
~45 min · xAPI
Spine
Recognize →
Respond → Report
rise.articulate.com · CyberSafe Remote — Module 2 · Recognizing Phishing Emails
CyberSafe Remote in Rise 360 — the Recognizing Phishing Emails interaction: a mock inbox with a look-alike Microsoft security alert open for teardown.
01.
The challenge

Attackers followed the workforce home

Northwind Technologies finished its move to permanent hybrid work in 2024. The flexibility that improved retention also dissolved the network perimeter security was built around — people now sign in from kitchens, cafés, and airports, route work through more SaaS tools, and reach for public AI assistants.

The tooling gap wasn't the problem. The human layer was. A baseline drawn from SIEM data, the phishing-simulation platform, the service desk, and a 1,820-person survey showed the real exposure: people delete suspicious mail instead of reporting it, and when they do report, it's hours too late.

19.4%
simulated phishing click-through rate
Baseline
11%
of simulated lures actually reported
Baseline
9.2h
median time to report a suspicious email
Baseline
$2.4M
modeled awareness-preventable annual loss exposure
Baseline
Representative incident · "The Tuesday BEC"

A Finance analyst working from home received a polished email appearing to come from the CFO, referencing a real, publicly announced acquisition and demanding an urgent wire to "close escrow." Away from the usual in-office cues, the analyst replied and began processing a $310,000 transfer. A second approver caught the mismatch 70 minutes later; funds were recalled, but the attempt consumed 40+ staff-hours and a Legal review.

Why it matters: no malware was involved. The control that failed was human judgment under time pressure — exactly what CyberSafe Remote is built to strengthen.

02.
Who it's for

One workforce, six very different risks

Fluency ranges from low to high, so nothing is gated behind jargon. Role-tagged scenarios put each persona in a situation they actually face — and lean on intrinsic drivers (protect customers and teammates) rather than fear.

Engineering · Priya

High fluency, low patience

ContextHome; AI coding tools, many SaaS logins
DriverVelocity — dislikes friction
Soft spotSees security as a tax on speed; over-confident
Sales · Marcus

Always on a public network

ContextTravel, hotels, airports, public Wi-Fi
DriverHitting quota; mobile-first
Soft spotTime-pressured; high network exposure
Finance

The wire-fraud target

ContextHybrid; handles payments & PII
DriverAccuracy; following process
Soft spotPrime BEC target; urgency cues
People Ops

Trained to be helpful

ContextMostly remote; HRIS, sensitive records
DriverHelping colleagues; responsiveness
Soft spotHelpfulness is a social-engineering opening
People Manager

A high-value "whale"

ContextHybrid; broad system access
DriverTeam outcomes; modeling norms
Soft spotTime-poor; targeted by whaling
Early career

Reluctant to push back

ContextRemote-first; digital native
DriverBelonging; proving themselves
Soft spotHesitant to question a senior "request"
03.
The behavior shift

One loop, one 30-second scan

Every threat type — phishing, vishing, smishing, quishing, an unexpected MFA prompt — gets routed through one memorable loop. It's the spine the whole program hangs on, named identically in every lesson, job aid, and scenario.

RecognizeRespondReport
The 5-Flag Scan
For any message asking you to click, log in, or pay — run this in under 30 seconds. Two or more flags means treat it as phishing and report.
01Sender — is it really who it claims?verify
02Pressure — urgency, threats, secrecyslow down
03Links — hover before you trustinspect
04Request — money, credentials, dataquestion
05Gut — does anything feel off?report
rise.articulate.com · CyberSafe Remote — Module 1 · Meet the 5-Flag Scan
CyberSafe Remote in Rise 360 — the Why Security Habits Matter intro leading into the Meet the 5-Flag Scan flashcard section.
The 5-Flag Scan, introduced in-course as a flashcard set
04.
The build

Six modules, then a day you actually have to survive

Modules move from why → the highest-frequency threat → the highest-impact control → environment → the fastest-growing risk → synthesis. Every lesson follows one rhythm: Hook → Why it matters → How it works → Do this → Check.

1The New Threat LandscapeMake the hybrid attack surface personal — how attackers think now.7 min
2Phishing & Social EngineeringDetect lures across email, voice, SMS & QR; report, don't delete.12 min
3Identity & AccessPasswords, passkeys, managers; defeat MFA fatigue / push-bombing.8 min
4Securing the Hybrid WorkspaceHarden home & public networks, travel, and physical device hygiene.7 min
5Safe & Smart AI UseApply clear data rules to every AI tool — anonymize or use approved tools.7 min
6When Things Go WrongCement Recognize → Respond → Report; lock in five daily habits.6 min
13 lessons 6 interactive activities 3 embedded scenarios 18-item final assessment 1-page job aid 12-min Storyline branching day Manager reinforcement kit Phased comms plan
The reinforcement spine

The course is the start, not the finish. A no-blame promise — "report early, we'll never blame you for being careful" — directly attacks the fear behind the 9.2-hour delay. A 12-minute Storyline day drops learners into three live decisions (a CFO wire request, an unexpected MFA prompt, an AI-paste temptation) where partial choices still add up to a breach. Then spaced nudges, ongoing phishing simulations, and manager 1:1s repeat the key behaviors across a 12-month window to beat the forgetting curve.

05.
Design decisions

What makes it expert work, not a slide deck

i

Reporting is the product

The whole program is engineered around one observable act — reporting fast — because that's the behavior that protects all 5,000 people, not just the one who spotted the lure.

Anchored in Kirkpatrick L3
ii

Psychological safety, by design

The no-blame promise is repeated deliberately. The 9.2-hour delay isn't an awareness gap — it's a fear gap, and you close it by making reporting feel safe, even after a click.

Fogg model · motivation × ability × prompt
iii

Practice over exposure

Reading rules builds recognition; making decisions under pressure builds judgment. The Storyline day lets people feel a consequence in a safe space, which is where durable behavior actually forms.

Learning by doing · scenario design
iv

One consistent system

Format, philosophy, and the single-behavior spine are shared with the New Manager Accelerator and AI Adoption work — so the portfolio reads as a practice with a point of view, not a pile of samples.

Common language · transfer
06.
Modeled outcomes

Designed to move the number, mapped to Kirkpatrick

Success is read as a change in behavior, not a completion percentage. Every objective begins with an observable verb and ties to a metric, so "did it work?" is answered with data — instrumented through xAPI, the phishing-simulation platform, and IR records.

L1 · Reaction
"This is my real day"
Role-tagged scenarios, not generic compliance theater.
L2 · Learning
Run the 5-Flag Scan
Spot 4 of 5 flags in 30 seconds; know exactly how to report.
L3 · Behavior
Report, don't delete
Recognize → Respond → Report becomes the default reflex.
L4 · Results
Lower loss exposure
Fewer credential incidents; a measurably smaller human attack surface.
19.4% → <5%
simulated phishing click-through rate
11% → >65%
threat-reporting rate
9.2h → <30m
median time-to-report
↓40%
credential-related incidents · 12 months

Figures are illustrative of the program's design intent — a fictional baseline and modeled 12-month targets for a portfolio case study, not results from a live deployment. Framing modeled outcomes honestly is part of the craft.

07.
Reflection

What I'd build next

The program proves the behavior and the system. A second release would deepen it without diluting the spine.

  • Adaptive simulation difficulty. Phishing sims that escalate as a team's report rate climbs — keeping the muscle under load.
  • A role-branched Storyline. Finance sees wires, Engineering sees code-paste, Sales sees public Wi-Fi — the same day, tuned to the threat each persona truly faces.
  • A manager scoreboard. Team-level report-rate and time-to-report dashboards, so reinforcement has something concrete to coach toward.
  • The portable lesson. Security culture is a behavior-design problem — and the smallest unit that carries it is "report fast, no blame."
Want the full package?

Move a number
that matters.

The complete CyberSafe Remote program — Rise course, Storyline scenario, job aid, manager kit, comms plan, and evaluation strategy — is available to walk through on request.

© 2026 Rachel Masson rachelsmasson@gmail.com LinkedIn rachelmasson.com CyberSafe Remote · Fictional portfolio artifact · Northwind Technologies