Why preventing phishing is so difficult, and what we can do about it
Michael Joyce
NorthSec 2025 · Day 2 · Ville-Marie
Michael Joyce, Executive Director of the Human-Centric Cybersecurity Partnership (HC2P) and a PhD researcher at the Université de Montréal, presents findings from one of Canada's largest independent phishing behavior studies — covering over a quarter of a million phishing simulations across more than 700 organizations. The core argument: security professionals are systematically unqualified to make intuitive judgments about how ordinary users behave, and the dominant frameworks for addressing phishing (awareness training, technology controls, individual accountability) are grounded in faulty assumptions about human cognition. The data tells a more nuanced story, and the solutions it suggests are less intuitive than the industry typically accepts.
AI review
HC2P researcher presents findings from 250,000+ phishing simulations across 700+ Canadian organizations, applies cognitive science frameworks to explain why awareness training underperforms, and proposes a hierarchy-of-controls approach to phishing defense.