The Security Champion Checklist
Here’s a paradox about security training.
KnowBe4 analyzed 67.7 million phishing simulations across 14.5 million users and found that after 12 months of regular training, phishing click rates dropped by 86%. That sounds impressive. But a UC San Diego study, published at the IEEE Symposium on Security and Privacy in 2025, ran an 8-month randomized controlled experiment with over 19,500 employees and found that embedded phishing training reduced click likelihood by only about 2%. The two figures don't measure the same thing (a vendor's aggregate of its own customers' simulation results versus a controlled experiment with a comparison group), which is part of why they diverge so sharply.
The UC San Diego numbers are sobering. 75% of users engaged with the training materials for one minute or less. And the share of employees who had been caught kept growing: about 10% clicked in month 1, but more than 50% had clicked on at least one simulated phishing email by month 8. The researchers concluded: “No significant relationship between recent completion of cybersecurity training and phishing susceptibility.”
The takeaway isn’t that training is useless. It’s that knowledge alone doesn’t change behavior. You can know everything about phishing and still click a link at 4:55 PM on a Friday when you’re tired and the email looks legitimate.
What changes behavior is habits — automatic responses that fire before your conscious mind engages. A Security Champion doesn’t know more than everyone else. They have better automatic responses.
What a Security Champion does
A Security Champion isn’t an IT security expert. You’re the person on your team who:
- Pauses before clicking and encourages others to do the same
- Knows how to verify and can walk a colleague through it when they get a suspicious message
- Follows the process for sensitive actions — payments, credentials, data sharing — even when it feels unnecessary
- Reports without hesitation and without embarrassment
- Doesn’t cry wolf — calibrated judgment, not blanket suspicion. Flagging everything wastes the security team’s time and erodes trust in the reporting system.
The four-question checklist
When you encounter any message — email, text, Slack, Teams, phone call, calendar invite — that asks you to take action, run through these four questions:
1. WHO sent this?
- Do I know this person?
- Is this their normal communication channel?
- Does anything about their account or address look different from usual?
Worked example: You receive an email from your regular vendor, but the sender's address is on a different domain from the @summitconsultinggroup.com you've seen before. The WHO doesn't match. That's enough to trigger verification: call them at a number you already have on file before processing anything.
2. WHAT are they asking me to do?
- Enter my password somewhere?
- Send money or change payment details?
- Open a file or click a link?
- Share sensitive information?
- Move to a different communication channel?
Worked example: Your “CEO” emails asking you to text them at a personal number about a confidential matter. The WHAT is a channel change — moving from corporate email (monitored) to personal text (invisible). The channel change itself IS the red flag, regardless of who appears to be asking.
3. WHY now?
- Is there unusual urgency?
- Does the timing feel manufactured? (Friday afternoon, before a holiday, end of quarter)
- Is there a threat or consequence for not acting immediately?
Worked example: An email says “Your account will be locked in 2 hours if you don’t verify your identity.” The WHY creates artificial time pressure. Legitimate account issues rarely come with two-hour deadlines, and even when they do, you can verify in 5 minutes, well within any real deadline.
4. DOES IT MAKE SENSE?
- Would this person normally make this request?
- Would they normally make it through this channel?
- Does the request match what I know about our company’s processes?
Worked example: You receive an email from HR asking you to reply with your password so they can “verify your account.” HR never asks for passwords. They use an HR portal. The request doesn’t match any known process. DOES IT MAKE SENSE: no.
The trigger
If ANY answer feels wrong, verify. Through a separate channel. Using contact information you already have: a number from your directory, a saved contact, the vendor portal you've used before. Never information taken from the suspicious message itself.
You don’t need all four answers to be wrong. One is enough. One feeling of “that’s unusual” is enough to pick up the phone and make a 30-second verification call.
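The WHO question, and the channel-change signal from the WHAT question, can also be applied mechanically to an email's headers. The script below is an added example and not code from this page or from any vendor tool. It parses a raw message, compares the sender's domain to a constructed allowlist of domains you have corresponded with before, flags the common lookalike tricks (an inserted hyphen, digit or Cyrillic characters that render like Latin letters, a trusted domain buried inside someone else's domain, a near-typo), and flags a Reply-To header that points to a different domain than the From address. All domains, names, and messages are constructed for illustration.

```python
"""Added example (not from the page): the WHO question run over email headers.
Flags lookalike sender domains and Reply-To channel changes against a list of
domains you already know. Domains and messages below are constructed."""
from email import message_from_string
from email.utils import parseaddr

# Constructed allowlist: domains you have actually corresponded with before.
KNOWN_VENDOR_DOMAINS = ("summitconsultinggroup.com",)

# Characters commonly swapped for the real one: digits for letters, and
# Cyrillic letters that render identically to their Latin counterparts.
CONFUSABLE_CHARS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c"})
# Two-letter sequences that read as a single letter in most fonts.
CONFUSABLE_PAIRS = (("rn", "m"), ("vv", "w"))


def edit_distance(a, b):
    """Levenshtein distance: minimum single-character edits that turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain):
    """Collapse the usual disguises so a lookalike compares equal to the real domain."""
    d = domain.lower().rstrip(".")
    try:  # decode punycode (xn--) labels so confusable letters become visible
        d = d.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already contains non-ASCII letters, nothing to decode
    d = d.translate(CONFUSABLE_CHARS).replace("-", "")
    for pair, single in CONFUSABLE_PAIRS:
        d = d.replace(pair, single)
    return d


def registrable(domain):
    """Last two labels; a production tool should use the Public Suffix List (co.uk etc.)."""
    return ".".join(domain.split(".")[-2:])


def classify_domain(domain, known_domains=KNOWN_VENDOR_DOMAINS):
    """Return (verdict, matched_known_domain); verdict is 'known', 'lookalike' or 'unknown'."""
    domain = domain.lower().rstrip(".")
    for known in known_domains:
        if domain == known or domain.endswith("." + known):
            return "known", known  # exact domain or a real subdomain of it
    candidate = normalize(registrable(domain))
    for known in known_domains:
        if known in domain:  # trusted name buried in another domain: brand.com.evil.net
            return "lookalike", known
        # Same string once disguises are stripped, or within two typos of it
        if candidate == normalize(known) or edit_distance(candidate, normalize(known)) <= 2:
            return "lookalike", known
    return "unknown", None


def address_domain(addr):
    """Domain part of a bare address, or '' if there is none."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def who_check(raw_message, known_domains=KNOWN_VENDOR_DOMAINS):
    """Run the WHO question over one raw email; 'verify' True means pick up the phone."""
    msg = message_from_string(raw_message)
    from_domain = address_domain(parseaddr(msg.get("From", ""))[1])
    reply_domain = address_domain(parseaddr(msg.get("Reply-To", ""))[1])
    verdict, matched = classify_domain(from_domain, known_domains)
    # A Reply-To on another domain is the email form of "text me at my personal number".
    reply_to_mismatch = bool(reply_domain) and reply_domain != from_domain
    return {"from_domain": from_domain, "verdict": verdict, "matched": matched,
            "reply_to_mismatch": reply_to_mismatch,
            "verify": verdict != "known" or reply_to_mismatch}


# Constructed sample messages: one legitimate, the others each showing one trick.
SAMPLES = {
    "legit": "From: Ana Ruiz <ana.ruiz@summitconsultinggroup.com>\nSubject: March invoice\n\nAttached as usual.\n",
    "hyphen": "From: Ana Ruiz <ana.ruiz@summit-consultinggroup.com>\nSubject: Updated bank details\n\nPlease update our account.\n",
    "cyrillic": "From: Ana Ruiz <ana.ruiz@summitconsultinggr\u043eup.com>\nSubject: Updated bank details\n\n...\n",
    "typo": "From: Ana Ruiz <ana.ruiz@summitconsultinggruop.com>\nSubject: Updated bank details\n\n...\n",
    "embedded": "From: Ana Ruiz <billing@summitconsultinggroup.com.invoices-portal.net>\nSubject: Overdue\n\n...\n",
    "reply_to": "From: Ana Ruiz <ana.ruiz@summitconsultinggroup.com>\nReply-To: ana.ruiz.summit@freemail.example\nSubject: Confidential\n\nReply only to this thread.\n",
    "unknown": "From: Accounts <billing@someothervendor.example>\nSubject: Invoice\n\n...\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        r = who_check(raw)
        print(f"{name:9} {r['from_domain']:50} {r['verdict']:9} verify={r['verify']}")
```

A result of verify=True only means the message has earned the 30-second call; it does not tell you the message is malicious. The converse matters more: the check trusts the From header, which a sender domain without DMARC enforcement lets an attacker forge outright, so "known" means "no visible mismatch", not "safe". The edit-distance threshold is a judgment call too: two edits is reasonable for a long domain and too loose for a very short one.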
The calibration principle
Security Champions aren’t paranoid about everything. They’re accurate.
There’s a real cost to treating every message as a potential attack. If you flag every legitimate email as phishing, you waste your security team’s time on false alarms while they could be investigating real threats. If you refuse to click any link ever, you can’t do your job. If you call to verify every routine email, your colleagues will stop taking your calls.
The goal is heightened scrutiny for high-risk actions — anything involving money, passwords, sensitive data, or channel changes — combined with reasonable trust for routine business communication that checks out.
Being a Security Champion means making accurate calls, not paranoid ones. The person who correctly identifies three real threats is more valuable than the person who flags 50 legitimate emails.
What makes habits stick
Knowing the checklist isn’t enough. You need it to become automatic. Here’s how:
The 5-second pause
When urgency hits, when an email says “act now” or a phone call says “don’t hang up”, take one breath before acting. Five seconds. That’s enough time for your analytical brain to engage and run the checklist. Social-engineering attacks depend on you acting before thinking. A five-second pause defeats most of them.
Phone call muscle memory
Don’t save verification calls for when something feels suspicious. Make them routinely. Call to confirm vendor changes, payment details, and unusual requests as a matter of course. When it’s a habit, you won’t hesitate when it matters most.
Report without shame
“I wasn’t sure, so I’m reporting it” is always the right call. Security teams would rather investigate 100 false alarms than miss one real attack. The person who reports a false alarm is still more helpful than the person who stays silent about something real because they were embarrassed.
If your organization punishes people for reporting or makes them feel stupid for falling for phishing, that’s a cultural problem — not your fault. A healthy security culture treats reports as a signal that the system is working.
The Rule: WHO, WHAT, WHY, DOES IT MAKE SENSE. If any answer feels wrong, verify.