In brief
- Security awareness is about far more than email and phishing. A scientifically validated questionnaire (the HAIS-Q) distinguishes seven areas, from managing passwords and handling information to reporting incidents, and a new employee in particular has to find their way across all of those areas at once (Parsons et al., 2014).
- The first months are demonstrably a period of adjustment. Knowing what is expected of you, confidence in your own actions and familiarity with the organisation only build up over weeks to months (Bauer and Erdogan, 2011). That unfamiliarity makes newcomers vulnerable, because they do not yet know what is normal, who they can trust and where to turn.
- Knowledge alone changes behaviour little. It is above all the form and the timing of the training that make the difference (Prümmer, van Steen and van den Berg, 2024; Murre and Dros, 2015). At the same time there is strikingly little solid evidence from research that has followed new employees over a longer period, and confident figures circulate without a verifiable source.
Phishing is a major and persistent risk, and it is right that so much attention goes to it. In an earlier report in this series, The Attention Problem, we set out what the science says about phishing simulations and the approach that suits them. Security awareness, however, is broader than email alone, and nowhere does that breadth come together as much as in the first period after joining.
A new employee sets up accounts and devices in a short space of time, learns which data is sensitive, uses the organisation's systems for the first time, and meanwhile has to judge which messages and requests are normal. All of this happens while that person does not yet know the people, the processes and the way you report something. The gap between the start date and the moment someone truly feels at home forms a period in which the risk is higher than it is afterwards. This report sets out what the scientific research shows about that period, and which lessons follow from it for the timing and the form of the first training.
About this study
- Type: Literature review based on scientific research (peer-reviewed) and authoritative guidelines.
- Sources: A scientifically validated questionnaire for security awareness, review studies on the onboarding of new employees and on training, the Ebbinghaus forgetting curve, and figures from ENISA, Eurostat and CBS.
- As of: June 2026.
01 · FRAMEWORK
Awareness is broader than phishing
Anyone who thinks of security awareness quickly thinks of recognising a suspicious email. That is understandable, because phishing is a real and common risk. It is, however, only one part of a broader whole. An employee makes many small decisions every day that relate to security, and these reach further than the inbox.
The most widely used scientifically validated measurement instrument in this field, the Human Aspects of Information Security Questionnaire (HAIS-Q), groups that broader whole into seven areas: managing passwords, email use, internet use, social media use, mobile working, handling information, and reporting incidents (Parsons et al., 2014). Phishing falls within the area of email use and is therefore one of the seven, not the sum total. The value of this framework is that it makes awareness measurable across the full breadth, and that turns out to work: those who score higher on the HAIS-Q perform better in an experimental phishing test (Parsons et al., 2017).
[Figure 1: The seven areas of security awareness (chart title: Awareness across the full breadth). The seven areas of security awareness according to the HAIS-Q. Based on Parsons et al. (2014).]
02 · FINDING
The first months are a period of adjustment
That the start of employment is a distinctive period is well established in organisational psychology. Research into how new employees are onboarded and find their feet shows that things such as knowing what is expected of you, confidence in your own actions and being accepted by colleagues are not present immediately, but build up over the first months of employment (Bauer and Erdogan, 2011). A large review study that summarises many pieces of research confirms that picture and stresses that it is precisely the early experiences that determine how well someone ultimately adjusts (Bauer et al., 2025).
For security, it is above all that initial period of unfamiliarity that is relevant. An employee who does not yet know what is customary in the organisation lacks the footing to notice that something deviates from what should be normal. The same mechanism is at play in complying with security policy: employees who are better onboarded and feel more strongly connected to the organisation demonstrably adhere to the rules better (Ifinedo, 2014). In other words, the first months are not only a learning period for the role itself, but also for acting securely within it.
[Figure 2: The vulnerable period diminishes as someone settles in (chart title: Adaptation against risk over the first twelve months). Stylised depiction of a pattern that recurs in the literature: the settling in of new employees, such as knowing what is expected of you and self-confidence, increases over the first months, while the security risk is at its highest in that initial period and declines afterwards. Based on Bauer et al. (2007) and Bauer and Erdogan (2011).]
03 · EXPLANATION
Why unfamiliarity is a risk
The unfamiliarity of the first months is precisely what an attacker can exploit. Someone who does not yet know the customary way of working finds it harder to judge whether a request is legitimate. A new employee often does not yet know who is authorised to approve a payment, how login credentials should be shared, or what a message from management normally looks like. Add to that the fact that a newcomer is keen to make a good impression and therefore responds quickly and helpfully, and it becomes clear why deception stands a greater chance in this period.
This is about more than email alone. Deception can just as easily take place by phone, through a message or in person, and touches several of the seven areas at once. Insecurely sharing a password at the first login touches the management of access, misjudging a request for data touches the handling of information, and not knowing where to report something suspicious touches the reporting of incidents. Research into resistance to social manipulation shows that higher security awareness is associated with a greater likelihood that someone resists such an attempt (Grassegger and Nedbal, 2021). For someone who has just joined, that awareness across the full breadth is still being built up.
> A new employee does not so much lack the knowledge that something can be dangerous, but the footing to see that a request deviates from what is normal.
> Based on the research into the onboarding of new employees and into security awareness

04 · EXPLANATION
Knowledge is not enough, certainly not at the start
It seems obvious to counter that vulnerability with as much knowledge as possible, as early as possible. Science qualifies that. A review study that summarises the results of many pieces of research shows that the effect of training on knowledge and attitude is large, but that the average effect on actual behaviour remains small (Prümmer, van Steen and van den Berg, 2024). That difference is no coincidence. A well-known model for behaviour change, the Behaviour Change Wheel, describes that behaviour only changes when knowledge and skill, motivation and the opportunity to do the right thing come together (Michie, van Stralen and West, 2011).
It is precisely that last condition, opportunity, that is missing for a new employee. Someone may know that a password should never be requested over the phone, but without knowledge of the customary processes it is difficult to judge whether a specific request is suspicious. Onboarding that only transfers knowledge therefore meets just one of the three conditions. Passive instruction in which information is merely disseminated consequently changes behaviour hardly at all (Bada, Sasse and Nurse, 2015), whereas active, repeated and context-tailored forms do have an effect (Prümmer, van Steen and van den Berg, 2024).
On top of this comes the factor of time. Knowledge offered all at once fades quickly: the forgetting curve, described in 1885 by the German psychologist Hermann Ebbinghaus and confirmed in replicated research (Murre and Dros, 2015), shows that a large part of newly learned material already fades within days to weeks without repetition. A single training session on the first working day is therefore not enough, however well intended. What the literature suggests is training that starts early, is short and repeated, and that not only imparts knowledge but also helps someone get to know the organisation's way of working and learn where to report something.
05 · CONCLUSION
Early, broad and focused on behaviour
The vulnerability of the onboarding period is well explained by the literature. The first months are a period of adjustment in which an employee does not yet know the organisation, and that unfamiliarity is a vulnerability across the full breadth of security awareness that attackers can exploit. The literature does not point to more knowledge transfer alone, but to training that starts early, that covers the full breadth instead of phishing alone, and that is focused on behaviour by being short, repeated and set in the context of the work. Equally important is that an organisation gives the newcomer the opportunity to act securely, by making the way of working, the authorisations and the way you report something clear from the outset.
At the same time, modesty is in order. The underpinning for this period comes largely from related research, into the onboarding of new employees, into behaviour and into the fading of knowledge, and far less from studies that have measured the cyber risk of the first weeks in particular directly and over a longer period. The confident figures that circulate about this in trade publications can scarcely be traced to verifiable research. There is a clear gap here, which could be filled by following new employees from their first working day over a longer period with anonymised behavioural data.
Limitations
- This report is a literature review that summarises existing research, and contains no new research of its own.
- The underpinning for this initial period is largely indirect: it leans on research into the onboarding of new employees, behaviour and the fading of knowledge, and less on measurements of the cyber risk in the first weeks in particular.
- A questionnaire such as the HAIS-Q measures awareness, and that is something other than a count of actual incidents.
- The studies cited were carried out in a range of organisations and countries, which means the effects may differ from one environment to another.
Sources
- Bada, M., Sasse, A. M., and Nurse, J. R. C. (2015). Cyber Security Awareness Campaigns: Why do they fail to change behaviour? International Conference on Cyber Security for Sustainable Society. arxiv.org/abs/1901.02672
- Bauer, T. N., and Erdogan, B. (2011). Organizational socialization: The effective onboarding of new employees. In APA Handbook of Industrial and Organizational Psychology. researchgate.net/publication/285000696
- Bauer, T. N., Erdogan, B., Ellis, A. M., et al. (2025). New Horizons for Newcomer Organizational Socialization: A Review, Meta-Analysis, and Future Research Directions. Journal of Management. doi.org/10.1177/01492063241277168
- Ebbinghaus, H. (1885). Über das Gedächtnis: Untersuchungen zur experimentellen Psychologie. The original study of the forgetting curve, replicated well over a century later by Murre and Dros (2015).
- Grassegger, T., and Nedbal, D. (2021). The Role of Employees' Information Security Awareness on the Intention to Resist Social Engineering. Procedia Computer Science, 181, 59-66. doi.org/10.1016/j.procs.2021.01.103
- Ifinedo, P. (2014). Information systems security policy compliance: an empirical study of the effects of socialisation, influence, and cognition. Information & Management, 51(1), 69-79. academia.edu/20387560
- Michie, S., van Stralen, M. M., and West, R. (2011). The behaviour change wheel: a new method for characterising and designing behaviour change interventions. Implementation Science, 6:42. doi.org/10.1186/1748-5908-6-42
- Murre, J. M. J., and Dros, J. (2015). Replication and Analysis of Ebbinghaus' Forgetting Curve. PLOS ONE, 10(7), e0120644. University of Amsterdam. doi.org/10.1371/journal.pone.0120644
- Parsons, K., McCormac, A., Butavicius, M., Pattinson, M., and Jerram, C. (2014). Determining employee awareness using the Human Aspects of Information Security Questionnaire (HAIS-Q). Computers & Security, 42, 165-176. sciencedirect.com/.../S0167404813001235
- Parsons, K., Calic, D., Pattinson, M., et al. (2017). The HAIS-Q: Two further validation studies. Computers & Security, 66, 40-51. doi.org/10.1016/j.cose.2017.01.004
- Prümmer, J., van Steen, T., and van den Berg, B. (2024). Assessing the effect of cybersecurity training on end-users: A meta-analysis. Computers & Security, 150, 104206. doi.org/10.1016/j.cose.2024.104206
- ENISA (2024). Reframing Cybersecurity Awareness Raising: exploring the human factor. European Union Agency for Cybersecurity. enisa.europa.eu
- Eurostat (2024). ICT security in enterprises (survey 2024, incidents in 2023). ec.europa.eu/eurostat
- CBS (2023). Bijna 6 op 10 baanwisselaars korter dan twee jaar in dienst. Centraal Bureau voor de Statistiek. cbs.nl
- NCSC-NL. Guidance on incident response and reporting incidents. ncsc.nl