Should employees be informed before testing begins?
Vyvern generally recommends providing employees with as little information as possible before initial testing.
This creates a more realistic testing environment and helps organizations better evaluate:
Natural employee behavior
Existing security awareness levels
Real-world response patterns
Organizational exposure to social engineering risks
Providing advance details about testing can unintentionally influence employee behavior and reduce the accuracy of results.
Why is limited information recommended?
The goal of initial testing is to establish a realistic baseline.
If employees are heavily briefed beforehand, results may:
Reflect temporary caution rather than normal behavior
Reduce the effectiveness of awareness measurements
Create unrealistic testing conditions
Make workflow outcomes less representative of actual risk
A limited-information approach allows organizations to better understand their current security posture before implementing additional training or awareness initiatives.
Does Vyvern support awareness-focused deployments?
Yes.
Many organizations use initial testing to identify areas where:
Additional employee education may be needed
Security awareness gaps exist
Follow-up training should be introduced
Policies or internal processes can be improved
Vyvern is designed to support ongoing awareness improvement rather than one-time testing alone.
Is employee consent still important?
Organizations are responsible for ensuring testing aligns with:
Internal company policies
Legal requirements
HR and compliance standards
Organizational approval processes
Vyvern recommends that organizations coordinate with appropriate internal stakeholders before launching production workflows.
Recommended Approach
For most organizations, Vyvern recommends:
Minimal upfront employee detail about testing specifics
Controlled initial workflow deployment
Reviewing workflow outcomes and employee behavior
Providing follow-up education and awareness training afterward
This approach typically provides the most accurate baseline assessment while still supporting long-term security awareness improvement.
