Summary
Some employees report feeling “hoodwinked” despite providing written consent, as unclear details erode trust, according to a Cornell University study. In cybersecurity, deceptive phishing simulations strain trust further, putting greater pressure on organisations to rethink how they balance security and employee relationships.
Getting employees to sign on the dotted line guarantees consent from a legal standpoint, but it doesn’t always equate to emotional buy-in. A study by Cornell University highlights a critical gap in understanding consent: those who request it often overestimate how informed individuals feel about their agreement. This misalignment can erode trust when outcomes deviate from expectations. “You can’t just focus on getting someone to legally consent to something to protect yourself from liability,” explains Vanessa Bohns, Braunstein Family Professor of organisational development at Cornell. “You need to ensure they truly understand it—give them time to process and ask questions. Otherwise, trust erodes, and they feel their best interests aren’t being considered.”
Trust, supposedly the foundation of employer-employee relationships, is becoming increasingly fragile in today’s job market. Unlike previous generations, who often remained in one workplace for their entire careers, modern employees navigate unstable markets, leading to historic turnover rates and shorter tenures. According to PwC’s Trust Survey, 61% of workers believe a lack of perceived trust from employers affects their job performance.
In cybersecurity, trust is further strained by phishing simulations, a popular tool designed to test vulnerability by tricking employees into falling for fake scams. Though well-intentioned, these simulations risk alienating employees by exploiting their trust. While they can provide valuable insights, such as identifying which links employees are more likely to click, a misguided focus on deceit can overshadow their purpose. Employees may have technically consented to such measures in their contracts, but retroactively explaining these terms rarely mends compromised trust. Instead, cybersecurity practitioners should adopt collaborative approaches that close knowledge gaps without exploiting employees, fostering a culture of transparency and mutual understanding. This approach ensures employees feel supported rather than deceived, ultimately strengthening their resilience to real cyber threats while preserving trust in the workplace.