When is phishing education going too far?
I currently work on the IT security team at my workplace in a senior role. Recently, I assisted management in designing the phishing / social engineering training campaigns, by which IT security will send out phishing "test" emails to see how aware the company employees are when it comes to spotting such emails.

We have adopted a highly targeted strategy based not only on the user's job role but also on the content such employees are likely to see. The content has been varied, ranging from emails asking for sensitive content (e.g. updating a password) to fake social media posts to targeted advertising.

We have been getting pushback from end users that they have no way of distinguishing a legitimate email that they would receive day to day from truly malicious phishing emails. There have been requests to our team to scale back the difficulty of these tests.

Questions

When is phishing education going too far?

Is pushback from the end users demonstrative that their awareness is still lacking and that they need further training, specifically in the ability to distinguish legitimate from malicious emails?

Tags: phishing
asked 3 hours ago by Anthony, edited 1 hour ago by schroeder♦
So... they're complaining the test is too realistic? – Ben (3 hours ago)
@bremen_matt please do not answer in comments. Bundle all that up into an answer. – schroeder♦ (1 hour ago)
This "test" sounds more like spear phishing, which is at an entirely different level. – Michael Hampton (1 hour ago)
I would re-word the title from "education" to "testing" or "simulations". – schroeder♦ (37 mins ago)
4 Answers
> When is phishing education going too far?

When the cost exceeds the benefit. Benefit is generally measured in lower click-through rates and increased rates of reporting of genuine phishing emails. Cost can be measured in:
- the effort to implement the test
- false positive reporting of (not) phishing emails
- lower engagement rates on legitimate emails
- ill will towards the Security group.

The last is the hardest to measure, and often ignored, but if your job is to trick your own people, you shouldn't be surprised if they start viewing you with suspicion.

> Is pushback from the end users demonstrative that their awareness is still lacking and need further training, specifically the inability to recognize legitimate from malicious emails?

Um, maybe?

If their click-through rates remain high, then awareness is still lacking and they need further training.

If click-through rates in general have dropped, but the test emails consistently fool them, then their concerns about the testing may be legitimate.

It sounds like your content is pretty closely tailored to your users and even their job roles. This may be what is generating the negative reaction. Ideally, a phishing test should not rely upon knowledge or understanding of internal email practices, just as an attacker should not have access to those. (And note, your internal messaging should not look like your external messaging, for the same reason).

You may want to consider outsourcing your phishing tests. The organizations that are dedicated to offering this service have a better feel for what "in the wild" looks like, and their tools for measuring and reporting on engagement rates are usually better than you can do on your own.

Personally, I'm not fond of phish testing, because I believe it erodes trust between users and Security. But the fact of the matter is it's one of the best ways to improve your users' defences.

answered 2 hours ago by gowenfawr, edited 1 hour ago by schroeder♦
Forgive me if I am wrong. But if a few people click, wouldn't that be a failure? – Vipul Nair (1 hour ago)
@VipulNair eradication is not a realistic goal for phish training. I believe I've seen 10-20% click-through described as ideal improvement. I have seen organizations celebrate pushing down below 50%. – gowenfawr (1 hour ago)
@gowenfawr most recent research shows that getting below 10% is not realistic. Even CISOs click phishing emails (one CISO I know gets 600 emails a day and sometimes he clicks on a well-crafted phish). – schroeder♦ (31 mins ago)
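The cost/benefit framing in the answer above can be turned into numbers. The following is an added example (my code, not part of gowenfawr's answer and not the export format of any phishing platform): it aggregates a constructed event log of simulated phish, genuine phish and legitimate mail per campaign, computes the rates the answer names (click-through on simulations, click-through and reporting on genuine phish, false-positive reports and engagement on legitimate mail), and then applies the answer's two tests: click-through still high means more training, while genuine-phish clicks falling as the simulations keep fooling people supports the users' complaint about realism. The event tuple layout, campaign names, counts and the two thresholds (30% click-through, 10% false-report rate) are assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Metrics:
    """Per-campaign counters. Event kinds (assumed): 'sim' = simulated phish,
    'phish' = genuine phish that reached users, 'legit' = legitimate mail."""
    sim_sent: int = 0
    sim_clicked: int = 0
    sim_reported: int = 0
    phish_seen: int = 0
    phish_clicked: int = 0
    phish_reported: int = 0
    legit_seen: int = 0
    legit_opened: int = 0
    legit_reported: int = 0

    @staticmethod
    def _rate(num, den):
        return num / den if den else 0.0

    @property
    def sim_click_rate(self):
        return self._rate(self.sim_clicked, self.sim_sent)

    @property
    def phish_click_rate(self):
        return self._rate(self.phish_clicked, self.phish_seen)

    @property
    def phish_report_rate(self):
        return self._rate(self.phish_reported, self.phish_seen)

    @property
    def legit_false_report_rate(self):
        return self._rate(self.legit_reported, self.legit_seen)

    @property
    def legit_open_rate(self):
        return self._rate(self.legit_opened, self.legit_seen)


# For each event kind: (counter for "seen/sent", counter for "clicked/opened", counter for "reported").
KIND_FIELDS = {
    "sim": ("sim_sent", "sim_clicked", "sim_reported"),
    "phish": ("phish_seen", "phish_clicked", "phish_reported"),
    "legit": ("legit_seen", "legit_opened", "legit_reported"),
}


def campaign_metrics(events):
    """Aggregate (campaign, user, kind, acted, reported) records into per-campaign Metrics."""
    per = defaultdict(Metrics)
    for campaign, _user, kind, acted, reported in events:
        if kind not in KIND_FIELDS:
            raise ValueError(f"unknown event kind {kind!r}")
        m = per[campaign]
        seen_f, acted_f, reported_f = KIND_FIELDS[kind]
        setattr(m, seen_f, getattr(m, seen_f) + 1)
        setattr(m, acted_f, getattr(m, acted_f) + int(acted))
        setattr(m, reported_f, getattr(m, reported_f) + int(reported))
    return dict(per)


def assess(before, after, high_click=0.30, false_report_limit=0.10):
    """Apply the answer's reasoning to two consecutive campaigns. Thresholds are assumptions."""
    findings = []
    if after.sim_click_rate >= high_click and after.phish_click_rate >= high_click:
        findings.append("awareness: users still click both simulated and genuine phish; train more")
    elif after.sim_click_rate >= high_click and after.phish_click_rate < before.phish_click_rate:
        findings.append("realism: genuine-phish clicks fell but simulations still fool users; "
                        "check whether the tests lean on insider knowledge")
    if after.sim_click_rate < before.sim_click_rate:
        findings.append("benefit: click-through on simulations is falling")
    if after.phish_report_rate > before.phish_report_rate:
        findings.append("benefit: reporting of genuine phish is rising")
    if after.legit_false_report_rate > max(false_report_limit, before.legit_false_report_rate):
        findings.append("cost: false-positive reports of legitimate mail are rising")
    if after.legit_open_rate < before.legit_open_rate:
        findings.append("cost: engagement with legitimate mail is dropping")
    return findings


def _make(campaign, kind, n, acted, reported):
    """Expand counts into per-recipient records (constructed data, not real telemetry)."""
    return [(campaign, f"user{i}", kind, i < acted, i < reported) for i in range(n)]


# Constructed two-campaign log; Q2 is the harder, role-targeted wave.
EVENTS = (
    _make("Q1", "sim", 10, 6, 2) + _make("Q1", "phish", 5, 3, 1) + _make("Q1", "legit", 20, 19, 1)
    + _make("Q2", "sim", 10, 5, 3) + _make("Q2", "phish", 5, 1, 3) + _make("Q2", "legit", 20, 16, 4)
)

if __name__ == "__main__":
    by_campaign = campaign_metrics(EVENTS)
    for name, m in by_campaign.items():
        print(f"{name}: sim click {m.sim_click_rate:.0%}, genuine phish click {m.phish_click_rate:.0%}, "
              f"genuine phish reported {m.phish_report_rate:.0%}, legit falsely reported "
              f"{m.legit_false_report_rate:.0%}, legit opened {m.legit_open_rate:.0%}")
    for line in assess(by_campaign["Q1"], by_campaign["Q2"]):
        print(" -", line)
```

With the constructed data the second wave shows the pattern the answer describes: genuine-phish click-through halved and reporting of genuine phish rose, yet half the users still clicked the simulation, while false reports of legitimate mail and reduced opening of legitimate mail show the cost side climbing. Whether that verdict holds in practice depends entirely on having genuine-phish and legitimate-mail telemetry, which is why the answer suggests platforms that already collect it.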
I think there is an underlying problem that you will need to address. Why do the users care that they are failing?
Phishing simulations should, first and foremost, be an education tool not a testing tool.
If there are negative consequences to failing, then yes, your users are going to complain if the tests are more difficult than you have prepared them for. You would complain, too.
So, your response should be:
- educate them more (or differently) so that they can pass the tests (or rather, the comprehension tests, which is what they should be)
- remove negative consequences to failing
This might not require any content changes to your education material, but might only require a re-framing of the phishing simulations for users, management, and your security team.
Your focus needs to be the evolving maturity of your organisation's ability to resist phishing attacks, not getting everyone to be perfect on tests. Once you take this perspective, the culture around these tests and the complaints will change.
Do it right, and your users will ask for the phishing simulations to be harder, not easier. If you aim for that end result, you will have a much more resilient organisation.
The question of "going too far" requires context; what part is going too far?
The thing that phishing tests are trying to do is to make people suspicious of their email, because when they aren't then they are at risk of literally inviting unauthorized users onto the network.
So there shouldn't be an overwhelming amount of emails to the point that they are sifting through known bad emails to get to the ones they need to do their job, but there should be enough that it is commonly known that someone in the organization is portraying an attacker and trying to get them to click the wrong link because there are already people outside the organization trying to get them to do that.
The question then becomes when someone does go for the ploy, are you glad that you caught them instead of a malicious actor? As other people have mentioned here (and @BoredToolBox should not have been downvoted in my opinion) this is about education.
If you put that into the wording of the question then, I'm sure that it's not meant as "How much education is going too far?" right?
What is probably going too far in most organizations is the reaction to people who are clicking through, and especially if there is a punitive aspect to it. You should be glad when you are the one that caught the action, because it is a chance for you to help the user understand what could possibly have happened and why you are performing this exercise. People should not be punished or shamed.
Imagine that this was an exercise on how to prevent an illness from spreading worker to worker. A deadly virus that will lay dormant until it has found an appropriate host and will then possibly kill everyone, but they don't know that it is spread by people that are randomly coming in the front door handing them packages.
We have enough common sense to know not to just accept packages from people that walk into the building, but what people don't see is that this is exactly what is happening with their emails. So this is about a change in culture and perspective, and I don't really see what part of the knowledge of this is going too far when you are talking about education.
answered by Roostercrab (new contributor)

Yes I edited BoredToolBox's answer – schroeder♦ (33 mins ago)
The purpose of phishing simulations is not to make people suspicious, but to practice the procedures and behaviours taught in a safe simulation of an attack. – schroeder♦ (26 mins ago)
I faced something similar and am currently part of a team that runs something similar. Here are my two cents:

Education is a very tricky concept, as the way people learn is different for different individuals. But what I have seen is that if you try to condense the information you want to convey into 2-4 points, in as few words as possible, that always helps. We do something like this when it comes to educating people:

Whenever you get an email from someone outside the org, ask these questions:
- Do you personally know this email id?
- Do the email id and the domain name look fishy to you?
- Do you really want to click that link or want to give this guy your personal info?

And lastly we always mention that:

If you are not sure, please forward this email to the email id that verifies this@yourorg.com

- Definitely. Since all they need to do (I guess) is ignore that email or maybe forward it to your internal security team for review.

I guess what needs to be done here is more on education, because the employees need to know how a successful phish can hurt not only the company but also the employee.
The question is when a phishing campaign to educate employees crosses the line. You are answering "how to better educate them". – Vipul Nair (1 hour ago)
Downvoted for the reason @VipulNair stated – Kevin Voorn (1 hour ago)
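The three questions in the answer above are a manual checklist. The following is an added example (my code, not BoredToolBox's and not from the original page) that applies the same three checks mechanically to one message, which is useful for showing trainees exactly which header or link tripped each question: is the sender on a known-contact list, does the sender or Reply-To domain look like a lookalike of the organisation's own domain (one-character typo-squats after homoglyph normalisation, or the brand label wrapped in another domain), and does a link's visible text match where it actually points. `yourorg.com` is taken from the answer; the known-sender list, the sample message, the homoglyph table and the lookalike rules are assumptions. The brand-label rule goes beyond what the answer states and will also flag genuine partner domains that contain the brand, so it is a prompt for the reader, not a verdict.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

INTERNAL_DOMAIN = "yourorg.com"                             # the org's own domain, from the answer
KNOWN_SENDERS = {"helpdesk@yourorg.com", "hr@yourorg.com"}  # assumed contact list

# Constructed sample: a credential phish imitating the help desk (invented for this example).
SAMPLE = """\
From: "IT Helpdesk (helpdesk@yourorg.com)" <it-support@y0urorg.com>
Reply-To: reset@yourorg-secure.com
To: alice@yourorg.com
Subject: Your password expires today
Content-Type: text/html; charset="utf-8"

<p>Please <a href="http://yourorg-secure.com/reset">https://sso.yourorg.com/reset</a> within 24 hours.</p>
"""

# Characters commonly swapped in lookalike domains; assumed table, extend as needed.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def levenshtein(a, b):
    """Edit distance, used to catch one-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_internal(domain):
    return domain == INTERNAL_DOMAIN or domain.endswith("." + INTERNAL_DOMAIN)


def looks_like_internal(domain):
    """Lookalike test: homoglyph-normalised edit distance <= 1, or the org's brand
    label embedded in some other domain (heuristic; may flag real partner domains)."""
    if not domain or is_internal(domain):
        return False
    normalised = domain.translate(HOMOGLYPHS).replace("rn", "m")
    if levenshtein(normalised, INTERNAL_DOMAIN) <= 1:
        return True
    brand = INTERNAL_DOMAIN.split(".")[0]
    return any(brand in label for label in domain.split("."))


def triage(raw):
    """Apply the answer's three questions to one RFC 5322 message; returns (verdict, findings)."""
    msg = message_from_string(raw)
    findings = []
    display, sender = parseaddr(msg.get("From", ""))
    sender = sender.lower()

    # 1. Do you personally know this email id?
    if sender not in KNOWN_SENDERS:
        findings.append(f"unknown sender {sender}")

    # 2. Do the email id and the domain name look fishy?
    if looks_like_internal(domain_of(sender)):
        findings.append(f"sender domain {domain_of(sender)} imitates {INTERNAL_DOMAIN}")
    if "@" in display:  # a trusted-looking address smuggled into the display name
        findings.append(f"display name contains an address: {display!r}")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != domain_of(sender):
        findings.append(f"Reply-To domain {domain_of(reply_to)} differs from sender domain")

    # 3. Do you really want to click that link?
    body = msg.get_payload()
    for href, text in re.findall(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        target = (urlparse(href).hostname or "").lower()
        shown = (urlparse(text.strip()).hostname or "").lower() if "://" in text else ""
        if shown and shown != target:
            findings.append(f"link text shows {shown} but points to {target}")
        elif not is_internal(target) and re.search(r"reset|password|login", href, re.I):
            findings.append(f"credential-style link to external host {target}")

    return ("report to security" if findings else "no red flags"), findings


if __name__ == "__main__":
    verdict, flags = triage(SAMPLE)
    print(verdict)
    for flag in flags:
        print(" -", flag)
```

Run stand-alone it prints five red flags for the constructed message (unknown sender, typo-squatted sender domain, an address hidden in the display name, a Reply-To on a different domain, and a link whose visible text does not match its target). The checks are deliberately the same ones the trainees are asked to do by eye, so the output doubles as the explanation given back to a user who clicked.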
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "162"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f207389%2fwhen-is-phishing-education-going-too-far%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
4 Answers
4
active
oldest
votes
4 Answers
4
active
oldest
votes
active
oldest
votes
active
oldest
votes
- When is phishing education going too far?
When the cost exceeds the benefit. Benefit is generally measured in lower click-through rates and increased rates of reporting of genuine phishing emails. Cost can be measured in:
- the effort to implement the test
- false positive reporting of (not) phishing emails
- lower engagement rates on legitimate emails
- ill will towards the Security group.
The last is the hardest to measure, and often ignored, but if your job is to trick your own people, you shouldn't be surprised if they start viewing you with suspicion.
- Is pushback from the end users demonstrative that their awareness is still lacking and need further training,
specifically the inability to recognize legitimate from
malicious emails?
Um, maybe?
If their click-through rates remain high, then awareness is still lacking and they need further training.
If click-through rates in general have dropped, but the test emails consistently fool them, then their concerns about the testing may be legitimate.
It sounds like your content is pretty closely tailored to your users and even their job roles. This may be what is generating the negative reaction. Ideally, a phishing test should not rely upon knowledge or understanding of internal email practices, just as an attacker should not have access to those. (And note, your internal messaging should not look like your external messaging, for the same reason).
You may want to consider outsourcing your phishing tests. The organizations that are dedicated to offering this service have a better feel for what "in the wild" looks like, and their tools for measuring and reporting on engagement rates are usually better than you can do on your own.
Personally, I'm not fond of phish testing, because I believe it erodes trust between users and Security. But the fact of the matter is it's one of the best ways to improve your users' defences.
Forgive me if i am wrong.But if a few people click,wouldnt that be a failure?
– Vipul Nair
1 hour ago
2
@VipulNair eradication is not a realistic goal for phish training. I believe I've seen 10-20% click-through described as ideal improvement. I have seen organizations celebrate pushing down below 50%.
– gowenfawr
1 hour ago
@gowenfawr most recent research shows that getting below 10% is not realistic. Even CISOs click phishing emails (one CISO I know gets 600 emails a day and sometimes he clicks on a well-crafted phish).
– schroeder♦
31 mins ago
add a comment |
- When is phishing education going too far?
When the cost exceeds the benefit. Benefit is generally measured in lower click-through rates and increased rates of reporting of genuine phishing emails. Cost can be measured in:
- the effort to implement the test
- false positive reporting of (not) phishing emails
- lower engagement rates on legitimate emails
- ill will towards the Security group.
The last is the hardest to measure, and often ignored, but if your job is to trick your own people, you shouldn't be surprised if they start viewing you with suspicion.
- Is pushback from the end users demonstrative that their awareness is still lacking and need further training,
specifically the inability to recognize legitimate from
malicious emails?
Um, maybe?
If their click-through rates remain high, then awareness is still lacking and they need further training.
If click-through rates in general have dropped, but the test emails consistently fool them, then their concerns about the testing may be legitimate.
It sounds like your content is pretty closely tailored to your users and even their job roles. This may be what is generating the negative reaction. Ideally, a phishing test should not rely upon knowledge or understanding of internal email practices, just as an attacker should not have access to those. (And note, your internal messaging should not look like your external messaging, for the same reason).
You may want to consider outsourcing your phishing tests. The organizations that are dedicated to offering this service have a better feel for what "in the wild" looks like, and their tools for measuring and reporting on engagement rates are usually better than you can do on your own.
Personally, I'm not fond of phish testing, because I believe it erodes trust between users and Security. But the fact of the matter is it's one of the best ways to improve your users' defences.
Forgive me if i am wrong.But if a few people click,wouldnt that be a failure?
– Vipul Nair
1 hour ago
2
@VipulNair eradication is not a realistic goal for phish training. I believe I've seen 10-20% click-through described as ideal improvement. I have seen organizations celebrate pushing down below 50%.
– gowenfawr
1 hour ago
@gowenfawr most recent research shows that getting below 10% is not realistic. Even CISOs click phishing emails (one CISO I know gets 600 emails a day and sometimes he clicks on a well-crafted phish).
– schroeder♦
31 mins ago
add a comment |
- When is phishing education going too far?
When the cost exceeds the benefit. Benefit is generally measured in lower click-through rates and increased rates of reporting of genuine phishing emails. Cost can be measured in:
- the effort to implement the test
- false positive reporting of (not) phishing emails
- lower engagement rates on legitimate emails
- ill will towards the Security group.
The last is the hardest to measure, and often ignored, but if your job is to trick your own people, you shouldn't be surprised if they start viewing you with suspicion.
- Is pushback from the end users demonstrative that their awareness is still lacking and need further training,
specifically the inability to recognize legitimate from
malicious emails?
Um, maybe?
If their click-through rates remain high, then awareness is still lacking and they need further training.
If click-through rates in general have dropped, but the test emails consistently fool them, then their concerns about the testing may be legitimate.
It sounds like your content is pretty closely tailored to your users and even their job roles. This may be what is generating the negative reaction. Ideally, a phishing test should not rely upon knowledge or understanding of internal email practices, just as an attacker should not have access to those. (And note, your internal messaging should not look like your external messaging, for the same reason).
You may want to consider outsourcing your phishing tests. The organizations that are dedicated to offering this service have a better feel for what "in the wild" looks like, and their tools for measuring and reporting on engagement rates are usually better than you can do on your own.
Personally, I'm not fond of phish testing, because I believe it erodes trust between users and Security. But the fact of the matter is it's one of the best ways to improve your users' defences.
- When is phishing education going too far?
When the cost exceeds the benefit. Benefit is generally measured in lower click-through rates and increased rates of reporting of genuine phishing emails. Cost can be measured in:
- the effort to implement the test
- false positive reporting of (not) phishing emails
- lower engagement rates on legitimate emails
- ill will towards the Security group.
The last is the hardest to measure, and often ignored, but if your job is to trick your own people, you shouldn't be surprised if they start viewing you with suspicion.
- Is pushback from the end users demonstrative that their awareness is still lacking and need further training,
specifically the inability to recognize legitimate from
malicious emails?
Um, maybe?
If their click-through rates remain high, then awareness is still lacking and they need further training.
If click-through rates in general have dropped, but the test emails consistently fool them, then their concerns about the testing may be legitimate.
It sounds like your content is pretty closely tailored to your users and even their job roles. This may be what is generating the negative reaction. Ideally, a phishing test should not rely upon knowledge or understanding of internal email practices, just as an attacker should not have access to those. (And note, your internal messaging should not look like your external messaging, for the same reason).
You may want to consider outsourcing your phishing tests. The organizations that are dedicated to offering this service have a better feel for what "in the wild" looks like, and their tools for measuring and reporting on engagement rates are usually better than you can do on your own.
Personally, I'm not fond of phish testing, because I believe it erodes trust between users and Security. But the fact of the matter is it's one of the best ways to improve your users' defences.
edited 1 hour ago
schroeder♦
78.8k30175211
78.8k30175211
answered 2 hours ago
gowenfawrgowenfawr
54.7k11115161
54.7k11115161
Forgive me if i am wrong.But if a few people click,wouldnt that be a failure?
– Vipul Nair
1 hour ago
2
@VipulNair eradication is not a realistic goal for phish training. I believe I've seen 10-20% click-through described as ideal improvement. I have seen organizations celebrate pushing down below 50%.
– gowenfawr
1 hour ago
@gowenfawr most recent research shows that getting below 10% is not realistic. Even CISOs click phishing emails (one CISO I know gets 600 emails a day and sometimes he clicks on a well-crafted phish).
– schroeder♦
31 mins ago
add a comment |
Forgive me if i am wrong.But if a few people click,wouldnt that be a failure?
– Vipul Nair
1 hour ago
2
@VipulNair eradication is not a realistic goal for phish training. I believe I've seen 10-20% click-through described as ideal improvement. I have seen organizations celebrate pushing down below 50%.
– gowenfawr
1 hour ago
@gowenfawr most recent research shows that getting below 10% is not realistic. Even CISOs click phishing emails (one CISO I know gets 600 emails a day and sometimes he clicks on a well-crafted phish).
– schroeder♦
31 mins ago
Forgive me if i am wrong.But if a few people click,wouldnt that be a failure?
– Vipul Nair
1 hour ago
Forgive me if i am wrong.But if a few people click,wouldnt that be a failure?
– Vipul Nair
1 hour ago
2
2
@VipulNair eradication is not a realistic goal for phish training. I believe I've seen 10-20% click-through described as ideal improvement. I have seen organizations celebrate pushing down below 50%.
– gowenfawr
1 hour ago
@VipulNair eradication is not a realistic goal for phish training. I believe I've seen 10-20% click-through described as ideal improvement. I have seen organizations celebrate pushing down below 50%.
– gowenfawr
1 hour ago
@gowenfawr most recent research shows that getting below 10% is not realistic. Even CISOs click phishing emails (one CISO I know gets 600 emails a day and sometimes he clicks on a well-crafted phish).
– schroeder♦
31 mins ago
@gowenfawr most recent research shows that getting below 10% is not realistic. Even CISOs click phishing emails (one CISO I know gets 600 emails a day and sometimes he clicks on a well-crafted phish).
– schroeder♦
31 mins ago
add a comment |
I think there is an underlying problem that you will need to address. Why do the users care that they are failing?
Phishing simulations should, first and foremost, be an education tool not a testing tool.
If there are negative consequences to failing, then yes, your users are going to complain if the tests are more difficult than you have prepared them for. You would complain, too.
So, your response should be:
- educate them more (or differently) so that they can pass the tests (or rather, the comprehension tests, which is what they should be)
- remove negative consequences to failing
This might not require any content changes to your education material, but might only require a re-framing of the phishing simulations for users, management, and your security team.
Your focus needs to be the evolving maturity of your organisation's ability to resist phishing attacks, not getting everyone to be perfect on tests. Once you take this perspective, the culture around these tests and the complaints will change.
Do it right, and your users will ask for the phishing simulations to be harder not easier. If you aim for that end result, you will have a much more resilient organisation.
answered 1 hour ago
schroeder♦
The question of "going too far" requires context: what part is going too far?
The thing that phishing tests are trying to do is make people suspicious of their email, because when they aren't, they are at risk of literally inviting unauthorized users onto the network.
So there shouldn't be an overwhelming number of emails, to the point that they are sifting through known bad emails to get to the ones they need to do their job, but there should be enough that it is commonly known that someone in the organization is portraying an attacker and trying to get them to click the wrong link, because there are already people outside the organization trying to get them to do that.
The question then becomes: when someone does go for the ploy, are you glad that you caught them instead of a malicious actor? As other people have mentioned here (and @BoredToolBox should not have been downvoted, in my opinion), this is about education.
If you put that into the wording of the question, then I'm sure it's not meant as "How much education is going too far?", right?
What is probably going too far in most organizations is the reaction to people who are clicking through, especially if there is a punitive aspect to it. You should be glad when you are the one who caught the action, because it is a chance for you to help the user understand what could have happened and why you are performing this exercise. People should not be punished or shamed.
Imagine that this was an exercise on how to prevent an illness from spreading from worker to worker: a deadly virus that lies dormant until it has found an appropriate host and will then possibly kill everyone, but they don't know that it is spread by people who randomly come in the front door and hand them packages.
We have enough common sense to know not to just accept packages from people who walk into the building, but what people don't see is that this is exactly what is happening with their emails. So this is about a change in culture and perspective, and I don't really see what part of this knowledge is going too far when you are talking about education.
Yes, I edited BoredToolBox's answer
– schroeder♦
33 mins ago
The purpose of phishing simulations is not to make people suspicious, but to practice the procedures and behaviours taught in a safe simulation of an attack.
– schroeder♦
26 mins ago
edited 29 mins ago
schroeder♦
answered 42 mins ago
Roostercrab
Faced something similar and currently part of a team that runs something similar. Here are my two cents:
Education is a very tricky concept, as the way people learn is different for different individuals. But what I have seen is that if you try to condense the information you want to convey into 2-4 points, in as few words as possible, that always helps. We do something like this when it comes to educating people:
Whenever you get an email from someone outside the org, ask these questions:
- Do you personally know this email id?
- Do the email id and the domain name look fishy to you?
- Do you really want to click that link or give this guy your personal info?
And lastly we always mention that:
if you are not sure, please forward this email to the email id that verifies this@yourorg.com
- Definitely, since all they need to do (I guess) is ignore that email or maybe forward it to your internal security team for review.
I guess what needs to be done here is more education, because the employees need to know how a successful phish can hurt not only the company but also the employee.
The question is when a phishing campaign to educate employees crosses the line. You are answering "how to better educate them".
– Vipul Nair
1 hour ago
Downvoted for the reason @VipulNair stated
– Kevin Voorn
1 hour ago
edited 1 hour ago
schroeder♦
answered 2 hours ago
BoredToolBox
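The three questions in BoredToolBox's answer (is the sender known, does the domain look fishy, does the link go where it says) can also be run mechanically by the security team over messages users forward for review. This is an added example, not code from the answer or from any product: the org domain yourorg.com comes from the answer, while the allowlist, the lookalike domain yourorg.co and the sample message are constructed.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_DOMAIN = "yourorg.com"                  # the org's own domain, taken from the answer above
KNOWN_SENDERS = {"alice@partner.example"}   # constructed allowlist of known external contacts

def edit_distance(a, b):
    """Plain Levenshtein distance, used to spot one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host):
    """Crude 'last two labels' view of a hostname (no public-suffix list here)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

class LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def triage(raw_message):
    """Answer the three checklist questions for one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    _, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = addr.rpartition("@")[2].lower()
    sender_reg = registrable(sender_domain)
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = LinkCollector()
    collector.feed(body.get_content() if body is not None else "")
    mismatched = []   # links whose visible text names a different site than the href
    for text, href in collector.links:
        shown = text if "://" in text else "http://" + text
        shown_host = registrable(urlparse(shown).hostname or "")
        if "." in shown_host and shown_host != registrable(urlparse(href).hostname or ""):
            mismatched.append((text, href))
    return {
        "sender_known": addr.lower() in KNOWN_SENDERS or sender_reg == ORG_DOMAIN,
        "sender_domain": sender_domain,
        "lookalike_of_org": sender_reg != ORG_DOMAIN and edit_distance(sender_reg, ORG_DOMAIN) <= 1,
        "mismatched_links": mismatched,
    }

# Constructed sample: a lookalike sender domain and a link whose text and target disagree.
SAMPLE = """\
From: "IT Helpdesk" <helpdesk@yourorg.co>
To: bob@yourorg.com
Subject: Password expiry notice
Content-Type: text/html; charset="utf-8"

<html><body><p>Your password expires today. Reset it at
<a href="https://yourorg-com.example/reset">https://yourorg.com/reset</a></p></body></html>
"""
```

Running `triage(SAMPLE)` flags all three questions: the sender is unknown, its domain is one edit away from the org's, and the link text and target disagree.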
So.... they're complaining the test is too realistic?
– Ben
3 hours ago
@bremen_matt please do not answer in comments. Bundle all that up into an answer.
– schroeder♦
1 hour ago
This "test" sounds more like spear phishing, which is at an entirely different level.
– Michael Hampton
1 hour ago
I would re-word the title from "education" to "testing" or "simulations"
– schroeder♦
37 mins ago