The Wall Street Journal is considered a legitimate publication read by business executives, who would justifiably consider any advice provided. That’s why I am concerned that some people might be swayed by the recently published article, “Why Companies Shouldn’t Try to Catch Employees with Fake Phishing Emails.” Given that phishing simulations are a staple of most cybersecurity programs, I want the community to ask questions about the assertions in the article and be able to respond to questions from management if asked.
The purpose of phishing simulations is to increase diligence on the part of users. If increased diligence means increased stress for some users, that is unavoidable. The latest Verizon Data Breach Investigations Report shows phishing to be one of the biggest drivers of data breaches, and users need to be diligent.
The author, Rick Walsh, asserts that some phishing lures generated more response than others and that some users experience stress and anxiety. Therefore, as the title of the article says, companies should stop using phishing simulations. I disagree. Technically, all these things can be true, but they are most often true in poorly designed programs.
Having designed and assessed countless awareness programs, I unfortunately know that many awareness programs, including phishing simulations, are poorly designed and a waste of time and money. I used this analogy on LinkedIn: If you give a monkey a violin, and the monkey makes horrible music, it’s not the violin’s fault. Awareness tools are the violin, and in this case, the academic researcher and bad security program designs are the monkey.
Yes, awareness managers should not just put out phishing simulations without making sure that people know why they do so. I once spoke to a financial analyst at one of the largest investment banks in the world, who told me that he hates phishing simulations because he could be fired if he fails three of them in a year. I asked how he felt about it, and the response was enlightening, “Well, if I click on a real phish at this company, I can cost them more money than I will make in a lifetime.” He knew the “Why”, to the credit of the bank’s awareness team.
I also spoke to a less supportive HR manager, who complained about feeling “tricked” after clicking on a phishing simulation, though she volunteered that it did make her more diligent. I bit my tongue as I considered all of the sensitive information she could have exposed if the simulated message were real.
Some phishing lures are better than others for training, and this is exactly why you want a skilled person who performs tests frequently and knows which lures are better suited to a given purpose than others.
Regarding users being stressed: unfortunately, instilling a sense of diligence in users can add to stress for some people. However, it shouldn’t be considered any different from instilling good driving habits in truck drivers, safe food handling habits in food service workers, or proper diligence on the part of HR managers. Frankly, ransomware these days is infinitely more of an existential threat to an organization than a single unsafe truck driver, and we don’t talk about driving tests as too stressful for truck drivers.
There are a few facts and commonly accepted scientific principles that present challenges to changing human behavior. For example, there is the forgetting curve, which holds that if you give someone educational information and they don’t apply it, their memory of the information fades. Phishing simulations essentially interrupt the forgetting curve and can reinforce all awareness lessons.
Likewise, in safety science there is the principle of complacency. When nothing happens, people become complacent and ignore safety practices. Phishing simulations help to interrupt not just the forgetting curve, but also the feeling of complacency that sets in because secure email gateways are effective at weeding out real phishing messages, so users rarely see one.
Interesting research performed by Elevate Security and The Cyentia Institute found 4% of users caused 80% of damage. These phishing simulations help to identify that 4% of users, allowing the organization to better train them and otherwise reduce the risk they pose.
Independently, I performed research and found that users who had high levels of self-discipline but fell for a phishing message would never click on a second phishing message. So, in this case, the risk these individuals posed to the organization, however minimal, was mitigated. Clearly, this is not everyone, but phishing simulations do have a risk reduction impact.
Not performing phishing simulations isn’t even a discretionary choice for many organizations because most compliance audits expect to see phishing simulations as part of a security strategy. Additionally, many phishing engines now implement machine learning technology that better tailors the sophistication and context of lures to users.
Again, I will not argue that many, if not most, phishing simulations are poorly designed and implemented. This does not mean that they will not provide value if implemented properly.