Phishing has become the number one cyber issue for organizations, with 91% of cyber-attacks coming from malicious emails, according to Deloitte. As organizations embark on implementing anti-phishing campaigns, security awareness firm CybSafe recently argued that these are not always successful.
In the company’s latest ebook, A new approach to simulated phishing, published on August 24, 2022, CybSafe identified four significant shortcomings of traditional simulated phishing: “They take people by surprise. They’re used to assign more tick-box training. They’re focused on the wrong metrics. They’re too short.”
First, the firm said, although it may sound counter-intuitive, simulated phishing campaigns should never be run in secret. It can alter employees’ motivation and create mistrust, and it fails to teach people to recognize signs of phishing.
“It’s better for people to think they’re always being phished. Because they are, by real criminals,” the company says.
Further, anti-phishing campaigns should not be the sole basis for assigning new training in a ‘gun-to-the-head’ approach, CybSafe argues. For one thing, the metrics traditionally used, click rates and report rates, do not explain ‘why’ people click – and fail. In addition, “it causes people to associate ‘failing’ a phishing test with training. It makes training feel like punishment.”
CybSafe promotes a four-step, ‘people-centric’ approach based on the Agile methodology. Here are Infosecurity Magazine’s takeaways from the firm’s ebook.
1. Set specific goals and an extended list of critical metrics
The first step of CybSafe’s recommended simulated phishing method, ‘Setting your goals and planning,’ starts with listing things the security decision-makers want to achieve. The ebook gives examples such as ‘I want to understand what types of emails my people are most likely to engage with’ or ‘I want to increase my people’s ability to spot and report genuine phishing attacks.’
These two goals, for instance, are very different. While, in the first case, the security decision-makers will focus on the impact of email categories, origins and influence techniques in click rates, in the second case, they will more likely aim at increasing the rate and accuracy of reporting malicious emails from the ‘victims.’
These goals can be combined in a single campaign. But to meet them, measuring click rates will be insufficient, says CybSafe.
Here are a few other metrics to consider:
- Confirmed security incidents linked to phishing
- Time to detect security incidents linked to phishing
- Near misses linked to phishing
- Number of employees asking for help determining the legitimacy of an email
- Policy violations linked to phishing (such as sharing sensitive information via email)
- The total number of repeat clickers
- Employee satisfaction and attitude surveys
- Direct feedback from employees
- Open rates and engagement with phishing-related communications
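As an added illustration that is not part of the CybSafe ebook or of any simulation tool, the following Python derives several of the metrics above (click and report rates per lure category, median time to report, repeat clickers) from campaign event records; the event layout and sample rows are constructed for this example.

```python
# Added example: extended phishing-simulation metrics from campaign events.
# The event format (campaign,user,category,event,timestamp) is constructed here.
import csv, io
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: two campaigns, three lure categories, three users.
SAMPLE_EVENTS = """campaign,user,category,event,timestamp
c1,alice,invoice,sent,2022-09-01T09:00:00
c1,alice,invoice,clicked,2022-09-01T09:07:00
c1,bob,invoice,sent,2022-09-01T09:00:00
c1,bob,invoice,reported,2022-09-01T09:03:00
c1,carol,invoice,sent,2022-09-01T09:00:00
c1,carol,invoice,clicked,2022-09-01T09:20:00
c1,carol,invoice,reported,2022-09-01T09:25:00
c2,alice,parcel,sent,2022-10-01T09:00:00
c2,alice,parcel,clicked,2022-10-01T09:02:00
c2,bob,parcel,sent,2022-10-01T09:00:00
c2,carol,it-support,sent,2022-10-01T09:00:00
c2,carol,it-support,reported,2022-10-01T09:40:00
"""

def campaign_metrics(text=SAMPLE_EVENTS):
    by_cat = defaultdict(Counter)          # category -> counts of each event type
    sent_at, clicks, delays = {}, Counter(), []
    for r in csv.DictReader(io.StringIO(text)):
        ts = datetime.fromisoformat(r["timestamp"])
        by_cat[r["category"]][r["event"]] += 1
        if r["event"] == "sent":
            sent_at[(r["campaign"], r["user"])] = ts
        elif r["event"] == "clicked":
            clicks[r["user"]] += 1
        elif r["event"] == "reported":      # minutes from delivery to report button
            delays.append((ts - sent_at[(r["campaign"], r["user"])]).total_seconds() / 60)
    return {
        # which lure categories people engage with (first goal above)
        "click_rate": {c: v["clicked"] / v["sent"] for c, v in by_cat.items()},
        # how often and how quickly people report (second goal above)
        "report_rate": {c: v["reported"] / v["sent"] for c, v in by_cat.items()},
        "median_minutes_to_report": median(delays) if delays else None,
        # users who clicked in more than one campaign
        "repeat_clickers": sorted(u for u, n in clicks.items() if n > 1),
    }

if __name__ == "__main__":
    from pprint import pprint
    pprint(campaign_metrics())
```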
2. Involve the top management with financial indicators
Once the relevant metrics are carefully picked, the planning step is not over. For a successful anti-phishing campaign, security decision-makers must involve people across all company departments, including HR and legal teams and top management.
To get senior managers involved, CybSafe recommends using two different arguments. First, “make sure [they] understand the risks” by showing them phishing statistics. “Verizon’s Data Breach Investigations Report is the place to start,” adds the ebook.
Then, “show them how much money your campaign will save” by calculating some of the following numbers:
- Single loss expectancy (SLE), the average amount lost per phishing attack
- Annual loss expectancy (ALE), the loss caused by successful phishing attacks each year
- Modified annual loss expectancy (mALE), the loss caused by successful phishing attacks each year after you’ve implemented your security program
- Return on security investment (ROSI), the percentage your security program is expected to save each year
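The ebook names these figures without spelling out the arithmetic; the block below is an added worked example (not from CybSafe) using the standard security-economics relations ALE = SLE × ARO and ROSI = (ALE − mALE − program cost) / program cost, where ARO (annualized rate of occurrence) and the expected reduction in successful phishes are assumptions you would estimate from your own incident data.

```python
# Added example: SLE, ALE, mALE and ROSI for a simulated-phishing programme.
# Formulas are the standard ones; the input figures are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class PhishingRisk:
    sle: float            # single loss expectancy: average loss per successful phish
    aro: float            # annualized rate of occurrence: successful phishes per year
    program_cost: float   # yearly cost of the simulation and training programme
    aro_reduction: float  # fraction of successful phishes the programme is expected to prevent

    def ale(self) -> float:
        """Annual loss expectancy before the programme."""
        return self.sle * self.aro

    def male(self) -> float:
        """Modified ALE: expected yearly loss once the programme is in place."""
        return self.ale() * (1.0 - self.aro_reduction)

    def rosi(self) -> float:
        """Return on security investment, as a fraction of the programme cost."""
        if self.program_cost <= 0:
            raise ValueError("program_cost must be positive")
        return (self.ale() - self.male() - self.program_cost) / self.program_cost

    def breakeven_reduction(self) -> float:
        """Smallest ARO reduction at which the programme pays for itself (ROSI = 0)."""
        return self.program_cost / self.ale()


if __name__ == "__main__":
    risk = PhishingRisk(sle=25_000, aro=4, program_cost=40_000, aro_reduction=0.6)
    print(f"ALE                  : {risk.ale():>10,.0f}")
    print(f"mALE                 : {risk.male():>10,.0f}")
    print(f"ROSI                 : {risk.rosi():>10.0%}")
    print(f"break-even reduction : {risk.breakeven_reduction():>10.0%}")
```

The break-even figure is the one to put in front of senior managers alongside ROSI: it states how much the programme must cut successful phishing before it stops costing money.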
3. Set a reporting mechanism
The second step of the CybSafe method is focused on designing the campaign. Here, the first two priorities are adding a report button that any employee can press as soon as they encounter what they think is a malicious email, and automating a thank-you response.
“Everyone needs a little recognition, and you’ll be surprised what a show of gratitude can do to boost motivation and reinforce good security behaviors,” reads the ebook.
4. Analyze data for measuring both technical and emotional drivers
To analyze the data coming from the reports, you don’t necessarily need fancy tools – “a great free option is GoPhish […] and a good ol’ spreadsheet,” says the ebook.
However, CybSafe insists on the importance of expanding the analysis to measure not only straightforward metrics but also emotional drivers – understanding why someone has clicked on that email.
CybSafe suggests three ways this can be monitored: directly on the phishing templates, with point-of-click surveys that pop up when someone clicks on a malicious link, or with follow-up surveys that you send later in the process.
5. Set personalized training
Once you have run your campaign and analyzed the relevant data, it’s time to act upon what you have found. Here, CybSafe recommends deploying tailored training – or what it calls ‘intelligent’ training. “How ‘intelligent’ you make your campaign is up to you … and your resources. If you can only support department-level training, then do that. If you can only personalize by country, personalize by country!”
“Just don’t use personalization as an excuse to postpone your campaign. Some personalization is better than no personalized training,” concludes CybSafe.
Finally, CybSafe wanted to practice what they preach and invited social engineer James Linton to phish Al Parisian, ex-chief information officer (CIO) at several organizations in insurance and current senior analyst at Celent. The experience was showcased in a webinar hosted by CybSafe on August 24, 2022.