Phishing Simulations - Perception vs. Reality
Senior Security Consultant at i-confidential
Running phishing simulations are an effective way to measure your organisation’s cyber awareness. Unfortunately, these simulations are not always warmly embraced by the employees who are subject to them.
Let’s explore some commonly held views about phishing simulations and what you can do to address them.
What Are Phishing Simulations?
Phishing simulations involve delivering emails to your employees that mimic real phishing attacks to see what they do when faced with this potential cyber threat. Results are captured during the exercise.
How Do They Help?
There are several reasons why phishing simulations are worth incorporating into your cyber programme:
Like practicing a fire drill, they encourage people to stay alert and embed the process for reporting cyber attacks.
They identify the ways people report security concerns so you can streamline incident response processes.
They provide an opportunity to reiterate cyber security messaging.
Phishing simulations often have a negative reputation amongst business colleagues.
“Oh, you mean that thing sent by security to catch me out?”
Words to that effect are a regular response the further away you get from security and IT departments. The dedicated security practitioners among us still have work to do to create more positive awareness in this area.
There are a few common perception problems to consider.
Communicating Simulation Results
When communicating a phishing simulation result, it is important to guard against two themes that can emerge:
The perception that it is a vulnerability or penetration test type of activity. In other words, the goal is simply to identify as many weaknesses as possible.
The desire to see who ‘fell for’ the phishing simulation.
Both are counter to the goals of security awareness.
Humans are not machines. The security risk from human behaviour needs to be treated differently from that of a laptop or server.
Why? The easiest way to disengage people, create uncertainty, and ultimately damage future messaging about security is to make people feel tricked and break their trust. You do that with simulations that are too challenging, too quickly. It is much better to ease people into the process with scenarios that are simpler to spot.
Sharing the names of people who are taken in by the simulation is also a negative action that will inhibit engagement going forward.
User Click Rate Stats to Measure Programme Effectiveness
One of the most popular cyber security metrics, click rate can be perceived as a good indicator of how well your phishing simulation is doing at changing cyber behaviours.
In reality, the click rate can vary widely just by changing a simulation’s design or deployment parameters. And unless you know the exact details of the scenarios in question, comparison against other organisations is extremely difficult. Even the day of the week or the time a simulation happened can significantly impact results.
Communications about Phishing Simulations
Teams running phishing simulations can struggle to ensure their message is heard without:
Frightening people – by deploying scare tactics into messaging or creating a fear culture where staff are reluctant to report incidents in case they get into trouble.
Boring people – by talking about things that feel irrelevant to day-to-day work.
Annoying people – by issuing unclear or contradictory messaging.
How to Overcome These Problems?
The purpose of running phishing simulations is to heighten awareness and teach people what to do should they receive a communication which they suspect is not what it seems.
Effective teaching requires trust. In my work, I build that with people in client organisations via honest, open communication and full transparency around phishing simulation objectives.
A phishing simulation is often the closest engagement a typical employee will have with security teams. Therefore, the design of scenarios, communications, and results feedback is critical to ensure you build good rapport with people.
I work with teams to ensure the purpose and goals of a phishing simulation are clear. These should also be communicated to security awareness stakeholders across all departments and management.
I will ensure decision makers agree it is not like running a vulnerability test that looks purely for numbers and that they are aware of the simulation’s wider benefits.
If colleagues have questions, there must be somewhere available to go for the answers. This should include information about what happens if they did interact with a phishing simulation – once they realise this it can often cause uncertainty.
These steps contribute to building a culture that focuses on report rate measurement – the sort of data we really want to capture.
Benefits of This Approach
With the right communication, people feel supported as they learn about the key threats to be aware of. They know who to speak to if they see something suspicious, and they feel like they can engage with security teams in a positive manner – no one is out to ‘get them’.
And the best thing about focusing on report rates? You can benchmark the data across other organisations.
Here to Help
I have highlighted some of the initial best practices to consider when running employee security awareness campaigns. If you would like a conversation about your own campaigns or engagement levels with colleagues, please feel free to reach out.