Educause Security Discussion mailing list archives
Re: Faculty Acceptance of Security Awareness Education?
From: Ken Connelly <Ken.Connelly () UNI EDU>
Date: Tue, 1 Dec 2009 10:06:52 -0600
Steve Romig wrote:
> On Nov 30, 2009, at 12:07 PM, Matthew Wollenweber wrote:
>> I'm friends with the phishme guys and the metrics they have are 25% of people fall for unsophisticated attacks and 75% fall for sophisticated attacks.
>
> If that's true, then wow. Does anyone know of any actual studies about response rates to phishing attacks and effectiveness of training (or for social engineering attacks in general)?
>
> I've got a friend in the consulting business who does phishing attacks for the banking industry, and he claims a 7% pre-training response rate for semi-sophisticated attacks (some effort made to make the phish look credible - attaching names of actual bank execs, use the bank's name in the email, no spelling/grammar mistakes, etc.) 7% is a far cry from even 25%, let alone 75%. I've heard other numbers from other people, and I don't have any grounds to disbelieve any of them (and they could all be true in their own contexts, anyway).
>
> --- Steve

Don't forget, the "phishme" guys help their cause by using the highest possible numbers they can justify - it helps them make a case that their services are needed.

It's the same theory behind why end-user personal firewalls are so incredibly noisy - to make the user constantly aware that the software is very active and worth the cost. After all, wouldn't you be happy that it stopped an "attack" (single packet) on port 23423? Even though there's no daemon listening to that port?

--
- Ken
=================================================================
Ken Connelly
Associate Director, Security and Systems
ITS Network Services
University of Northern Iowa
email: Ken.Connelly () uni edu
p: (319) 273-5850
f: (319) 273-7373