Educause Security Discussion mailing list archives
Re: Faculty Acceptance of Security Awareness Education?
From: Matthew Wollenweber <mjw () CYBERWART COM>
Date: Tue, 1 Dec 2009 12:29:02 -0500
While I was doing pen testing, our phishing service tended to have a 40-60% success rate for unsophisticated targeted attacks. When we were allowed to be very sophisticated, the numbers were incredible. In most cases we had callbacks into the network within 5 minutes. I can't recall ever not getting in. I also can't recall security being able to entirely block us from the network once we were in.

The most relevant paper is the one featured in this Ars article: http://arstechnica.com/security/news/2008/09/study-confirms-users-are-idiots.ars

These papers don't have the exact metrics I might want, but they're worth reading:
http://www.ceas.cc/2007/papers/paper-34.pdf
http://www.antiphishing.org/reports/apwg_report_h1_2009.pdf

On Tue, Dec 1, 2009 at 10:46 AM, Steve Romig <romig.1 () osu edu> wrote:
On Nov 30, 2009, at 12:07 PM, Matthew Wollenweber wrote:

I'm friends with the phishme guys and the metrics they have are 25% of people fall for unsophisticated attacks and 75% fall for sophisticated attacks.

If that's true, then wow. Does anyone know of any actual studies about response rates to phishing attacks and effectiveness of training (or for social engineering attacks in general)? I've got a friend in the consulting business who does phishing attacks for the banking industry, and he claims a 7% pre-training response rate for semi-sophisticated attacks (some effort made to make the phish look credible - attaching names of actual bank execs, use the bank's name in the email, no spelling/grammar mistakes, etc.) 7% is a far cry from even 25%, let alone 75%. I've heard other numbers from other people, and I don't have any grounds to disbelieve any of them (and they could all be true in their own contexts, anyway).

--- Steve
--
Matthew Wollenweber
mjw () cyberwart com
240-753-0281