Educause Security Discussion mailing list archives
Re: Faculty Acceptance of Security Awareness Education?
From: Matthew Wollenweber <mjw () CYBERWART COM>
Date: Tue, 1 Dec 2009 12:41:05 -0500
On Tue, Dec 1, 2009 at 11:06 AM, Ken Connelly <Ken.Connelly () uni edu> wrote:
Steve Romig wrote:

On Nov 30, 2009, at 12:07 PM, Matthew Wollenweber wrote:

I'm friends with the phishme guys and the metrics they have are 25% of people fall for unsophisticated attacks and 75% fall for sophisticated attacks.

If that's true, then wow. Does anyone know of any actual studies about response rates to phishing attacks and effectiveness of training (or for social engineering attacks in general)? I've got a friend in the consulting business who does phishing attacks for the banking industry, and he claims a 7% pre-training response rate for semi-sophisticated attacks (some effort made to make the phish look credible - attaching names of actual bank execs, use the bank's name in the email, no spelling/grammar mistakes, etc.). 7% is a far cry from even 25%, let alone 75%. I've heard other numbers from other people, and I don't have any grounds to disbelieve any of them (and they could all be true in their own contexts, anyway).

--- Steve

Don't forget, the "phishme" guys help their cause by using the highest possible numbers they can justify - it helps them make a case that their services are needed. It's the same theory behind why end-user personal firewalls are so incredibly noisy - to make the user constantly aware that the software is very active and worth the cost. After all, wouldn't you be happy that it stopped an "attack" (single packet) on port 23423? Even though there's no daemon listening to that port?
You're making an assumption there. The "phishme" guys might have a potential motive to use higher stats to justify their service, but unless you have other data you shouldn't claim their stats are being tweaked. Measuring phishing success is difficult and there are lots of ways to do it - most of which someone can argue about.

There are a few things that I think we could all agree on though: Trojans, delivered via phishing (which I include fake AV, fake Flash, *cough* fake codecs) account for a huge portion of incidents. Also, (in my data) there is little correlation between patch level and incidents. If you look back historically, incidents have been tied to patch level because systems were compromised by an exploit targeting an unpatched vulnerability. If that's not the case anymore there are few remaining possibilities. One is that everyone is getting owned by 0day over and over without detecting it -- which is unlikely en masse. The more you use an exploit the more likely it is to get known. Or we go back to the users clicking things. My IDS indicates they're doing that a lot. Phishing is successful and a huge problem that needs to be addressed.
--
- Ken
=================================================================
Ken Connelly
Associate Director, Security and Systems
ITS Network Services
University of Northern Iowa
email: Ken.Connelly () uni edu
p: (319) 273-5850
f: (319) 273-7373
--
Matthew Wollenweber
mjw () cyberwart com
240-753-0281