Educause Security Discussion mailing list archives

Re: attempts sending fake phishing messages to students and/or employees


From: "Davis, Thomas R" <tdavis () IU EDU>
Date: Fri, 11 Jun 2010 08:10:25 -0400

On Jun 10, 2010, at 9:21 AM, Dave Kovarik wrote:

With one exception, I have yet to have top level management
agree in practice that phishing one's own community was a good idea.

Agreed.  I can understand the "research" benefits of conducting fake phishing.  However, on the "operational" side of the house, the benefits are minimal and the political fallout great.  The real question is, even if you do conduct a fake phishing run against your users, what will you do with the results?  Do better awareness training?  If so, why not focus on the awareness training instead of fake phishing?

Based on real phishing success rates, I'm pretty certain the fake phishing run will be successful too.  So, why do it?  
There *might* be a couple of legitimate reasons, but none IMHO outweigh the damaged goodwill that others have mentioned.

-- 
Tom Davis, CISSP, CISM
Chief Security Officer
Public Safety and Institutional Assurance
Indiana University
https://informationsecurity.iu.edu/Tom_Davis

