Educause Security Discussion mailing list archives
Re: attempts sending fake phishing messages to students and/or employees
From: Ben Woelk <fbwis () RIT EDU>
Date: Fri, 11 Jun 2010 09:40:50 -0400
I agree that the fallout is not worth a marginal increase in awareness due to the phishing exercise. I think the key here is understanding the goals of the phishing exercise. If it's to reduce the phishing success rate, there are other awareness methods. You're not going to reach a 100% phish "resistance" rate. What numbers are you seeing falling for targeted phishing? What resistance levels are you hoping to achieve? We increased our phishing awareness efforts because of a string of phishing attempts over a two month period, one of which had around 25 users fall for the phish. Even with increased efforts, we always see 4-6 victims. That's a very small percentage of our 18K users.

Ben Woelk '07
Co-chair, Awareness and Training Working Group
EDUCAUSE/Internet2 Higher Education Information Security Council
Policy and Awareness Analyst
Information Security Office
Rochester Institute of Technology
Ross 10-A204
151 Lomb Memorial Drive
Rochester, New York 14623
585.475.4122
585.475.7920 fax
ben.woelk () rit edu
http://security.rit.edu/dsd.html
Become a fan of RIT Information Security at http://rit.facebook.com/profile.php?id=6017464645
Follow us on Twitter: http://twitter.com/RIT_InfoSec
Follow my Infosec Communicator blog at http://benwoelk.wordpress.com

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Davis, Thomas R
Sent: Friday, June 11, 2010 8:10 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] attempts sending fake phishing messages to students and/or employees

On Jun 10, 2010, at 9:21 AM, Dave Kovarik wrote:
With one exception, I have yet to have top level management agree in practice that phishing one's own community was a good idea.
Agreed. I can understand the "research" benefits of conducting fake phishing. However, on the "operational" side of the house, the benefits are minimal and the political fallout great. The real question is, even if you do conduct a fake phishing run against your users, what will you do with the results? Do better awareness training? If so, why not focus on the awareness training instead of fake phishing? Based on real phishing success rates, I'm pretty certain the fake phishing run will be successful too. So, why do it? There *might* be a couple of legitimate reasons, but none IMHO outweigh the damaged goodwill that others have mentioned.

--
Tom Davis, CISSP, CISM
Chief Security Officer
Public Safety and Institutional Assurance
Indiana University
https://informationsecurity.iu.edu/Tom_Davis
Current thread:
- Re: attempts sending fake phishing messages to students and/or employees Sam Hooker (Jun 09)
- Re: attempts sending fake phishing messages to students and/or employees Eric Case (Jun 09)
- Re: attempts sending fake phishing messages to students and/or employees Jesse Thompson (Jun 11)
- Re: attempts sending fake phishing messages to students and/or employees Andrew Daviel (Jun 25)
- SSH password capture Andrew Daviel (Jun 25)
- Re: SSH password capture Yonesy F. Nunez (Jun 28)
- Re: attempts sending fake phishing messages to students and/or employees Dave Kovarik (Jun 10)
- Re: attempts sending fake phishing messages to students and/or employees Davis, Thomas R (Jun 11)
- Re: attempts sending fake phishing messages to students and/or employees Ben Woelk (Jun 11)
- Re: attempts sending fake phishing messages to students and/or employees Sam Hooker (Jun 14)
- Re: attempts sending fake phishing messages to students and/or employees Davis, Thomas R (Jun 11)
- Re: attempts sending fake phishing messages to students and/or employees Eric Case (Jun 09)