Educause Security Discussion mailing list archives

Re: Phishing your users


From: Brad Judy <brad.judy () CU EDU>
Date: Wed, 18 Feb 2015 15:16:12 +0000

Take a look at the presentation that Derek Spransy did at SPC on the work we did at Emory: 
http://www.educause.edu/events/security-professionals-conference/phishing-ourselves-raise-awareness

Below is the text of a message I sent in reply to a similar post to this list on 9-5-14

I've written and spoken on this topic several times, and I'll do a quick recap here.  It is absolutely possible to take 
this approach without negative response.  We did it at Emory across tens of thousands of users without problem and 
we're doing a similar process here at U Colorado right now.

Here are some of the key points (overlapping with what others have said) and I will try to rank them in rough order of 
importance in my mind.


*         Such a process is an alternative to traditional awareness that (from my experience) is far more effective.  
We work in higher education and exploring the most effective learning techniques is a core of our business.  As a wise 
person once said: if your behavior hasn't changed, you haven't actually learned anything.  We are engaged in learning 
with the goal of behavioral change.  This process both provides effective learning to that goal and measures to that 
goal.

*         The process *must* be non-punitive.  Falling for a phishing message has no negative impact on one's job and 
no information will be provided to departments that includes specific names or is detailed enough to infer names.  We 
only provided aggregate stats on groups of at least 20 people.  We rejected all requests to provide specific names.

*         The community is fully informed of the process that will occur before it happens.  Someone once asked me 
"aren't you afraid it will skew the results?"  This isn't a research paper, this is learning.  If the heads-up messages 
are enough to prevent someone from responding to phishing, then you've already won.

*         The leadership of the institution (in its various forms from VPs to chancellors to committees) would have a 
chance to hear about the process, ask questions, express concerns and have issues addressed before proceeding.  You can 
call it "management buy-in" if you'd like.

*         The educational landing page (for those who fell for a phish) provides contextual information that is 
actionable.  It cites the items in the specific messages sent out that would be the easiest indicators of a fake email.

*         The process would use content based on real-world phishing of a moderate level.  The goal is not to come up 
with something good enough to fool everyone, the goal is to educate a reasonable person to recognize a typical phish.  
I have said many times that I don't expect anyone to catch an advanced social engineering attack.  Some of the most 
aware people can be fooled by a sophisticated, targeted attack.

*         We would continuously evaluate the process as it went for everything from results towards goal to process 
improvement to community feedback.  If the process did not demonstrate measurable improvement in phishing response 
rates, it would be discontinued.

*         We would analyze the results across demographic data to look for hot-spots that might need additional 
training.  Was there a department, job class, student major, etc. that demonstrated a notably higher than average 
phishing response rate?  Were there other trends to investigate?

*         We worked with the help desks to inform them about the process and monitor their workloads during the message 
runs.  We throttled the sending of messages to ensure that they were not totally overloaded at any one time.

*         Each run used four or more different messages to both provide variety and allow us to test for response rate 
differences between various popular phishing message themes.  We also tested for differences between phishing messages 
that were totally generic (did not mention the institution name at all) and those that contained basic targeting 
(institution mentioned in a couple places).

You can see an SPC presentation from Emory on the effort (including charts about response rates and improvements) here: 
http://www.educause.edu/sites/default/files/library/presentations/SEC12/SESS07/Educause%2BSEC12%2BPhishme%2BPresentation.pptx

At the end of the day, the Emory project demonstrated success at reducing response rates while receiving essentially 
zero negative feedback across quarterly runs with 40,000 users.

Our current work at CU has gone through a sampling process to establish a baseline response rate that will next go 
through some process improvement work and then follow-up phishing awareness work.

Please let me know if you have any specific questions.



From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Fowler, 
Becky Thurmond
Sent: Wednesday, February 18, 2015 7:59 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Phishing your users

We've tossed around the idea of phishing our users (as an awareness/education activity) for the past few years.  I'm 
ready to make another push to upper management to move forward with this project but I was wondering if anyone had any 
war stories (good or bad) to share before I make my pitch.

Thanks!

Becky Thurmond Fowler
Manager, Security Assessments & Incident Response
Division of IT - Information Security & Access Management
University of Missouri-Columbia
becky () missouri edu<mailto:becky () missouri edu>
573.882.5182
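The reporting rules Brad describes above (only aggregate stats, groups of at least 20, hot-spot analysis by department, and comparing generic versus institution-targeted templates) worked through as an added example. This is not the Emory or CU tooling from the thread; the departments, headcounts, template names, click counts and the 1.5x hot-spot threshold are constructed assumptions.

```python
"""Release simulated-phishing results only as aggregates over groups of
at least MIN_GROUP people, and compare generic vs. targeted templates.

Added example, not the Emory or CU tooling described in the thread. It
models the reporting rules from the message: departments only ever see
aggregate rates, a group smaller than MIN_GROUP (20 in the message) is
suppressed so nobody can be identified or inferred from the report, and
the same data is cut by template to measure the effect of basic targeting.
All names and numbers below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass

MIN_GROUP = 20            # smallest group for which a rate is released
HOT_SPOT_FACTOR = 1.5     # assumption: "notably higher" = 1.5x the overall rate


@dataclass(frozen=True)
class Result:
    user_id: str        # opaque id; used for counting only, never reported
    department: str
    template: str       # which phishing message the user received
    targeted: bool      # institution named in the message?
    clicked: bool       # followed the link to the educational landing page


def make_sample():
    """Constructed data: four departments, two templates (targeted/generic).

    spec maps department -> (headcount, targeted clicks, generic clicks).
    Even-numbered users get the targeted template, odd-numbered the generic.
    """
    spec = {
        "Admissions": (40, 10, 6),
        "Library": (60, 4, 2),
        "Facilities": (30, 4, 2),
        "Provost Office": (8, 3, 1),   # below MIN_GROUP: must be suppressed
    }
    results = []
    for dept, (size, t_clicks, g_clicks) in spec.items():
        for i in range(size):
            targeted = i % 2 == 0
            rank = i // 2            # position within the template's cohort
            clicked = rank < (t_clicks if targeted else g_clicks)
            template = "payroll-targeted" if targeted else "payroll-generic"
            results.append(Result(f"{dept}-{i}", dept, template, targeted, clicked))
    return results


def response_rates_by(results, key, min_group=MIN_GROUP):
    """Aggregate click rate per group, releasing only groups >= min_group.

    Returns (released, suppressed_count); released maps group -> {n, clicks, rate}.
    Suppressed groups contribute nothing, not even their headcount, so the
    report cannot be used to infer which individual in a small unit clicked.
    """
    counts = defaultdict(lambda: [0, 0])          # group -> [n, clicks]
    for r in results:
        g = key(r)
        counts[g][0] += 1
        counts[g][1] += r.clicked
    released, suppressed = {}, 0
    for g, (n, clicks) in counts.items():
        if n < min_group:
            suppressed += 1
            continue
        released[g] = {"n": n, "clicks": clicks, "rate": round(clicks / n, 3)}
    return released, suppressed


def overall_rate(results):
    """Institution-wide click rate (the baseline a run is measured against)."""
    return round(sum(r.clicked for r in results) / len(results), 3)


def hot_spots(released, overall, factor=HOT_SPOT_FACTOR):
    """Released groups whose rate is notably above the institution-wide rate."""
    return sorted(g for g, v in released.items() if v["rate"] >= factor * overall)


def targeting_effect(results):
    """Click rate for institution-targeted vs. fully generic messages."""
    released, _ = response_rates_by(results, key=lambda r: r.targeted)
    return {"targeted": released[True]["rate"], "generic": released[False]["rate"]}


if __name__ == "__main__":
    sample = make_sample()
    by_dept, hidden = response_rates_by(sample, key=lambda r: r.department)
    print("overall:", overall_rate(sample))
    for dept, v in sorted(by_dept.items()):
        print(f"{dept:15s} n={v['n']:3d} rate={v['rate']:.3f}")
    print("suppressed groups:", hidden)
    print("hot spots:", hot_spots(by_dept, overall_rate(sample)))
    print("targeting effect:", targeting_effect(sample))
```

The only thing a department ever receives is the `released` dictionary for its own key; the per-user records stay with the team running the exercise, which is what makes the "no names, no inferable names" promise enforceable rather than just stated.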