Educause Security Discussion mailing list archives

Re: Initial Phishing Simulation - Do you tell them first?


From: Valerie Vogel <vvogel () EDUCAUSE EDU>
Date: Thu, 13 Jun 2019 14:44:12 +0000

In addition to Dr. Jessica Barker’s article on positively influencing behavior (thank you for sharing that resource, 
Henk!), I wanted to share this blog by Brad Judy about Phishing Your Users: 
https://er.educause.edu/blogs/2016/4/phishing-your-users. It offers 10 key points to consider when implementing a 
phishing assessment program.

Thank you,
Valerie

Valerie Vogel
Senior Manager, Cybersecurity Program

EDUCAUSE
Uncommon Thinking for the Common Good
direct: 202.331.5374 | Follow HEISC on 
LinkedIn<https://www.linkedin.com/showcase/higher-education-information-security-council-heisc-/> | twitter: 
@HEISCouncil | vvogel () educause edu<mailto:vvogel () educause edu>

From: Security Discussion Group List <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of "Sonder, Henk E." <hsonder () RIC EDU>
Reply-To: Security Discussion Group List <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Thursday, June 13, 2019 at 5:26 AM
To: Security Discussion Group List <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Initial Phishing Simulation - Do you tell them first?

Dave,

Although I cannot speak with authority, as I do not have my own data to back this up, I am a proponent of making an 
announcement in general terms. We are still toying with the idea of phishing simulation as part of an awareness campaign, 
but I would announce (by email) that we will be doing phishing simulations during the upcoming semesters and that all 
or part of the community may be included in these simulations. I would provide them with background information on what 
to look out for in order to identify phishing emails (fake or real).

What is your goal for a simulation and what are your metrics? More so, what is the culture at the Maricopa Community 
Colleges that leads to the outcomes you are looking for? The first simulation will still be your baseline, whether you 
announce or not; it all comes down to defining the metrics you are measuring.

My goal is to raise alertness and awareness. If I tell them they can expect a phishing simulation, they start looking 
for that phishing email. However, that means that they have to inspect every other suspicious email and make a judgement 
of risk. You need the same skills to identify the fake phish that you need to identify the real phish. I prefer the ‘Gamify’ 
approach to the ‘Gotcha!’ one. I would not only measure the number of people clicking on a phishing link, but also the 
number who report the phish.

Before hearing Jessica Barker’s SPC2018 
keynote<https://events.educause.edu/special-topic-events/webinar/2018/encore-selections-from-the-educause-security-professionals-conference-2018/agenda/keynote-cybersecurity-awareness-is-dead-long-live-cybersecurity-awareness>
 I believed in the ‘surprise simulation’. I no longer believe that is the most effective approach, in particular given 
the openness of a higher education institution. I prefer empowering them (give them the tools to report a phish).

On a side note, when I announce a phishing simulation campaign via email here at Rhode Island College, the 
simulation will still surprise the majority of faculty/staff.

Read Jessica Barker's The Human Nature of Cybersecurity 
<https://er.educause.edu/articles/2019/5/the-human-nature-of-cybersecurity>

Like you, I am interested to hear from those who have a number of simulation campaigns under their belt.

Henk E. Sonder
Director Information Security
Rhode Island College
600 Mount Pleasant Ave
Providence, RI 02908
Office: 401-456-9577
Email: hsonder () ric edu<mailto:hsonder () ric edu>

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of David Eilken
Sent: Wednesday, June 12, 2019 9:52 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Initial Phishing Simulation - Do you tell them first?

All,

I have seen some threads on phishing in the past, but have a very specific question. When you started your phishing 
campaign/program, did you notify your staff/faculty that the simulations were coming (and not to worry about 
getting in trouble for failing)?

I know KnowBe4 suggests not informing the population prior to doing a baseline. I've heard some pretty bad horror 
stories about the faculty not being too happy about getting a test phishing email sprung on them out of the blue. I 
personally don't see a huge upside to not letting them know what the broader campaign is about and how it supports the 
infosec program. I would be surprised if it skewed the results much. We already send out notifications when a real 
campaign is active.

Appreciate your input. Hope you're enjoying the summer.


Best,
Dave

--
DAVID EILKEN
MARICOPA COMMUNITY COLLEGES
Information Security Officer | ITS
2411 West 14th Street, Tempe, AZ 85281
david.eilken () domail maricopa edu<mailto:david.eilken () domail maricopa edu>
https://www.maricopa.edu/
O: 480-784-0637
LinkedIn <https://linkedin.com/school/maricopa-community-colleges> | Twitter <https://twitter.com/mcccd> | Facebook <https://www.facebook.com/maricopa.edu>