Educause Security Discussion mailing list archives

Re: Faculty Acceptance of Security Awareness Education?


From: Ozzie Paez <ozpaez () SPRYNET COM>
Date: Tue, 1 Dec 2009 09:47:51 -0700

I spoke to the president of one of the leading companies doing
security/phishing testing for banks and other industries, along with some
folks with the FBI.  The answer to your question is that no one really
knows.  Most organizations in the private and many within the public sector
who get phished do not report it; ditto for social engineering and other
attacks.  The issue is more complex than simple statistical response rates.
A good attack scenario will test different populations, from those with
experience, to novices and across organizational domains.  In addition, the
tests need to be on-going in reflecting new phishing styles and trends, so
that you learn the level of susceptibility as conditions change.  Finally,
you need to know what is meant by a successful phishing attack, i.e. some
companies identify that as a user taking any action in response to the
e-mail, while others only count those who go on to actually click on the
link.  I have opened many e-mails that did not seem like phishing going in,
until I saw the entire message.  Then I closed and deleted it.  So, in one
case my actions would have counted me as a victim, while the other would not
have.  With all of the above in mind, the phishing numbers that I have heard,
where the user actually follows through the link are between 3% and 7%, with
7% being well on the high side.

Anyway, the reality is that once the attacks are generally successful within
an important target population, the difference between 5% and 15% is almost
meaningless.  The hackers will not need to exploit everyone who responds.
They only need a few key accounts and they are off to the races.  That is
why it is so critical to define what you need to protect, who your most
critical population is and what are the likely impacts, before implementing
a solution.  Then it comes down to reducing exposure, monitoring and, most
importantly, staying up to date with the evolving scams.  So, in this
context, products that promise a solution generally are only a potential
part of the solution.

Ozzie Paez
SSE/SAIC
303-332-5363
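As an added illustration of the point above (my example, not from any poster in this thread, using constructed numbers rather than real campaign data): the same simulated-phish results yield very different "success" rates depending on whether any response or only following the link counts, and a low overall percentage can still mean that a critical population has a compromised account.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Result:
    """One recipient's outcome in a simulated phishing round."""
    population: str  # organizational segment, e.g. "faculty", "finance"
    action: str      # "ignored", "opened", "clicked" or "submitted"


# Constructed sample data (not real results): counts chosen for illustration.
SAMPLE = (
    [Result("faculty", "ignored")] * 60 + [Result("faculty", "opened")] * 30
    + [Result("faculty", "clicked")] * 7 + [Result("faculty", "submitted")] * 3
    + [Result("students", "ignored")] * 40 + [Result("students", "opened")] * 35
    + [Result("students", "clicked")] * 20 + [Result("students", "submitted")] * 5
    + [Result("finance", "ignored")] * 14 + [Result("finance", "opened")] * 5
    + [Result("finance", "clicked")] * 1
)

# Two definitions of a "successful" phish, as the thread describes them:
# any reaction to the e-mail, versus actually following the link.
DEFINITIONS = {
    "any_action": {"opened", "clicked", "submitted"},
    "followed_link": {"clicked", "submitted"},
}


def susceptibility(results, definition):
    """Return {population: fraction counted as phished} under a definition."""
    hit_actions = DEFINITIONS[definition]
    total = Counter(r.population for r in results)
    hits = Counter(r.population for r in results if r.action in hit_actions)
    return {pop: hits[pop] / total[pop] for pop in total}


def at_risk_accounts(results, definition, critical_population):
    """Number of recipients in the critical population counted as phished.

    Percentages hide this: a single hit among the accounts that matter most
    is what an attacker needs, regardless of the organization-wide rate.
    """
    hit_actions = DEFINITIONS[definition]
    return sum(1 for r in results
               if r.population == critical_population and r.action in hit_actions)


if __name__ == "__main__":
    for name in DEFINITIONS:
        rates = susceptibility(SAMPLE, name)
        print(name, {p: f"{v:.0%}" for p, v in rates.items()})
    print("finance accounts that followed the link:",
          at_risk_accounts(SAMPLE, "followed_link", "finance"))
```

With the constructed data, "any action" puts faculty at 40% while "followed the link" puts them at 10%, and finance shows only 5% yet still contains one account that followed the link.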

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Steve Romig
Sent: Tuesday, December 01, 2009 8:47 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Faculty Acceptance of Security Awareness Education?

On Nov 30, 2009, at 12:07 PM, Matthew Wollenweber wrote:
I'm friends with the phishme guys and the metrics they have are 25%
of people fall for unsophisticated attacks and 75% fall for
sophisticated attacks.

If that's true, then wow.

Does anyone know of any actual studies about response rates to
phishing attacks and effectiveness of training (or for social
engineering attacks in general)?  I've got a friend in the consulting
business who does phishing attacks for the banking industry, and he
claims a 7% pre-training response rate for semi-sophisticated attacks
(some effort made to make the phish look credible - attaching names of
actual bank execs, use the bank's name in the email, no spelling/
grammar mistakes, etc.)

7% is a far cry from even 25%, let alone 75%.  I've heard other
numbers from other people, and I don't have any grounds to disbelieve
any of them (and they could all be true in their own contexts, anyway).

--- Steve
