Educause Security Discussion mailing list archives
Re: Faculty Acceptance of Security Awareness Education?
From: Ozzie Paez <ozpaez () SPRYNET COM>
Date: Tue, 1 Dec 2009 09:47:51 -0700
I spoke to the president of one of the leading companies doing security/phishing testing for banks and other industries, along with some folks with the FBI. The answer to your question is that no one really knows. Most organizations in the private and many within the public sector who get phished do not report it; ditto for social engineering and other attacks. The issue is more complex than simple statistical response rates. A good attack scenario will test different populations, from those with experience, to novices and across organizational domains. In addition, the tests need to be ongoing in reflecting new phishing styles and trends, so that you learn the level of susceptibility as conditions change. Finally, you need to know what is meant by a successful phishing attack, i.e. some companies identify that as a user taking any action in response to the e-mail, while others only count those who go on to actually click on the link. I have opened many e-mails that did not seem like phishing going in, until I saw the entire message. Then I closed and deleted it. So, in one case my actions would have counted me as a victim, while the other would not have. With all of the above in mind, the phishing numbers that I have heard, where the user actually follows through the link, are between 3% and 7%, with 7% being well on the high side. Anyway, the reality is that once the attacks are generally successful within an important target population, the difference between 5% and 15% is almost meaningless. The hackers will not need to exploit everyone who responds. They only need a few key accounts and they are off to the races. That is why it is so critical to define what you need to protect, who your most critical population is and what are the likely impacts, before implementing a solution. Then it comes down to reducing exposure, monitoring and, most importantly, staying up to date with the evolving scams.
So, in this context, products that promise a solution generally are only a potential part of the solution.

Ozzie Paez
SSE/SAIC
303-332-5363

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Steve Romig
Sent: Tuesday, December 01, 2009 8:47 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Faculty Acceptance of Security Awareness Education?

On Nov 30, 2009, at 12:07 PM, Matthew Wollenweber wrote:
I'm friends with the phishme guys and the metrics they have are 25% of people fall for unsophisticated attacks and 75% fall for sophisticated attacks.
If that's true, then wow. Does anyone know of any actual studies about response rates to phishing attacks and effectiveness of training (or for social engineering attacks in general)? I've got a friend in the consulting business who does phishing attacks for the banking industry, and he claims a 7% pre-training response rate for semi-sophisticated attacks (some effort made to make the phish look credible - attaching names of actual bank execs, using the bank's name in the email, no spelling/grammar mistakes, etc.). 7% is a far cry from even 25%, let alone 75%. I've heard other numbers from other people, and I don't have any grounds to disbelieve any of them (and they could all be true in their own contexts, anyway).

--- Steve