Educause Security Discussion mailing list archives

Re: Faculty Acceptance of Security Awareness Education?


From: Matthew Wollenweber <mjw () CYBERWART COM>
Date: Tue, 1 Dec 2009 12:29:02 -0500

While I was doing pen testing, our phishing service tended to have a 40-60%
success rate for unsophisticated targeted attacks. When we were allowed to
be very sophisticated, the numbers were incredible. In most cases we had
callbacks into the network within 5 minutes. I can't recall ever not getting
in. I also can't recall security being able to entirely block us from the
network once we were in.

The most relevant paper is the one featured in this Ars article:
http://arstechnica.com/security/news/2008/09/study-confirms-users-are-idiots.ars

These papers don't have the exact metrics I might want, but they're worth
reading:
http://www.ceas.cc/2007/papers/paper-34.pdf
http://www.antiphishing.org/reports/apwg_report_h1_2009.pdf

On Tue, Dec 1, 2009 at 10:46 AM, Steve Romig <romig.1 () osu edu> wrote:

On Nov 30, 2009, at 12:07 PM, Matthew Wollenweber wrote:

I'm friends with the phishme guys and the metrics they have are 25% of
people fall for unsophisticated attacks and 75% fall for sophisticated
attacks.


If that's true, then wow.

Does anyone know of any actual studies about response rates to phishing
attacks and effectiveness of training (or for social engineering attacks in
general)?  I've got a friend in the consulting business who does phishing
attacks for the banking industry, and he claims a 7% pre-training response
rate for semi-sophisticated attacks (some effort made to make the phish look
credible - attaching names of actual bank execs, use the bank's name in the
email, no spelling/grammar mistakes, etc.)

7% is a far cry from even 25%, let alone 75%.  I've heard other numbers
from other people, and I don't have any grounds to disbelieve any of them
(and they could all be true in their own contexts, anyway).

--- Steve




--
Matthew Wollenweber
mjw () cyberwart com
240-753-0281
