Educause Security Discussion mailing list archives

Re: SECURITY Digest - 3 Sep 2014 to 4 Sep 2014 (#2014-144)


From: Ben Woelk <fbwis () RIT EDU>
Date: Fri, 5 Sep 2014 13:35:59 +0000

We are piloting phishing with about 55 users before enlarging our scope. You may want to start with a small group.
Are you going to let “participants” know that phishing will be conducted?

Carnegie Mellon has been doing internal phishing for a while. You might want to reach out to Wiam Younes. (She’s on 
this list.)


Ben Woelk '07
Private Information Management Initiative Project Manager
ISO Program Manager
Information Security Office
Rochester Institute of Technology
ROS 10-A204
151 Lomb Memorial Drive
Rochester, New York 14623
585.475.4122
585.475.7920 fax
ben.woelk () rit edu
http://www.rit.edu/security/

Become a fan of RIT Information Security at 
http://rit.facebook.com/RITInfosec<http://rit.facebook.com/profile.php?id=6017464645>

Follow us on Twitter: http://twitter.com/RIT_InfoSec




From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of John Forker
Sent: Friday, September 05, 2014 9:15 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] SECURITY Digest - 3 Sep 2014 to 4 Sep 2014 (#2014-144)

Peter,
We have sent simulated phishing messages to 6000 employees and I have reported results to a board committee.  You will 
undoubtedly receive a lot of hate mail and arguments why this is the wrong approach.  If you stand tall that it is the 
right thing to do and you have support from the top, the VPs and other groups shouldn't cause issues. If you want to 
know more about our approach and results, feel free to contact me directly.
John
------------------
John Forker
Chief Information Security Officer
University of Maine System
(207) 973-3293

Date:    Thu, 4 Sep 2014 16:19:07 +0000
From:    Peter Lundstedt <peter.lundstedt () DRAKE EDU>
Subject: Phishing education rollout

To coincide with NCSAM, we are planning on kicking off a 1-year phishing education program.  We're partnering with an
external company to execute the program and as we prep for the engagement, one thing we keep hearing of is the risk of
angering the user base, having faculty go to the dean's council, administration going to their VPs, and just general
bad "press".

We have support from the top to proceed with the program and will communicate to the target user base, but I'm
wondering what others have done for their rollouts, and just ways to ensure success in this area.

Peter Lundstedt | Information Security Analyst
Drake Technology Services (DTS) | Drake University

