Educause Security Discussion mailing list archives

Re: Phishing education rollout


From: Brad Judy <brad.judy () CU EDU>
Date: Fri, 5 Sep 2014 14:46:20 +0000

I've written and spoken on this topic several times, and I'll do a quick recap here.  It is absolutely possible to take 
this approach without negative response.  We did it at Emory across tens of thousands of users without problem and 
we're doing a similar process here at U Colorado right now.

Here are some of the key points (overlapping with what others have said) and I will try to rank them in rough order of 
importance in my mind.


*         Such a process is an alternative to traditional awareness that (from my experience) is far more effective.  
We work in higher education and exploring the most effective learning techniques is a core of our business.  As a wise 
person once said: if your behavior hasn't changed, you haven't actually learned anything.  We are engaged in learning 
with the goal of behavioral change.  This process both provides effective learning to that goal and measures to that 
goal.

*         The process *must* be non-punitive.  Falling for a phishing message has no negative impact on one's job and 
no information will be provided to departments that includes specific names or is detailed enough to infer names.  We 
only provided aggregate stats on groups of at least 20 people.  We rejected all requests to provide specific names.

*         The community is fully informed of the process that will occur before it happens.  Someone once asked me 
"aren't you afraid it will skew the results?"  This isn't a research paper, this is learning.  If the heads-up messages 
are enough to prevent someone from responding to phishing, then you've already won.

*         The leadership of the institution (in its various forms from VPs to chancellors to committees) would have a 
chance to hear about the process, ask questions, express concerns and have issues addressed before proceeding.  You can 
call it "management buy-in" if you'd like.

*         The educational landing page (for those who fell for a phish) provides contextual information that is 
actionable.  It cites the items in the specific messages sent out that would be the easiest indicators of a fake email.

*         The process would use content based on real-world phishing of a moderate level.  The goal is not to come up 
with something good enough to fool everyone, the goal is to educate a reasonable person to recognize a typical phish.  
I have said many times that I don't expect anyone to catch an advanced social engineering attack.  Some of the most 
aware people can be fooled by a sophisticated, targeted attack.

*         We would continuously evaluate the process as it went for everything from results towards goal to process 
improvement to community feedback.  If the process did not demonstrate measurable improvement in phishing response 
rates, it would be discontinued.

*         We would analyze the results across demographic data to look for any hot-spots that might need additional 
training.  Was there a department, job class, student major, etc. that demonstrated a notably higher than average 
phishing response rate?  Were there other trends to investigate?

*         We worked with the help desks to inform them about the process and monitor their workloads during the message 
runs.  We throttled the sending of messages to ensure that they were not totally overloaded at any one time.

*         Each run used four or more different messages to both provide variety and allow us to test for response rate 
differences between various popular phishing message themes.  We also tested for differences between phishing messages 
that were totally generic (did not mention the institution name at all) and those that contained basic targeting 
(institution mentioned in a couple places).

You can see an SPC presentation from Emory on the effort (including charts about response rates and improvements) here: 
http://www.educause.edu/sites/default/files/library/presentations/SEC12/SESS07/Educause%2BSEC12%2BPhishme%2BPresentation.pptx

At the end of the day, the Emory project demonstrated success at reducing response rates while receiving essentially 
zero negative feedback across quarterly runs with 40,000 users.

Our current work at CU has gone through a sampling process to establish a baseline response rate that will next go 
through some process improvement work and then follow-up phishing awareness work.

Please let me know if you have any specific questions.

Brad Judy

Director of UIS Security
University Information Systems
University of Colorado
1800 Grant Street, Suite 300
Denver, CO  80203
Office: (303) 860-4293
Fax: (303) 860-4302
www.cu.edu



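The reporting rules Brad describes above (aggregate-only statistics with a minimum group size, hot-spot checks across departments, and a decision on whether a drop in response rate is actually measurable) in code, as an added example that is not part of the original post and not Emory's or CU's tooling. The department names and counts are constructed sample data; treating the 20-person minimum as a suppression rule that folds small groups into an "other" bucket, the 1.5x hot-spot factor, and the one-sided two-proportion z-test for run-to-run improvement are this example's own assumptions.

```python
"""Phishing-awareness reporting helpers (added example, not from the original post).

- summarize_by_group: per-group counts and rates, never reporting a group
  smaller than MIN_GROUP_SIZE (small groups are folded into "other", and
  "other" itself is dropped if it is still too small).
- hot_spots: groups whose response rate is notably above the reported average.
- rate_drop_test: one-sided two-proportion z-test that the response rate fell
  between two runs, so "measurable improvement" is not judged by eye.
"""
from collections import defaultdict
from math import erf, sqrt

MIN_GROUP_SIZE = 20   # assumed threshold, mirroring the "at least 20 people" rule
HOT_SPOT_FACTOR = 1.5  # assumed: a group is a hot-spot at >= 1.5x the reported average


def constructed_run(spec):
    """Build constructed (group, responded) records from (group, n, responded) triples.
    No names are carried: the records already hold only what the report may reveal."""
    records = []
    for group, n, responded in spec:
        records.extend((group, i < responded) for i in range(n))
    return records


def totals(records):
    """Return (recipients, responders) for a whole run."""
    n = len(records)
    return n, sum(1 for _, r in records if r)


def summarize_by_group(records, min_group_size=MIN_GROUP_SIZE):
    """Return {group: (n, responders, rate)} for groups of at least min_group_size.
    Smaller groups are merged into "other"; if even "other" is too small it is suppressed."""
    counts = defaultdict(lambda: [0, 0])
    for group, responded in records:
        counts[group][0] += 1
        counts[group][1] += int(responded)
    report, other_n, other_r = {}, 0, 0
    for group, (n, r) in counts.items():
        if n >= min_group_size:
            report[group] = (n, r, r / n)
        else:
            other_n, other_r = other_n + n, other_r + r
    if other_n >= min_group_size:
        report["other"] = (other_n, other_r, other_r / other_n)
    return report


def hot_spots(report, factor=HOT_SPOT_FACTOR):
    """Groups (excluding the merged "other" bucket) whose rate is >= factor * reported average."""
    total_n = sum(n for n, _, _ in report.values())
    total_r = sum(r for _, r, _ in report.values())
    if total_n == 0:
        return []
    avg = total_r / total_n
    return sorted(g for g, (_, _, rate) in report.items() if g != "other" and rate >= factor * avg)


def _normal_cdf(z):
    return 0.5 * (1.0 + erf(z / sqrt(2.0)))


def rate_drop_test(n1, r1, n2, r2):
    """One-sided two-proportion z-test. H0: rate2 >= rate1, H1: rate2 < rate1.
    Returns (z, p_value); a small p means the later run really responded less."""
    p1, p2 = r1 / n1, r2 / n2
    pooled = (r1 + r2) / (n1 + n2)
    se = sqrt(pooled * (1.0 - pooled) * (1.0 / n1 + 1.0 / n2))
    if se == 0.0:
        return 0.0, 1.0
    z = (p2 - p1) / se
    return z, _normal_cdf(z)


# Constructed quarterly runs: Nursing (15 people) is below the threshold and must never appear.
RUN_Q1 = constructed_run([("Finance", 120, 30), ("Library", 80, 12),
                          ("Nursing", 15, 9), ("Registrar", 45, 20)])
RUN_Q2 = constructed_run([("Finance", 120, 18), ("Library", 80, 8),
                          ("Nursing", 15, 4), ("Registrar", 45, 6)])

if __name__ == "__main__":
    for label, run in (("Q1", RUN_Q1), ("Q2", RUN_Q2)):
        print(label, summarize_by_group(run), "hot-spots:", hot_spots(summarize_by_group(run)))
    z, p = rate_drop_test(*totals(RUN_Q1), *totals(RUN_Q2))
    print(f"Q1 -> Q2 drop: z={z:.2f}, p={p:.4f}")
```

The "other" bucket keeps small departments out of the report without silently losing their responders from the totals; if a single small group is the only one below the threshold, the bucket itself is dropped so its rate cannot be read back to that group.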

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Peter 
Lundstedt
Sent: Thursday, September 04, 2014 10:19 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Phishing education rollout

To coincide with NCSAM, we are planning on kicking off a 1-year phishing education program.  We're partnering with an 
external company to execute the program and as we prep for the engagement, one thing we keep hearing of is the risk of 
angering the user base, having faculty go to the dean's council, administration going to their VPs, and just general 
bad "press".

We have support from the top to proceed with the program and will communicate to the target user base, but I'm 
wondering what others have done for their rollouts, and just ways to ensure success in this area.

Peter Lundstedt | Information Security Analyst
Drake Technology Services (DTS) | Drake University

