Educause Security Discussion mailing list archives
Re: Phishing education rollout
From: Brad Judy <brad.judy () CU EDU>
Date: Fri, 5 Sep 2014 14:46:20 +0000
I've written and spoken on this topic several times, and I'll do a quick recap here. It is absolutely possible to take this approach without negative response. We did it at Emory across tens of thousands of users without problem and we're doing a similar process here at U Colorado right now. Here are some of the key points (overlapping with what others have said) and I will try to rank them in rough order of importance in my mind.

* Such a process is an alternative to traditional awareness that (from my experience) is far more effective. We work in higher education and exploring the most effective learning techniques is a core of our business. As a wise person once said: if your behavior hasn't changed, you haven't actually learned anything. We are engaged in learning with the goal of behavioral change. This process both provides effective learning to that goal and measures to that goal.

* The process *must* be non-punitive. Falling for a phishing message has no negative impact on one's job and no information will be provided to departments that includes specific names or is detailed enough to infer names. We only provided aggregate stats on groups of at least 20 people. We rejected all requests to provide specific names.

* The community is fully informed of the process that will occur before it happens. Someone once asked me "aren't you afraid it will skew the results?" This isn't a research paper, this is learning. If the heads-up messages are enough to prevent someone from responding to phishing, then you've already won.

* The leadership of the institution (in its various forms from VPs to chancellors to committees) would have a chance to hear about the process, ask questions, express concerns and have issues addressed before proceeding. You can call it "management buy-in" if you'd like.

* The educational landing page (for those who fell for a phish) provides contextual information that is actionable. It cites the items in the specific messages sent out that would be the easiest indicators of a fake email.

* The process would use content based on real-world phishing of a moderate level. The goal is not to come up with something good enough to fool everyone; the goal is to educate a reasonable person to recognize a typical phish. I have said many times that I don't expect anyone to catch an advanced social engineering attack. Some of the most aware people can be fooled by a sophisticated, targeted attack.

* We would continuously evaluate the process as it went for everything from results towards goal to process improvement to community feedback. If the process did not demonstrate measurable improvement in phishing response rates, it would be discontinued.

* We would analyze the results across demographic data to look for any hot-spots that might need additional training. Was there a department, job class, student major, etc. that demonstrated a notably higher than average phishing response rate? Were there other trends to investigate?

* We worked with the help desks to inform them about the process and monitor their workloads during the message runs. We throttled the sending of messages to ensure that they were not totally overloaded at any one time.

* Each run used four or more different messages to both provide variety and allow us to test for response rate differences between various popular phishing message themes. We also tested for differences between phishing messages that were totally generic (did not mention the institution name at all) and those that contained basic targeting (institution mentioned in a couple of places).

You can see an SPC presentation from Emory on the effort (including charts about response rates and improvements) here: http://www.educause.edu/sites/default/files/library/presentations/SEC12/SESS07/Educause%2BSEC12%2BPhishme%2BPresentation.pptx

At the end of the day, the Emory project demonstrated success at reducing response rates while receiving essentially zero negative feedback across quarterly runs with 40,000 users. Our current work at CU has gone through a sampling process to establish a baseline response rate that will next go through some process improvement work and then follow-up phishing awareness work.

Please let me know if you have any specific questions.

Brad Judy
Director of UIS Security
University Information Systems
University of Colorado
1800 Grant Street, Suite 300
Denver, CO 80203
Office: (303) 860-4293
Fax: (303) 860-4302
www.cu.edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Peter Lundstedt
Sent: Thursday, September 04, 2014 10:19 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Phishing education rollout

To coincide with NCSAM, we are planning on kicking off a 1-year phishing education program. We're partnering with an external company to execute the program and as we prep for the engagement, one thing we keep hearing of is the risk of angering the user base, having faculty go to the dean's council, administration going to their VPs, and just general bad "press". We have support from the top to proceed with the program and will communicate to the target user base, but I'm wondering what others have done for their rollouts, and just ways to ensure success in this area.

Peter Lundstedt | Information Security Analyst
Drake Technology Services (DTS) | Drake University
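An added illustration of the reporting rules Brad describes (aggregate stats only, groups under 20 suppressed, hot-spot search across departments, and a generic-versus-targeted theme comparison). This is example code written for this page, not Emory's or CU's tooling; the record layout and the sample data are constructed.

```python
"""Aggregate simulated-phishing results without exposing individuals.

Added example (not the tooling from the thread). It reports response rates
only for groups of at least MIN_GROUP recipients, as the message describes,
and compares generic messages with ones that name the institution.
"""
from collections import defaultdict

MIN_GROUP = 20  # smallest group for which a rate is ever reported

# Constructed sample data, one record per recipient of one run:
# (department, message theme, institution named?, clicked?)
SAMPLE = (
    [("Finance", "password-reset", True, True)] * 8
    + [("Finance", "password-reset", True, False)] * 14
    + [("Finance", "package-delivery", False, True)] * 3
    + [("Finance", "package-delivery", False, False)] * 17
    + [("Registrar", "password-reset", True, True)] * 10
    + [("Registrar", "password-reset", True, False)] * 12
    + [("Library", "package-delivery", False, True)] * 2
    + [("Library", "package-delivery", False, False)] * 9
)


def rate_by(records, key):
    """Response rate per group; groups below MIN_GROUP are reported as None
    so that a small department can never be reduced to named individuals."""
    hits, total = defaultdict(int), defaultdict(int)
    for rec in records:
        k = key(rec)
        total[k] += 1
        hits[k] += int(rec[3])
    return {k: (round(hits[k] / total[k], 3) if total[k] >= MIN_GROUP else None)
            for k in total}


def department_rates(records=SAMPLE):
    return rate_by(records, lambda r: r[0])


def targeting_rates(records=SAMPLE):
    """Generic messages versus ones with basic institution targeting."""
    return rate_by(records, lambda r: "targeted" if r[2] else "generic")


def hot_spots(records=SAMPLE, margin=0.05):
    """Reportable departments whose rate exceeds the overall rate by `margin`."""
    overall = sum(int(r[3]) for r in records) / len(records)
    return sorted(d for d, rate in department_rates(records).items()
                  if rate is not None and rate > overall + margin)
```

With the constructed sample, the Library group (11 recipients) is suppressed, Registrar shows up as a hot-spot, and the targeted theme draws a noticeably higher response than the generic one.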