Educause Security Discussion mailing list archives

Re: Phishing and Security Awareness Training - Faculty


From: "Sburlea, Stefan" <sburlea () CHAPMAN EDU>
Date: Wed, 13 Apr 2016 17:36:25 +0000

Great! Thank you, I keep hearing that communication to Management first and end users second is essential to the 
program.



Best Regards,

Stefan Sburlea

Chapman University, IS&T
Information Security Specialist
sburlea () chapman edu
Desk Phone: 714-744-7802
Chapman University | One University Drive | Orange, California 92866
UNIVERSITY STAFF WILL NEVER ASK FOR YOUR PASSWORD - DO NOT SHARE YOUR PASSWORD WITH OTHERS!

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Burke, 
Ian R.
Sent: Wednesday, April 13, 2016 10:33 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Phishing and Security Awareness Training - Faculty

Hello Stefan,
Here at Middlebury we also ran a small pilot for what we termed proactive phishing. We were very upfront 
about what we were doing and had very strong feedback. We actually had people asking to be a part of the program. 
Unfortunately, we did not have any more seats in our pilot.

Our communication plan included notification to participant managers as well as to all participants. We also included 
status updates to all participants and institutional management on a monthly basis. I think this went a long way to 
winning and sustaining our support for the program. Our population included a small group of students and they were 
very vocal about running a larger program inclusive of students. A larger project is not on the books just yet but we 
may look into it down the road.

Ian

Ian Burke
Information Security Administrator
Information Security - ITS
http://go.middlebury.edu/infosec
Middlebury College

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Melanie 
Lever
Sent: Wednesday, April 13, 2016 12:32 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Phishing and Security Awareness Training - Faculty

Hi Stefan,

We began our phishing campaign in late February and our initial campaign consisted of 1/3 of our faculty/staff.  
Surprisingly we actually received more positive feedback than negative.  We did have a couple of disgruntled users, but 
overall it went well.

I would definitely recommend beginning communications of your plan early on to receive buy-in from Administration.  We 
are using Wombat and if you would like to reach out to me for more specific details, please feel free.  I will be 
rolling out the second campaign next month.

Melanie Lever
Information Security Compliance Analyst
University of Nevada, Reno
775.682.5097

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Sburlea, 
Stefan
Sent: Tuesday, April 12, 2016 5:03 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Phishing and Security Awareness Training - Faculty

Hello Valerie,

Thank you for the resources. Very useful indeed.
I was hoping my peers could share their experiences in practice with how the staff and faculty population received or 
perceived the training.
Also which vendor was used would be useful info.

I am trying to find the list of vendors that will be presenting at Educause Seattle and I had little success.
Are you aware of such a list? (We are trying to connect with them before Educause.)


Best Regards,

Stefan Sburlea

Chapman University, IS&T
Information Security Specialist
sburlea () chapman edu
Desk Phone: 714-744-7802
Chapman University | One University Drive | Orange, California 92866
UNIVERSITY STAFF WILL NEVER ASK FOR YOUR PASSWORD - DO NOT SHARE YOUR PASSWORD WITH OTHERS!

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Valerie 
Vogel
Sent: Tuesday, April 12, 2016 4:38 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Phishing and Security Awareness Training - Faculty

Hi Stefan,

Your question is very timely.

The HEISC Awareness & Training working group just published a short paper on phishing simulation campaigns:
https://library.educause.edu/resources/2016/4/phishing-simulation-programs

In addition to Brad Judy's guest blog that you mention below, we will soon be publishing a guest blog from Eastern 
Michigan about their phishing efforts. (Likely available in ~2 weeks.)

We also have another guest blog on phishing (http://er.educause.edu/blogs/2016/3/april-dont-get-hooked) that is part 
of our 2016 Campus Security Awareness Campaign (http://www.educause.edu/securityawareness).

If you will be at the 2016 Security Professionals Conference in Seattle next week, there will be several opportunities 
to discuss phishing with your peers: a BOF session on Monday, April 18 (8-10 pm), a lunchtime roundtable on Tuesday, 
April 19 (12-1:30 pm), and several sessions on Tuesday with a focus on awareness and training.

I hope you find these resources useful as you continue this discussion with the community.

Kind regards,
Valerie

Valerie Vogel Program Manager

EDUCAUSE
Uncommon Thinking for the Common Good
direct: 202.331.5374 | main: 202.872.4200 | twitter: @HEISCouncil | educause.edu

From: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of "Sburlea, Stefan" <sburlea () CHAPMAN EDU>
Reply-To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Tuesday, April 12, 2016 at 4:09 PM
To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Phishing and Security Awareness Training - Faculty

Hello,

We are looking at starting a phishing/security awareness training.
We are considering something like Wombat Security or GoPhish.

Did you do something similar at your university and if yes, did you receive any negative feedback from your staff and 
faculty?
What solution/vendor did you use?

Searching through Educause archives, I found this great 10 point implementation checklist/guide: 
http://er.educause.edu/blogs/2016/4/phishing-your-users

Any insight is greatly appreciated.


Thank you,

Stefan Sburlea

Chapman University, IS&T
Information Security Specialist
sburlea () chapman edu
Desk Phone: 714-744-7802
Chapman University | One University Drive | Orange, California 92866
UNIVERSITY STAFF WILL NEVER ASK FOR YOUR PASSWORD - DO NOT SHARE YOUR PASSWORD WITH OTHERS!

