Educause Security Discussion mailing list archives

Re: Initial Phishing Simulation - Do you tell them first?


From: Scott Stoops <sstoops () ASHLAND EDU>
Date: Thu, 13 Jun 2019 07:50:03 -0400

We chose to not notify our faculty/staff/students when we did a phishing
campaign for the reason that we did not want folks to know. We felt that
knowledge would skew the results. However, we had support from leadership
to do this. On the day of the campaign only a few people at the university
knew the campaign was taking place. We also intentionally did not do the
communications we would do normally. Once a statement was made to the
community it came from the president and not from IT.

There were employees who were not happy with how we handled this. Going
forward we would communicate more about the overall goals of awareness
training and evaluation. I would still take the view that we would not tell
people when the phishing test is being done. My hope is that they would not
fall for the attempt because the awareness training is effective rather
than that they were aware that a test was being performed. If we present
the overall campaign as a training tool then we should be able to reduce
anxiety about being "caught".
--------------------------------------------------------------------------------------------------
Scott Stoops, CISSP
Security Analyst Engineer III
Office of Information Technology | 100 Patterson Technology Center
Ashland, OH 44805
(w) 419-289-5405
sstoops () ashland edu


On Wed, Jun 12, 2019 at 9:51 PM David Eilken <
david.eilken () domail maricopa edu> wrote:

All,

I have seen some threads on phishing in the past, but have a very specific
question. When you started your phishing campaign/ program, did you notify
your staff / faculty that the simulations were coming (and not to worry
about getting in trouble for failing)?

I know KnowBe4 suggests not informing the population prior to doing a
baseline. I've heard some pretty bad horror stories about the faculty not
being too happy about getting a test phishing email sprung on them out of
the blue. I personally don't see a huge upside to not letting them know
what the broader campaign is about and how it supports the infosec program.
I would be surprised if it would skew the results much. We already send
out notifications when a real campaign is active.

Appreciate your input. Hope you're enjoying the summer.


Best,
Dave

--
DAVID EILKEN
MARICOPA COMMUNITY COLLEGES
Information Security Officer | ITS
2411 West 14th Street, Tempe, AZ 85281
david.eilken () domail maricopa edu
https://www.maricopa.edu/
O: 480-784-0637
LinkedIn  <https://linkedin.com/school/maricopa-community-colleges>|
Twitter  <https://twitter.com/mcccd>| Facebook
<https://www.facebook.com/maricopa.edu>