Educause Security Discussion mailing list archives

Re: Initial Phishing Simulation - Do you tell them first?


From: Brian Basgen <brian_basgen () EMERSON EDU>
Date: Thu, 13 Jun 2019 09:45:03 -0400

 One way to consider the question is from the perspective of ethics.
Examples of ethical frameworks that could justify hiding a phishing
campaign are Mohism or Utilitarianism. Mohist and utilitarian ethics tend to
be favored by centralized authorities because (generally) the authority
itself is the basis for the ethical justification (the ends justify the
means is one example of consequentialist thinking).

 By contrast, I think it is fair to say that other ethical philosophies
would more likely justify disclosure (e.g. ethics based on virtue or ethics
based on the act itself). The ethics of these paths tend to focus more on
the individual, whether their individual rights or their duty to the
whole. Hopefully this is helpful, but I suggest consulting your local
campus philosopher for a much better discussion of the subject! Personally,
I'm quite biased. For example, I love Hegel's critique of means and ends.
For me, that is a deconstruction of consequentialist ethical systems that is
enough to hang my hat on!

 I've been a part of phishing campaigns at three institutions, and at all
three we told people in advance. At Emerson we were able to achieve a
really great approach: our faculty technology committee supported the
campaign and informed faculty assembly about it in advance. Ethical
questions notwithstanding, I'm not speaking to the efficacy of the
approach, which, while intertwined, I think is a subject unto itself! :)

--------------
*Brian Basgen* (he, him, his <https://www.mypronouns.org>)
Associate Vice President, Information Technology
20 Park Plaza Building
Emerson College | 120 Boylston Street | Boston, MA 02116
IT Helpdesk <http://it.emerson.edu/> | @EmersonIT
<https://twitter.com/EmersonIT>

On Thu, Jun 13, 2019 at 8:49 AM Hart, Michael <mhart20 () msudenver edu> wrote:

I agree with not making this punitive. I'd focus on gentle suggestions
for our staff and faculty that fall for an internal phish. More of a
"Whoops" than a "Gotcha!"

I have also contemplated providing some prizes for the first to report
messages from these campaigns. If we did a Starbucks-themed phish, we
could provide $5 Starbucks gift cards to the first handful of people who
report them to the correct resource on campus.

*From:* The EDUCAUSE Security Community Group Listserv <
SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of *Neal O'Farrell
*Sent:* Thursday, June 13, 2019 6:41 AM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: [SECURITY] Initial Phishing Simulation - Do you tell them
first?

I don't come from a university background but have developed many phishing
campaigns over the years.

My preference has always been to make all employees aware in advance that
phishing is being phased in as part of an overall awareness improvement
campaign or culture.

Then start the campaign a couple of weeks after that communication - and
there may have to be a couple of communications first. I find that two
weeks is usually enough time for most employees to forget that a phish test
is on the way, but then remember, when reminded, that they were told it was
coming. A happy medium that doesn't impact baseline testing.

Most humans, especially at work, don't like to feel they've been tricked
or duped, made a simple mistake, made to look foolish etc. When employees
get angry that they're being unfairly (in their minds) tested, it hurts the
entire goal of a culture of vigilance.

Neal.

Neal O'Farrell

Schooled In Security

www.schooledinsecurity.org

neal () schooledinsecurity org

(925) 914 0248 (EST)

Security is fundamentally a battle of body parts - between the brain and
the index finger. For the enemy to lose, the brain must win.

On Wed, Jun 12, 2019 at 9:51 PM David Eilken <
david.eilken () domail maricopa edu> wrote:

All,

I have seen some threads on phishing in the past, but have a very specific
question. When you started your phishing campaign/program, did you notify
your staff/faculty that the simulations were coming (and not to worry
about getting in trouble for failing)?

I know KnowBe4 suggests not informing the population prior to doing a
baseline. I've heard some pretty bad horror stories about the faculty not
being too happy about getting a test phishing email sprung on them out of
the blue. I personally don't see a huge upside to not letting them know
what the broader campaign is about and how it supports the infosec program.
I would be surprised if it would skew the results much. We already send
out notifications when a real campaign is active.

Appreciate your input. Hope you're enjoying the summer.

Best,

Dave

--

*DAVID EILKEN*

*MARICOPA COMMUNITY COLLEGES*

Information Security Officer | ITS

2411 West 14th Street, Tempe, AZ 85281

david.eilken () domail maricopa edu

https://www.maricopa.edu/

O: 480-784-0637

LinkedIn <https://linkedin.com/school/maricopa-community-colleges>
| Twitter <https://twitter.com/mcccd>
| Facebook <https://www.facebook.com/maricopa.edu>