Educause Security Discussion mailing list archives

Re: [External] Re: [SECURITY] Initial Phishing Simulation - Do you tell them first?


From: "Gregg, Christopher S." <csgregg () STTHOMAS EDU>
Date: Thu, 13 Jun 2019 15:12:21 +0000

We started down the path of phish testing, and then dropped it in favor of working on more pressing/effective 
activities such as our campus-wide MFA solution and creating a process for users to report real phishing or suspicious 
messages.  In our initial phish testing though we definitely alerted the targeted groups and ramped up the tests as we 
went.  Test 1 was an easy one to spot and we told them exactly when it was coming.  Test 2 was a little trickier and 
they knew it was coming within a small timeframe.  Test 3 was trickier yet, and they just knew it was coming at some 
point in the current month.

I think it comes down to your end goals.  Not telling your users will give you a more accurate and scientific baseline 
to possibly measure how well your awareness program is working.  However if your overall goal is to reduce compromised 
accounts via phishing (and related scams) by educating your community to be effective phishing spotters/hunters, I 
would recommend including the community as fully as possible all along the way.  I don’t think you want to risk 
potentially shaming or angering parts of the community in order to have better comparison data.

In the end we have been able to use data on real phishing attacks and account compromises to show that our various 
methods (awareness efforts + MFA + better response processes + better filtering) seem to be working.

Thanks,

Chris


Chris Gregg
Associate Vice President of Information Security & Risk Management, CISO
Information Technology Services (ITS)
csgregg () stthomas edu<mailto:csgregg () stthomas edu>
p 1 (651) 962-6265
University of St. Thomas | stthomas.edu<https://www.stthomas.edu>




From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Valerie Vogel
Sent: Thursday, June 13, 2019 9:44 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [External] Re: [SECURITY] Initial Phishing Simulation - Do you tell them first?

In addition to Dr. Jessica Barker’s article on positively influencing behavior (thank you for sharing that resource, 
Henk!), I wanted to share this blog by Brad Judy about Phishing Your Users: 
https://er.educause.edu/blogs/2016/4/phishing-your-users. It offers 10 key points to consider when implementing a phishing assessment program.

Thank you,
Valerie

Valerie Vogel
Senior Manager, Cybersecurity Program

EDUCAUSE
Uncommon Thinking for the Common Good
direct: 202.331.5374 | Follow HEISC on LinkedIn <https://www.linkedin.com/showcase/higher-education-information-security-council-heisc-/> | twitter: @HEISCouncil | vvogel () educause edu

From: Security Discussion Group List <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>> on 
behalf of "Sonder, Henk E." <hsonder () RIC EDU<mailto:hsonder () RIC EDU>>
Reply-To: Security Discussion Group List <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>>
Date: Thursday, June 13, 2019 at 5:26 AM
To: Security Discussion Group List <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>>
Subject: Re: [SECURITY] Initial Phishing Simulation - Do you tell them first?

Dave,

Although I cannot speak with authority, as I do not have my own data to back this up, I am a proponent of making an 
announcement in general terms. We are still toying with the idea of phishing simulation as part of an awareness campaign, 
but I would announce (by email) that we will be doing phishing simulations during the upcoming semesters and that all 
or part of the community may be included in these simulations. I would provide them with background information on what 
to look out for in order to identify phishing emails (fake or real).

What is your goal of a simulation and what are your metrics? More so, what is the culture at the Maricopa Community 
Colleges that leads to the outcomes you are looking for? The first simulation will still be your baseline, whether you 
announce or not; it all comes down to defining the metrics you are measuring.

My goal is to raise alertness and awareness. If I tell them they can expect a phishing simulation, they start looking 
for that phishing email. However, that means that they have to inspect every other suspicious email and make a judgement 
of risk. You need the same skills to identify the fake phish that you need to identify the real phish. I prefer the ‘Gamify’ 
approach to the ‘Gotcha!’ one. I would not only measure the number of people clicking on a phishing link, but also the 
number who report the phish.

Before hearing Jessica Barker’s SPC2018 keynote <https://events.educause.edu/special-topic-events/webinar/2018/encore-selections-from-the-educause-security-professionals-conference-2018/agenda/keynote-cybersecurity-awareness-is-dead-long-live-cybersecurity-awareness>
I believed in the ‘surprise simulation’. I no longer believe that is the most effective approach, in particular given 
the openness of a higher education institution. I prefer empowering them (give them the tools to report a phish).

On a side note, when I announce a phishing simulation campaign via email here at Rhode Island College, the 
simulation will still surprise the majority of faculty/staff.

Read Jessica Barker’s The Human Nature of Cybersecurity: 
<https://er.educause.edu/articles/2019/5/the-human-nature-of-cybersecurity>

Like you, I am interested to hear from those who have a number of simulation campaigns under their belt.

Henk E. Sonder
Director Information Security
Rhode Island College
600 Mount Pleasant Ave
Providence, RI 02908
Office: 401-456-9577
Email: hsonder () ric edu<mailto:hsonder () ric edu>




From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of David Eilken
Sent: Wednesday, June 12, 2019 9:52 PM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Initial Phishing Simulation - Do you tell them first?

All,

I have seen some threads on phishing in the past, but have a very specific question. When you started your phishing 
campaign/program, did you notify your staff/faculty that the simulations were coming (and not to worry about 
getting in trouble for failing)?

I know KnowBe4 suggests not informing the population prior to doing a baseline. I've heard some pretty bad horror 
stories about the faculty not being too happy about getting a test phishing email sprung on them out of the blue. I 
personally don't see a huge upside to not letting them know what the broader campaign is about and how it supports the 
infosec program. I would be surprised if it skewed the results much. We already send out notifications when a real 
campaign is active.

Appreciate your input. Hope you're enjoying the summer.


Best,
Dave

--
DAVID EILKEN
MARICOPA COMMUNITY COLLEGES
Information Security Officer | ITS
2411 West 14th Street, Tempe, AZ 85281
david.eilken () domail maricopa edu<mailto:david.eilken () domail maricopa edu>
https://www.maricopa.edu/
O: 480-784-0637
LinkedIn <https://linkedin.com/school/maricopa-community-colleges> | Twitter <https://twitter.com/mcccd> | 
Facebook<https://www.facebook.com/maricopa.edu>

