Educause Security Discussion mailing list archives
Re: Initial Phishing Simulation - Do you tell them first?
From: Dave Broucek <dbroucek () HARPERCOLLEGE EDU>
Date: Thu, 13 Jun 2019 15:27:55 +0000
We had provided awareness that a phishing simulation would occur over a period of time, but not when each area or group was going to receive the phishing simulation email. I had a presentation available explaining why we were conducting the live phishing simulation. I did find that the initial awareness of a live phishing simulation did help bring initial awareness for the prospect of phishing emails in general and helped to provide some strategies for detection.

As our live phishing simulation was in progress, or completed for an area, I reached out to as many people in the area to gather information about how they handled the phishing email and their thoughts on the simulation. I was looking at it in terms of “looks bad, do not open”, “looks bad, do not open and let other people know”; along with reporting the phishing email. I communicated with most everyone who did click on the link to get a sense of why they did it and what actions they took afterwards. Also, those that clicked received a brief video session and quiz. Few people refused to complete the follow-up session or not admit that they clicked on the link.

Ultimately, I believe that providing the initial awareness got people to look out for the phishing simulation email and become a bit more critical. The reinforcement after a group’s simulation completed did bring out questions on how to further detect from a fair number of people.

Regards,
Dave Broucek
Mgr. Information Security and IT Business Continuity
Harper College

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of David Eilken
Sent: Wednesday, June 12, 2019 8:52 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Initial Phishing Simulation - Do you tell them first?

All,

I have seen some threads on phishing in the past, but have a very specific question.

When you started your phishing campaign/program, did you notify your staff/faculty that the simulations were coming (and not to worry about getting in trouble for failing)? I know KnowBe4 suggests not informing the population prior to doing a baseline. I've heard some pretty bad horror stories about the faculty not being too happy about getting a test phishing email sprung on them out of the blue.

I personally don't see a huge upside to not letting them know what the broader campaign is about and how it supports the infosec program. I would be surprised if it would skew the results much. We already send out notifications when a real campaign is active.

Appreciate your input. Hope you're enjoying the summer.

Best,
Dave

--
DAVID EILKEN
MARICOPA COMMUNITY COLLEGES
Information Security Officer | ITS
2411 West 14th Street, Tempe, AZ 85281
david.eilken () domail maricopa edu
https://www.maricopa.edu/
O: 480-784-0637