Educause Security Discussion mailing list archives

Re: Initial Phishing Simulation - Do you tell them first?


From: Dave Broucek <dbroucek () HARPERCOLLEGE EDU>
Date: Thu, 13 Jun 2019 15:27:55 +0000

We had provided awareness that a phishing simulation would occur over a period of time, but not when each area or group 
was going to receive the phishing simulation email. I had a presentation available explaining why we were conducting 
the live phishing simulation. I did find that the initial awareness of a live phishing simulation did help bring 
initial awareness for the prospect of phishing emails in general and helped to provide some strategies for detection.

As our live phishing simulation was in progress, or completed for an area, I reached out to as many people in the area 
as possible to gather information about how they handled the phishing email and their thoughts on the simulation. I was looking 
at it in terms of “looks bad, do not open”, “looks bad, do not open and let other people know”; along with reporting 
the phishing email. I communicated with most everyone who did click on the link to get a sense of why they did it and 
what actions they took afterwards. Also, those that clicked received a brief video session and quiz. Few people 
refused to complete the follow-up session or did not admit that they clicked on the link.

Ultimately, I believe that providing the initial awareness got people to look out for the phishing simulation email and 
become a bit more critical. The reinforcement after a group’s simulation completed did bring out questions on how to 
further detect from a fair number of people.


Regards,

Dave Broucek
Mgr. Information Security and IT Business Continuity
Harper College


From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of David Eilken
Sent: Wednesday, June 12, 2019 8:52 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Initial Phishing Simulation - Do you tell them first?

All,

I have seen some threads on phishing in the past, but have a very specific question. When you started your phishing 
campaign/program, did you notify your staff/faculty that the simulations were coming (and not to worry about 
getting in trouble for failing)?

I know KnowBe4 suggests not informing the population prior to doing a baseline. I've heard some pretty bad horror 
stories about the faculty not being too happy about getting a test phishing email sprung on them out of the blue. I 
personally don't see a huge upside to not letting them know what the broader campaign is about and how it supports the 
infosec program. I would be surprised if it would skew the results much. We already send out notifications when a real 
campaign is active.

Appreciate your input. Hope you're enjoying the summer.


Best,
Dave

--
DAVID EILKEN
MARICOPA COMMUNITY COLLEGES
Information Security Officer | ITS
2411 West 14th Street, Tempe, AZ 85281
david.eilken () domail maricopa edu
https://www.maricopa.edu/
O: 480-784-0637
LinkedIn | Twitter | Facebook