Educause Security Discussion mailing list archives
Re: Initial Phishing Simulation - Do you tell them first?
From: Rob Milman <rob.milman () SAIT CA>
Date: Thu, 13 Jun 2019 16:13:15 +0000
+1 for your comments Brad. This is the exact approach we took with our campaign running 2+ years now, with nary a complaint.

Rob Milman
Associate Director, Information Security
Information Technology Services
Southern Alberta Institute of Technology
EH Crandell Building, GA 214
1301 – 16 Avenue NW, Calgary AB, T2M 0L4
(Office) 403.774.5401 (Cell) 403.606.3173
rob.milman () sait ca

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Brad Judy
Sent: Thursday, June 13, 2019 9:26 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Initial Phishing Simulation - Do you tell them first?

Thanks Valerie,

For those wanting a quick look at the specific point I made on this topic, here’s the excerpt:

The community is fully informed of the process that will occur before it happens. Someone once asked me, "Aren't you afraid that telling people what you're doing will skew the results?" This isn't a research paper — we are trying to promote learning. If raising awareness about a self-phishing project is enough to prevent someone from responding to phishing, then you've already won.

Ask yourself – is it more important to have a research quality baseline that wasn’t affected by the announcement or to be respectful of your community by treating them like adults who like to be informed. (Yes, I totally bias-worded that sentence to guilt people into my view.)

As a side note, if making a single announcement via email imparts measurable behavioral change at your institution, you may work for a magical unicorn school. 😊 Even at Hogwarts, it took howler messages to get the attention of the students.
Brad Judy
Information Security Officer
Office of Information Security
University of Colorado
1800 Grant Street, Suite 300
Denver, CO 80203
Office: (303) 860-4293
Fax: (303) 860-4302
www.cu.edu

From: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Valerie Vogel <vvogel () EDUCAUSE EDU>
Reply-To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Thursday, June 13, 2019 at 8:44 AM
To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Initial Phishing Simulation - Do you tell them first?

In addition to Dr. Jessica Barker’s article on positively influencing behavior (thank you for sharing that resource, Henk!), I wanted to share this blog by Brad Judy about Phishing Your Users: https://er.educause.edu/blogs/2016/4/phishing-your-users. It offers 10 key points to consider when implementing a phishing assessment program.

Thank you,
Valerie

Valerie Vogel
Senior Manager, Cybersecurity Program
EDUCAUSE
Uncommon Thinking for the Common Good
direct: 202.331.5374 | Follow HEISC on LinkedIn <https://www.linkedin.com/showcase/higher-education-information-security-council-heisc-/> | twitter: @HEISCouncil | vvogel () educause edu

From: Security Discussion Group List <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of "Sonder, Henk E." <hsonder () RIC EDU>
Reply-To: Security Discussion Group List <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Thursday, June 13, 2019 at 5:26 AM
To: Security Discussion Group List <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Initial Phishing Simulation - Do you tell them first?
Dave,

Although I cannot speak with authority, as I do not have my own data to back this up, I am a proponent of making an announcement in general terms. We are still toying with the idea of phishing simulation as part of an awareness campaign, but I would announce (by email) that we will be doing phishing simulations during the upcoming semesters and that all or part of the community may be included in these simulations. I would provide them with background information on what to look out for in order to identify phishing emails (fake or real).

What is your goal of a simulation and what are your metrics? More so, what is the culture at the Maricopa Community Colleges that leads to the outcomes you are looking for? The first simulation will still be your baseline, whether you announce or not; it all comes down to defining the metrics you are measuring.

My goal is to raise alertness and awareness. If I tell them they can expect a phishing simulation, they start looking for that phishing email. However, that means that they have to inspect every other suspicious email and make a judgement of risk. You need the same skills to identify the fake phish that you need to identify the real phish. I prefer the ‘Gamify’ approach to the ‘Gotcha!’ one. I would not only measure the number of people clicking on a phishing link, but also the number who report the phish.

Before hearing Jessica Barker’s SPC2018 keynote <https://events.educause.edu/special-topic-events/webinar/2018/encore-selections-from-the-educause-security-professionals-conference-2018/agenda/keynote-cybersecurity-awareness-is-dead-long-live-cybersecurity-awareness> I believed in the ‘surprise simulation’. I no longer believe that is the most effective approach, in particular given the openness of a higher education institution. I prefer empowering them (give them the tools to report a phish).
On a side note, when I announce a phishing simulation campaign via email here at Rhode Island College, the simulation will still surprise the majority of faculty/staff.

Read Jessica Barker, The Human Nature Of Cybersecurity <https://er.educause.edu/articles/2019/5/the-human-nature-of-cybersecurity>

Like you, I am interested to hear from those who have a number of simulation campaigns under their belt.

Henk E. Sonder
Director Information Security
Rhode Island College
600 Mount Pleasant Ave
Providence, RI 02908
Office: 401-456-9577
Email: hsonder () ric edu

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of David Eilken
Sent: Wednesday, June 12, 2019 9:52 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Initial Phishing Simulation - Do you tell them first?

All,

I have seen some threads on phishing in the past, but have a very specific question. When you started your phishing campaign/program, did you notify your staff/faculty that the simulations were coming (and not to worry about getting in trouble for failing)? I know KnowBe4 suggests not informing the population prior to doing a baseline. I've heard some pretty bad horror stories about the faculty not being too happy about getting a test phishing email sprung on them out of the blue. I personally don't see a huge upside to not letting them know what the broader campaign is about and how it supports the infosec program. I would be surprised if it skewed the results much. We already send out notifications when a real campaign is active.

Appreciate your input. Hope you're enjoying the summer.

Best,
Dave

--
DAVID EILKEN
MARICOPA COMMUNITY COLLEGES
Information Security Officer | ITS
2411 West 14th Street, Tempe, AZ 85281
david.eilken () domail maricopa edu
https://www.maricopa.edu/
O: 480-784-0637
LinkedIn <https://linkedin.com/school/maricopa-community-colleges> | Twitter <https://twitter.com/mcccd> | Facebook <https://www.facebook.com/maricopa.edu>
Current thread:
- Initial Phishing Simulation - Do you tell them first? David Eilken (Jun 12)
- Re: Initial Phishing Simulation - Do you tell them first? Scott Stoops (Jun 13)
- Re: Initial Phishing Simulation - Do you tell them first? Dennis Bolton (Jun 13)
- Re: Initial Phishing Simulation - Do you tell them first? Sonder, Henk E. (Jun 13)
- Re: Initial Phishing Simulation - Do you tell them first? Valerie Vogel (Jun 13)
- Re: Initial Phishing Simulation - Do you tell them first? Jason Fried (Jun 13)
- Re: [External] Re: [SECURITY] Initial Phishing Simulation - Do you tell them first? Gregg, Christopher S. (Jun 13)
- Re: Initial Phishing Simulation - Do you tell them first? Brad Judy (Jun 13)
- Re: Initial Phishing Simulation - Do you tell them first? Rob Milman (Jun 13)
- Re: Initial Phishing Simulation - Do you tell them first? Valerie Vogel (Jun 13)
- Re: Initial Phishing Simulation - Do you tell them first? Scott Stoops (Jun 13)
- Re: Initial Phishing Simulation - Do you tell them first? Ken Connelly (Jun 13)
- Re: Initial Phishing Simulation - Do you tell them first? Neal O'Farrell (Jun 13)
- Re: Initial Phishing Simulation - Do you tell them first? Hart, Michael (Jun 13)
- Re: Initial Phishing Simulation - Do you tell them first? Neal O'Farrell (Jun 13)
- Re: Initial Phishing Simulation - Do you tell them first? Watkins, Jameson (Jun 18)
- Re: Initial Phishing Simulation - Do you tell them first? Brian Basgen (Jun 13)
- Re: Initial Phishing Simulation - Do you tell them first? Hart, Michael (Jun 13)
- <Possible follow-ups>
- Re: Initial Phishing Simulation - Do you tell them first? Eric Sawyer (Jun 13)
- Re: (WARNING) Re: [SECURITY] Initial Phishing Simulation - Do you tell them first? Richard Siedzik (Jun 13)