Educause Security Discussion mailing list archives

Re: Initial Phishing Simulation - Do you tell them first?


From: Rob Milman <rob.milman () SAIT CA>
Date: Thu, 13 Jun 2019 16:13:15 +0000

+1 for your comments Brad. This is the exact approach we took with our campaign running 2+ years now, with nary a complaint.


Rob Milman
Associate Director, Information Security
Information Technology Services

Southern Alberta Institute of Technology
EH Crandell Building, GA 214
1301 – 16 Avenue NW, Calgary AB, T2M 0L4

(Office) 403.774.5401  (Cell) 403.606.3173
rob.milman () sait ca




From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Brad Judy
Sent: Thursday, June 13, 2019 9:26 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Initial Phishing Simulation - Do you tell them first?

Thanks Valerie,

For those wanting a quick look at the specific point I made on this topic, here’s the excerpt:

The community is fully informed of the process that will occur before it happens. Someone once asked me, "Aren't you 
afraid that telling people what you're doing will skew the results?" This isn't a research paper — we are trying to 
promote learning. If raising awareness about a self-phishing project is enough to prevent someone from responding to 
phishing, then you've already won.

Ask yourself – is it more important to have a research-quality baseline that wasn’t affected by the announcement, or to be respectful of your community by treating them like adults who like to be informed? (Yes, I totally bias-worded that sentence to guilt people into my view.)

As a side note, if making a single announcement via email imparts measurable behavioral change at your institution, you 
may work for a magical unicorn school. 😊 Even at Hogwarts, it took howler messages to get the attention of the students.

Brad Judy

Information Security Officer
Office of Information Security
University of Colorado
1800 Grant Street, Suite 300
Denver, CO  80203
Office: (303) 860-4293
Fax: (303) 860-4302
www.cu.edu



From: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Valerie Vogel <vvogel () EDUCAUSE EDU>
Reply-To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Thursday, June 13, 2019 at 8:44 AM
To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Initial Phishing Simulation - Do you tell them first?

In addition to Dr. Jessica Barker’s article on positively influencing behavior (thank you for sharing that resource, 
Henk!), I wanted to share this blog by Brad Judy about Phishing Your Users: 
https://er.educause.edu/blogs/2016/4/phishing-your-users. It offers 10 key points to consider when implementing a 
phishing assessment program.

Thank you,
Valerie

Valerie Vogel
Senior Manager, Cybersecurity Program

EDUCAUSE
Uncommon Thinking for the Common Good
direct: 202.331.5374 | Follow HEISC on LinkedIn <https://www.linkedin.com/showcase/higher-education-information-security-council-heisc-/> | twitter: @HEISCouncil | vvogel () educause edu

From: Security Discussion Group List <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of "Sonder, Henk E." <hsonder () RIC EDU>
Reply-To: Security Discussion Group List <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Thursday, June 13, 2019 at 5:26 AM
To: Security Discussion Group List <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Initial Phishing Simulation - Do you tell them first?

Dave,

Although I cannot speak with authority, as I do not have my own data to back this up, I am a proponent of making an announcement in general terms. We are still toying with the idea of phishing simulation as part of an awareness campaign, but I would announce (by email) that we will be doing phishing simulations during the upcoming semesters and that all or part of the community may be included in these simulations. I would provide them with background information on what to look out for in order to identify phishing emails (fake or real).

What is your goal of a simulation and what are your metrics? More so, what is the culture at the Maricopa Community Colleges that leads to the outcomes you are looking for? The first simulation will still be your baseline, whether you announce or not; it all comes down to defining the metrics you are measuring.

My goal is to raise alertness and awareness. If I tell them they can expect a phishing simulation, they start looking for that phishing email. However, that means that they have to inspect every other suspicious email and make a judgement of risk. You need the same skills to identify the fake phish that you need to identify the real phish. I prefer the ‘Gamify’ approach to the ‘Gotcha!’ one. I would not only measure the number of people clicking on a phishing link, but also the number who report the phish.

Before hearing Jessica Barker’s SPC2018 keynote <https://events.educause.edu/special-topic-events/webinar/2018/encore-selections-from-the-educause-security-professionals-conference-2018/agenda/keynote-cybersecurity-awareness-is-dead-long-live-cybersecurity-awareness> I believed in the ‘surprise simulation’. I no longer believe that is the most effective approach, in particular given the openness of a higher education institution. I prefer empowering them (give them the tools to report a phish).

On a side note, when I announce a phishing simulation campaign via email here at Rhode Island College, the simulation will still surprise the majority of faculty/staff.

Read Jessica Barker’s The Human Nature of Cybersecurity <https://er.educause.edu/articles/2019/5/the-human-nature-of-cybersecurity>

Like you, I am interested to hear from those who have a number of simulation campaigns under their belt.

Henk E. Sonder
Director Information Security
Rhode Island College
600 Mount Pleasant Ave
Providence, RI 02908
Office: 401-456-9577
Email: hsonder () ric edu




From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of David Eilken
Sent: Wednesday, June 12, 2019 9:52 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Initial Phishing Simulation - Do you tell them first?

All,

I have seen some threads on phishing in the past, but have a very specific question. When you started your phishing campaign/program, did you notify your staff/faculty that the simulations were coming (and not to worry about getting in trouble for failing)?

I know KnowBe4 suggests not informing the population prior to doing a baseline. I've heard some pretty bad horror stories about the faculty not being too happy about getting a test phishing email sprung on them out of the blue. I personally don't see a huge upside to not letting them know what the broader campaign is about and how it supports the infosec program. I would be surprised if it skewed the results much. We already send out notifications when a real campaign is active.

Appreciate your input. Hope you're enjoying the summer.


Best,
Dave

--
DAVID EILKEN
MARICOPA COMMUNITY COLLEGES
Information Security Officer | ITS
2411 West 14th Street, Tempe, AZ 85281
david.eilken () domail maricopa edu
https://www.maricopa.edu/
O: 480-784-0637
LinkedIn <https://linkedin.com/school/maricopa-community-colleges> | Twitter <https://twitter.com/mcccd> | Facebook <https://www.facebook.com/maricopa.edu>

