Educause Security Discussion mailing list archives

Re: (WARNING) Re: [SECURITY] Initial Phishing Simulation - Do you tell them first?


From: Richard Siedzik <rsiedzik () BRYANT EDU>
Date: Thu, 13 Jun 2019 18:33:49 +0000

I'll share something some colleagues at another institution shared with me. They were early adopters of a commercial 
phishing simulation service but have since moved away. They came to the conclusion the training is more cerebral than 
tactical.  They use what they call their 2nd-gen method...they announce to the community the start of their monthly 
simulation campaign but only send one phish to one random user. They would prefer not to send any but do so only 
because they don't want to be accused of any falsehood. They tell me the "watercooler" talk goes way up as soon as the 
announcement goes out. Call volume to the helpdesk goes way up and people start paying closer attention to everything 
in their inbox, at least for a period. They believe they are achieving similar if not better results without the
commercial "vendorized security".

BTW - we're still using a commercial service but it has given us something to think about.
R.S.
