Educause Security Discussion mailing list archives

Re: Initial Phishing Simulation - Do you tell them first?


From: "Watkins, Jameson" <jmwatkins () PNWU EDU>
Date: Wed, 19 Jun 2019 02:49:10 +0000

We didn’t tell people directly we were doing it, but we did say there would be a test after the October cybersecurity 
awareness week and the spring cybersecurity compliance training window.

I also follow up with the whole campus after each of the simulations we’ve done with some overall stats, and this last 
time I recorded a 5 minute video of what people would have seen if they clicked on it, and what were the factors they 
should have been looking for. I’ve heard people have considered the simulations to be a good educational tool. It was 
important to craft the ‘whoops’ page with the right tone.

On the negative side of phishing simulations, I once had a member of our leadership team come to me in tears saying I 
‘got’ her. She had fallen for the iTunes card scam and had bought several hundred dollars’ worth of cards. She thought 
IT had instigated it and was embarrassed, upset, and angry. I was horrified.

Now that we have a few of the simulations under our belt, I’m considering forcing multi-factor authentication for those 
that have fallen multiple times for it – they’re clearly a vector of risk and our education campaigns haven’t worked 
for them.

Jameson Watkins
Chief Information Officer
Pacific Northwest University of Health Sciences
509.249.7719
http://www.pnwu.edu/



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Neal O'Farrell
Sent: Thursday, June 13, 2019 6:14 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Initial Phishing Simulation - Do you tell them first?

About the reward/incentive approach to awareness, we tried something similar a few years ago and it worked very well - 
but not many adopters.

Instead of sending out phishing emails, we sent out quiz questions - three questions per quiz and questions either 
based on common security knowledge or specific policies.

Just for participating - selecting an answer - you earn a point. Choose the correct answer, you get two points etc.

We experimented with all kinds of prizes, from gift cards to recognition. The most popular, by far, is the monthly 
winner got to go home early on a Friday.

An early kind of gamification and not without its challenges (like encouraging employees to click on yet more emails).
But it certainly increased employee buy-in. And again, it's just human nature. The more fun and rewarding an otherwise 
tedious task becomes, the more people are willing to engage.

Some employees even encouraged daily quizzes, a fun way to start the day and another chance to improve your score and 
shorten your week.

Neal.

Neal O'Farrell
Schooled In Security
http://www.schooledinsecurity.org
neal () schooledinsecurity org
(925) 914 0248 (EST)

When we say "next generation security," we really mean it!



On Thu, Jun 13, 2019 at 8:49 AM Hart, Michael <mhart20 () msudenver edu> wrote:
I agree with not making this punitive.  I’d focus on gentle suggestions for our staff and faculty that fall for an 
internal phish.  More of a “Whoops” than a “Gotcha!”

I have also contemplated providing some prizes for the first to report messages from these campaigns.  If we did a 
Starbucks-themed phish, we could provide $5 Starbucks gift cards to the first handful of people who report them to the 
correct resource on campus.

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Neal O'Farrell
Sent: Thursday, June 13, 2019 6:41 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Initial Phishing Simulation - Do you tell them first?

I don't come from a university background but have developed many phishing campaigns over the years.

My preference has always been to make all employees aware in advance that phishing is being phased in as part of an 
overall awareness improvement campaign or culture.

Then start the campaign a couple of weeks after that communication - and there may have to be a couple of 
communications first. I find that two weeks is usually enough time for most employees to forget that a phish test is on 
the way, but then remember, when reminded, that they were told it was coming. A happy medium that doesn't impact 
baseline testing.

Most humans, especially at work, don't like to feel they've been tricked or duped, made a simple mistake, made to look 
foolish etc. When employees get angry that they're being unfairly (in their minds) tested, it hurts the entire goal of 
a culture of vigilance.

Neal.

Neal O'Farrell
Schooled In Security
http://www.schooledinsecurity.org
neal () schooledinsecurity org
(925) 914 0248 (EST)

Security is fundamentally a battle of body parts - between the brain and the index finger. For the enemy to lose, the 
brain must win.



On Wed, Jun 12, 2019 at 9:51 PM David Eilken <david.eilken () domail maricopa edu> wrote:
All,

I have seen some threads on phishing in the past, but have a very specific question. When you started your phishing 
campaign/program, did you notify your staff/faculty that the simulations were coming (and not to worry about 
getting in trouble for failing)?

I know KnowBe4 suggests not informing the population prior to doing a baseline. I've heard some pretty bad horror 
stories about the faculty not being too happy about getting a test phishing email sprung on them out of the blue. I 
personally don't see a huge upside to not letting them know what the broader campaign is about and how it supports the 
infosec program. I would be surprised if it would skew the results much. We already send out notifications when a real 
campaign is active.

Appreciate your input. Hope you're enjoying the summer.


Best,
Dave

--
DAVID EILKEN
MARICOPA COMMUNITY COLLEGES
Information Security Officer | ITS
2411 West 14th Street, Tempe, AZ 85281
david.eilken () domail maricopa edu
https://www.maricopa.edu/
O: 480-784-0637
LinkedIn <https://linkedin.com/school/maricopa-community-colleges> | Twitter <https://twitter.com/mcccd> | Facebook <https://www.facebook.com/maricopa.edu>

