Educause Security Discussion mailing list archives
Re: Phishing Simulation - Punitive Escalation
From: Jesse Thompson <000000b6da97d697-dmarc-request () LISTSERV EDUCAUSE EDU>
Date: Mon, 18 May 2020 15:44:33 -0500
Depending on your organization's culture, there are probably people who are intentionally clicking on them, knowing that it will annoy you :-) Or, maybe they think that they're supposed to click on them once they correctly identify it as a simulation. Or, maybe they're using a poorly designed email client that still loads remote content automatically (you can test various clients using https://www.emailprivacytester.com/). Or, maybe there is anti-malware protection in the loop that is loading remote content without user interaction (this is becoming increasingly common).

I think that too many organizations have been sold on the idea that the phishing simulations are a vehicle for training and compliance. In my opinion, phishing simulations are ideal for highly controlled measurements of your organization's susceptibility to the phishing risk, over time, as a way to determine if the other factors (phishing awareness/training, emerging threats, anti-spam protection) within the equation are trending in the direction you desire. It's tricky to do it right, since you'll need to craft messages that are very similar to the type of threats your users will likely see in the wild, and then you'll need to do something like send the same message repeatedly over time to different sets of users with the same demographics in a statistically significant fashion.

My opinion on this matter is partially derived from conversations with various people at M3AAWG, including people who work for vendors that sell this type of phishing simulation service.

Jesse Thompson
University of Wisconsin-Madison

On 5/18/20 9:51 AM, Gomez, Joshua wrote:
Hello,

I wanted to ask what people are doing for a "path to escalation" for staff who repeatedly fail simulations or cause incidents?

For example:
First Failure -> Remedial Training
Second Failure -> Remedial Training + Supervisor Notification
Third Failure -> Remedial Training + Sit down with person and department head
Etc.

I'm just trying to get some ideas to bring to our Governance committee. We have not been trying to be punitive and haven't needed to do much, but we are starting to see repeat offenders that need coaching for behavioral changes.

Thanks in Advance,
Josh

Joshua Gomez | Analyst, Information Security
Information Technology Solutions

********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
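The measurement approach Jesse Thompson describes (the same lure sent to comparable cohorts over time, with automated "clicks" from scanners and auto-loading clients kept out of the numbers) can be sketched in code. This is an added example, not code from the list or from any simulation vendor; the 5-second automated-click threshold and the per-recipient click timings are constructed assumptions for illustration.

```python
import math

# Assumption: a click registered this soon after delivery is more likely a
# security scanner or an auto-loading mail client than a person reading mail.
AUTO_CLICK_SECONDS = 5.0

# Constructed sample data: one entry per recipient, holding seconds from
# delivery to the first link click, or None when the link was never fetched.
WAVE_1 = [1.2] * 10 + [300.0] * 40 + [None] * 150   # 200 recipients, first run
WAVE_2 = [0.8] * 10 + [120.0] * 20 + [None] * 170   # 200 recipients, later run


def human_clicks(click_times):
    """Count clicks, discarding those fast enough to look automated."""
    return sum(1 for t in click_times if t is not None and t >= AUTO_CLICK_SECONDS)


def raw_clicks(click_times):
    """Count every fetch of the link, as a naive report would."""
    return sum(1 for t in click_times if t is not None)


def two_proportion_z(clicks_a, n_a, clicks_b, n_b):
    """Two-sided pooled z-test for a difference in click rates.

    Returns (z, p); p is computed from the normal tail via erfc.
    """
    pooled = (clicks_a + clicks_b) / (n_a + n_b)
    se = math.sqrt(pooled * (1 - pooled) * (1 / n_a + 1 / n_b))
    if se == 0:  # identical all-or-nothing cohorts: no evidence of a difference
        return 0.0, 1.0
    z = (clicks_a / n_a - clicks_b / n_b) / se
    return z, math.erfc(abs(z) / math.sqrt(2))


def compare_waves(wave_a, wave_b, alpha=0.05):
    """Compare human click rates of two cohorts and flag a significant change."""
    ca, cb = human_clicks(wave_a), human_clicks(wave_b)
    z, p = two_proportion_z(ca, len(wave_a), cb, len(wave_b))
    return {"rate_a": ca / len(wave_a), "rate_b": cb / len(wave_b),
            "z": z, "p": p, "significant": p < alpha}


if __name__ == "__main__":
    print("naive rates:", raw_clicks(WAVE_1) / len(WAVE_1), raw_clicks(WAVE_2) / len(WAVE_2))
    print(compare_waves(WAVE_1, WAVE_2))
```

With the constructed data, the naive rates are 25% and 15%, while the filtered rates of 20% and 10% differ with p of roughly 0.005, so the drop between waves is unlikely to be noise at the 5% level.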