Educause Security Discussion mailing list archives

Re: Phishing Simulation - Punitive Escalation


From: Jesse Thompson <000000b6da97d697-dmarc-request () LISTSERV EDUCAUSE EDU>
Date: Mon, 18 May 2020 15:44:33 -0500

Depending on your organization's culture, there are probably people who are intentionally clicking on them, knowing 
that it will annoy you :-)  Or, maybe they think that they're supposed to click on them once they correctly identify it 
as a simulation.  Or, maybe they're using a poorly designed email client that still loads remote content automatically 
(you can test various clients using https://www.emailprivacytester.com/).  Or, maybe there is anti-malware protection 
in the loop that is loading remote content without user interaction (this is becoming increasingly common).

I think that too many organizations have been sold on the idea that the phishing simulations are a vehicle for training 
and compliance.

In my opinion, phishing simulations are ideal for highly controlled measurements of your organization's susceptibility 
to the phishing risk, over time, as a way to determine if the other factors (phishing awareness/training, emerging 
threats, anti-spam protection) within the equation are trending in the direction you desire.  It's tricky to do it 
right, since you'll need to craft messages that are very similar to the type of threats your users will likely see in 
the wild, and then you'll need to do something like send the same message repeatedly over time to different sets of 
users with the same demographics in a statistically significant fashion.

My opinion on this matter is partially derived from conversations with various people at M3AAWG, including people who 
work for vendors that sell this type of phishing simulation service.

Jesse Thompson
University of Wisconsin-Madison
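An added example (not part of the original message or of any vendor's product) of the two measurement points above: discounting clicks that no human made, then comparing cohort click rates across rounds with a proper significance test. The constructed log, the 5-second "prefetch" window and the placeholder scanner user agent are assumptions for illustration; a real deployment would tune the window and populate the scanner list from observed traffic.

```python
"""Phishing-simulation click rates with automated-click filtering and a
two-proportion z-test between rounds.

Example code written for this thread; the data and heuristics are constructed.
Assumptions: a click within AUTO_WINDOW_S seconds of delivery, or from a user
agent listed in SCANNER_AGENTS, came from mail-client prefetch or anti-malware
link scanning rather than from a person.
"""
import math
from datetime import datetime, timedelta

AUTO_WINDOW_S = 5                              # assumed prefetch window (seconds)
SCANNER_AGENTS = {"ExampleLinkScanner/1.0"}    # constructed placeholder, not a real product

T0 = datetime(2020, 5, 18, 9, 0, 0)            # constructed campaign start time


def ev(rnd, cohort, user, click_after_s=None, ua="Mozilla/5.0 (constructed)"):
    """Build one delivery record; click_after_s=None means no click."""
    delivered = T0 + timedelta(hours=rnd)      # constructed: one send per round
    clicked = None if click_after_s is None else delivered + timedelta(seconds=click_after_s)
    return {"round": rnd, "cohort": cohort, "user": user,
            "delivered_at": delivered, "clicked_at": clicked, "user_agent": ua}


# Constructed log: the same message sent twice to the same cohort of 10 people.
EVENTS = (
    # Round 1: 4 clicks recorded, but 2 are automated (2 s latency, scanner UA)
    [ev(1, "staff", f"s{i}") for i in range(6)]
    + [ev(1, "staff", "s6", 120), ev(1, "staff", "s7", 900),
       ev(1, "staff", "s8", 2),
       ev(1, "staff", "s9", 300, ua="ExampleLinkScanner/1.0")]
    # Round 2: 2 clicks recorded, 1 automated
    + [ev(2, "staff", f"s{i}") for i in range(8)]
    + [ev(2, "staff", "s8", 600),
       ev(2, "staff", "s9", 1, ua="ExampleLinkScanner/1.0")]
)


def is_automated(event):
    """True if the click looks machine-generated under the assumed heuristics."""
    if event["clicked_at"] is None:
        return False
    latency = (event["clicked_at"] - event["delivered_at"]).total_seconds()
    return latency <= AUTO_WINDOW_S or event["user_agent"] in SCANNER_AGENTS


def click_counts(events):
    """Return {(round, cohort): (human_clicks, delivered, automated_clicks)}."""
    out = {}
    for e in events:
        key = (e["round"], e["cohort"])
        human, delivered, auto = out.get(key, (0, 0, 0))
        delivered += 1
        if e["clicked_at"] is not None:
            if is_automated(e):
                auto += 1
            else:
                human += 1
        out[key] = (human, delivered, auto)
    return out


def two_proportion_z(k1, n1, k2, n2):
    """Two-sided two-proportion z-test on k1/n1 vs k2/n2; returns (z, p_value)."""
    p1, p2 = k1 / n1, k2 / n2
    pooled = (k1 + k2) / (n1 + n2)
    se = math.sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
    if se == 0:
        return 0.0, 1.0
    z = (p1 - p2) / se
    p = math.erfc(abs(z) / math.sqrt(2))     # two-sided p-value from the normal tail
    return z, p


def compare_rounds(events, cohort, round_a, round_b, alpha=0.05):
    """Human click rate of one cohort in two rounds, with significance of the change."""
    counts = click_counts(events)
    ka, na, auto_a = counts[(round_a, cohort)]
    kb, nb, auto_b = counts[(round_b, cohort)]
    z, p = two_proportion_z(ka, na, kb, nb)
    return {"raw_rate_a": (ka + auto_a) / na, "rate_a": ka / na,
            "raw_rate_b": (kb + auto_b) / nb, "rate_b": kb / nb,
            "z": z, "p_value": p, "significant": p < alpha}


if __name__ == "__main__":
    r = compare_rounds(EVENTS, "staff", 1, 2)
    print(f"raw click rate: {r['raw_rate_a']:.2f} -> {r['raw_rate_b']:.2f}")
    print(f"human click rate: {r['rate_a']:.2f} -> {r['rate_b']:.2f}")
    print(f"z = {r['z']:.2f}, p = {r['p_value']:.2f}, significant: {r['significant']}")
```

With the constructed data the raw rate falls from 0.40 to 0.20 but the human rate only from 0.20 to 0.10, and with ten people per round the change is nowhere near significant (p ≈ 0.53). The same 0.25 vs 0.10 drop in cohorts of 200 would be, which is the point about cohort sizes: a single round's number says little, and unfiltered numbers say even less.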

On 5/18/20 9:51 AM, Gomez, Joshua wrote:
Hello

I wanted to ask what people are doing for a "path to escalation" for staff who repeatedly fail simulations or cause 
incidents?
For example:

First Failure -> Remedial Training

Second Failure -> Remedial Training + Supervisor Notification

Third Failure -> Remedial Training + Sit down with person and department head

Etc.
I’m just trying to get some ideas to bring to our Governance committee.  We have not been trying to be punitive and 
haven’t needed to do much, but we are starting to see repeat offenders that need coaching for behavioral changes.
Thanks in Advance,
Josh
*Joshua Gomez*| *Analyst, Information Security*

Information Technology Solutions

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community


