One of the most exciting areas for me in the world of security awareness is metrics, we are getting better and better at measuring change in human behavior. One of the most common methods is phishing assessments, as not only are they easy to do but they address one of the most common human attack vectors. A common question I'm asked with metrics is should organizations share the results of who fell victim, perhaps a 'wall of shame'. Absolutely not, in many cases you do not even want to share the names with senior management. Here are several reasons why.
- First of all, everyone will eventually fall victim to such an assessment, even your or I. We all have a bad day, weren't thinking or were in a hurry. You don't want to penalize someone for a slip. Make them aware and have them learn from the event, but don't penalize them. If you find me at a conference one day, ask me to tell you the story on how I fell victim to one of my own phishing assessments that I sent out!
- If you do report to management the names of people who fell victim, employees will rightfully resent the program. They will feel that by reporting their names you are negatively impacting their career. Instead, what I have found works best is simply let the victim know they fell victim and that only a few people on the security team will know. Reinforce that the training is for their benefit.
- Evil things happen when you share names, bad karma will get you sooner or later. Many years ago when I was but a young padawan doing one of my first security assessments, we were providing the assessment results to the Board of Directors. One of the things we listed was whose passwords we had cracked during the assessment process. As this was just the Board of Directors, we listed both the names and their passwords of those who failed. What could possibly go wrong you ask? Well, alot. You see, we cracked the password of one of the directors, so his name was up there on the list. That was not the bad part, the bad part was the password itself. It was his secretary's name, whom he was having an affair with. Did I mention bad karma when releasing names?
So what are you supposed to release? Numbers, just focus on numbers. You can release numbers by department, by office, by country - whatever works best for you. The only time I recommend sharing a name of someone who fell victim is if they are a repeat offender. In other words, they have demonstrated an inability to change behavior and represent a high risk to the organization. Then report them to management and decide what further actions to take. One the flip side, be sure to release names of people who do good, make heros out of people who see an attack and stop/report it.