hand through computer

I'm a huge fan of phishing assessments, not only are they a great way to measure the impact of your program, but a powerful way to reinforce key behaviors.  However as with any tool, you have to use it correctly.  A common challenge with phishing assessments is how targeted should you make the emails?  Make the assessments too simple, and over time people will get complacent.  Make them too targeted and people not only resent the program, but you destroy trust.  There needs to be a balance.

  1. Start your emails as simple and basic as possible.  Yes, its obviously a phishing assessment, but that is what you want.  Lots of people will still fall victim, but instead of resenting the program they will respect the program.  "Oh yeah, okay I should have figured out that was a phish".  In some ways the first phish or two is more about getting employee buy-in then training.
  2. I always wondered how I would know when to 'pump-up-the-volume' on the emails, but quickly discovered my answer.  When employees start asking you to create more targeted or harder emails.  Yes, they will ask, they want to be challenged.  Once you see the percentage of people who fall victim dropping, once people ask for harder emails, then it is time to create more targeted phishing assessments.
  3. The real challenge becomes how far to go.  I've learned don't go too far too often.  If you repeatedly make your emails too targeted or challenging you do more harm then good. First, people will resent the program, they will feel you are out to get them.  Second, people will no longer believe in the program.  "Yeah, sure you got me but you know what, the email was so targeted there was no way I could have figured it out." Third, people will stop trusting emails from other employees or partners, impacting how your organization operates.

Yes, spear phishing is a risk, for some organizations a big risk.   Just keep in mind, you can do more long harm then good with repeated, highly targeted assessments.  How often and how targeted should your phishing assessments be is something only you and your organization can decide.  If you are not sure how targeted you should make it, I reccommend error on the side of making it too easy as opposed to too hard.  

About the Author
Thumbnail

Lance Spitzner

Director, SANS Security Awareness
Lance Spitzner has over 20 years of security experience in cyber threat research, security architecture, awareness and training. He helped pioneer the fields of deception and cyber intelligence and founded the Honeynet Project. In addition, Lance has published three security books, consulted in over 25 countries and helped over 350 organizations build programs to manage their human risk. Lance is a frequent presenter, serial tweeter ( @lspitzner ) and works on numerous community security projects. Mr. Spitzner served as an armor officer in the Army's Rapid Deployment Force and earned his MBA from the University of Illinois.