Security awareness assessments are one of the most common metrics used to measure the security awareness of employees.  Usually such assessments replicate common phishing or email-based attacks.  These assessments are popular because they are easy to reproduce and track, a key requirement for good metrics.  The assessment works by first deciding on a common email attack to replicate.  That email is then sent to a percentage of the employees and the results are tracked.  Each email carries a unique identification number, so you can determine which employees opened the email, which ones clicked on the links, and in some cases which employees actually submitted information.  One of the key decisions an organization needs to make is exactly what type of attack to replicate: a common, generic phishing attack, or something more customized that replicates a spear phishing attack.  This decision is more important than you think; because we are dealing with humans, these assessments can go wrong, as the Air Force found out recently when it replicated a phishing attack calling for extras for a movie.  My preference is to go with simple or generic emails like the example you see below, not something customized or targeted.  On average 15% of employees fall victim to the email you see below (they can't resist 'click here').
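The tracking described above comes down to a per-recipient token and a tally of which stage each person reached. The following is an added example, not code from the original post: it assumes a campaign in which every recipient's tracking-pixel URL and link carry a unique token, and that the web server logs each hit. The token map, the URL paths (`/pixel.gif`, `/login`) and the log lines are all constructed for illustration.

```python
"""Tally the results of a security-awareness (phishing simulation) assessment.

Added example, not code from the original post.  Assumes each recipient was
given a unique token embedded in the tracking-pixel URL and the link, and that
the web server logs every hit.  Token map, paths and log lines are constructed.
"""
import re
import secrets

# Constructed mapping of tracking token -> employee id (one token per recipient).
# In practice you would build this with issue_tokens() when preparing the send list.
TOKEN_MAP = {
    "a1f3": "emp-001",
    "b7c9": "emp-002",
    "c2d8": "emp-003",
    "d4e1": "emp-004",
    "e9f0": "emp-005",
}

# Constructed web-server access-log excerpt (common log format, trimmed).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2010:09:01:10 +0000] "GET /pixel.gif?t=a1f3 HTTP/1.1" 200 43
10.0.0.5 - - [12/Mar/2010:09:01:31 +0000] "GET /login?t=a1f3 HTTP/1.1" 200 1204
10.0.0.5 - - [12/Mar/2010:09:02:02 +0000] "POST /login?t=a1f3 HTTP/1.1" 302 0
10.0.0.7 - - [12/Mar/2010:09:05:44 +0000] "GET /pixel.gif?t=b7c9 HTTP/1.1" 200 43
10.0.0.9 - - [12/Mar/2010:09:07:12 +0000] "GET /login?t=c2d8 HTTP/1.1" 200 1204
10.0.0.9 - - [12/Mar/2010:09:07:15 +0000] "GET /login?t=c2d8 HTTP/1.1" 200 1204
10.0.0.3 - - [12/Mar/2010:09:10:00 +0000] "GET /login?t=0000 HTTP/1.1" 404 0
"""

LOG_RE = re.compile(r'"(?P<method>GET|POST) (?P<path>/\S*?)\?t=(?P<token>[0-9a-f]+) ')

# Funnel stages, ordered so that reaching a later stage implies the earlier ones.
STAGES = ("opened", "clicked", "submitted")
EVENT_MAP = {
    ("GET", "/pixel.gif"): "opened",     # tracking pixel loaded
    ("GET", "/login"): "clicked",        # link followed to the landing page
    ("POST", "/login"): "submitted",     # form on the landing page submitted
}


def issue_tokens(employee_ids, nbytes=8):
    """Assign each recipient a unique, unguessable token so results cannot be spoofed."""
    tokens = {}
    for emp in employee_ids:
        tok = secrets.token_hex(nbytes)
        while tok in tokens:  # practically never collides, but keep the map injective
            tok = secrets.token_hex(nbytes)
        tokens[tok] = emp
    return tokens


def parse_events(log_text, token_map):
    """Yield (employee_id, stage) for each log line carrying a known token.

    Hits with unknown tokens (typos, scanners, curious staff) are ignored rather
    than attributed to anyone.
    """
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        emp = token_map.get(m.group("token"))
        stage = EVENT_MAP.get((m.group("method"), m.group("path")))
        if emp is not None and stage is not None:
            yield emp, stage


def tally(log_text, token_map):
    """Return per-stage counts and rates over everyone who was sent the email.

    Each employee counts once per stage (repeat clicks do not inflate the
    numbers), and a later stage implies the earlier ones, so a mail client that
    blocks the tracking pixel does not hide a click.
    """
    furthest = {}
    for emp, stage in parse_events(log_text, token_map):
        idx = STAGES.index(stage)
        furthest[emp] = max(furthest.get(emp, -1), idx)

    sent = len(token_map)
    counts = {s: 0 for s in STAGES}
    for idx in furthest.values():
        for s in STAGES[: idx + 1]:
            counts[s] += 1
    rates = {s: round(100.0 * counts[s] / sent, 1) for s in STAGES}
    return {"sent": sent, "counts": counts, "rates_pct": rates}


if __name__ == "__main__":
    result = tally(SAMPLE_LOG, TOKEN_MAP)
    print(f"sent: {result['sent']}")
    for s in STAGES:
        print(f"{s:>9}: {result['counts'][s]} ({result['rates_pct'][s]}%)")
```

The rate is computed against everyone who was sent the email, not against those who opened it, because the metric the post argues for is the fraction of the workforce that falls for a basic lure. Using random tokens rather than sequential numbers matters for the same reason: the numbers are only meaningful if nobody can trigger a "click" on a colleague's behalf.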

Since security teams know their organization so well, it is tempting for them to create highly customized spear phishing attacks that will fool many employees.  If your goal is simply metrics (and not a penetration test), there are several reasons why I feel customized attacks are the wrong approach.

  • First, the goal of an awareness assessment is to determine the baseline level of awareness.  Of course a highly customized spear phishing attack is going to have many victims; we all know that.  We need to focus on the basics first.  If your employees are clicking on simple emails like the one you see above, you have bigger problems to solve first.
  • Another problem with highly targeted awareness assessments is that they can destroy the trust and faith of your employees.  I know of a recent assessment in a health care organization where the security team used highly proprietary information, replicating internal communications that only employees would know about.  Of course a huge percentage of employees fell victim, only to be frustrated and lose trust in the organization and the security team because they felt they had been unfairly taken advantage of.
  • Finally, I find you get far greater management support if you go with generic emails in your awareness assessment.  If you launch a highly customized awareness assessment, management will simply say, "Of course so many people fell victim."  However, you will have far greater management impact if you demonstrate how many people fell victim to a generic email or a very basic social engineering attack.

Obviously this is a generalization; every organization has a different culture and different requirements.  What has or has not worked well for you with awareness assessments?

PS:  I found a great site just as I finished this blog, called This is an excellent site that details how to do advanced or customized social engineering attacks, primarily for penetration testing.  They even created a framework to work with Metasploit.  I highly recommend you check out the site.