The Why of Security Awareness Phishing Assessments

Phishing assessments can be a powerful tool for your awareness program.  In the past we discussed how you can use phishing assessments for metrics, specifically how to measure what impact you are having in changing employee behavior.   However I'm finding phishing assessments to be even more powerful as a training tool.   The difference with training versus metrics in phishing assessments is that with training you are not measuring your awareness program, you are reinforcing it. For example, with metrics when you send out a phishing email and people fall victim, you do not tell them right away.  If you did they could warn others in your organization, skewing the results.  However, when using phishing assessments for training you do want to inform victims right way, you provide immediate feedback.  I usually do this by directing victims to a webpage explaining  what just happened, and how they could have determined the email was a fake. Some key lessons learned.

1. Do not use targeted phishing emails in your assessments, especially when staring your assessment program.  Instead simply use the same, every day attacks happening on the Internet.  Just look in your email spam folder or search the web for the latest attacks.  Targeted attacks can upset people, they feel that you are trying to take advantage of them.  Remember, we want to reinforce good behavior, not piss people off.
2. Do NOT report the names of the victims every month to management and let people in your organization know this.  That way people know and understand that the assessments will not impact them in any negative way, that they are designed to train and help.  We all fall victim sooner or later.  The only time I would report people to management is if they continually fall victim every month, if they are a high risk to your organization.
3. I also like to send a follow-up to all company staff the day after every phishing assessment.  This way you can explain what happened, how many people fell victim, and what they can learn from the attack.  I find people really appreciate the training, and in many ways you end up having an internal competition who can spot the phishes first, even when they are not your own.

Few organizations I work with use phishing assessments for training, primarily because management is very resistant to the idea.  They get very nervous with anything involving people.  However in almost all the cases of organizations that are actively running a phishing assessment program, they are very popular and successful.  In my next series of blogs I will discuss how you can get management approval, and the different ways you can execute your own phishing assessments.