Continuous Email Phishing Exercises Change Behaviors

January 15, 2016 Arne Defurne

JAN 2016 – More and more organizations are performing email phishing exercises, often on a small scale. The organization sends out a phishing email and measures how many people are susceptible to this type of cyber attack. But only a few organizations repeat phishing exercises on a regular basis. This is definitely a missed opportunity.

This article explains why repeating phishing exercises is so important for raising awareness.

Measure the ROI of your security awareness program

In security it is not easy to calculate return on investment, as it is difficult to predict the impact of an attack. But by measuring the effect of successive phishing exercises on people, through the number of people who click on a suspicious link, you can follow the evolution of the click rate inside your organization. This is in essence the return on investment of your awareness initiative. The most common objective of a phishing campaign is to raise awareness by decreasing the click rate and increasing the reporting rate.


Evolution of click rate and reported rate in a Krinos Yearly Awareness Campaign

Do we need to phish all our employees? We often get this question, especially in organizations with over 5000 employees. If your objective is purely to measure the level of awareness, you can start by phishing a representative sample. But the truth is, you probably want to reach everyone if you are going to raise awareness.

And you want to do it a few times a year in order to see the evolution. What you need to consider is how many people inside your organization will report the phish by telephone. If this is 10% of your 5000 employees, your help desk ends up dealing with 500 phone calls, just for an awareness exercise. Careful planning and staggering the delivery of the emails can help you.

How frequently do you need to reach your people? This depends highly on the awareness level of the organization, but research as well as our own experience indicates that you need to send out at least 4 emails a year in order to substantially decrease the click rate.

Once you reach a certain overall awareness level, you can focus more on specific groups in your organization, as explained in the next point.

Focus on specific groups

You also want to repeat the phish because it allows you to focus on specific groups in your organization that seem more vulnerable to phishing attacks. Results by department or role often reveal, for instance, that sales people are more susceptible to a phishing attack. You will also see, when repeating the phish, that a small number of people fall victim over and over again. This is what we call repeat offenders. It might be beneficial to focus on that group specifically. Besides vulnerable groups, you might also consider groups that pose a bigger risk when they fall victim to a cyber attack. Not everyone needs the same awareness level. You expect someone with administrative privileges or access to direct payments to score a lot better on your phishing exercises. There is just so much intelligence to gain from repeating the phish.
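The metrics discussed above (click rate and report rate per campaign, the breakdown by department, repeat offenders, and a staggered send that keeps help desk calls manageable) can be computed from the raw results of each simulation. The script below is an added example, not Krinos' tooling or code from the article; the recipient records, department names and the help desk capacity of 100 calls per day are constructed for illustration.

```python
"""Metrics for a repeated phishing-simulation programme.

Added example (not the article's own code). Computes click rate and
report rate per campaign, breaks them down by department, flags repeat
offenders, and sizes a staggered send so that expected phone reports
stay within help desk capacity. All data below is constructed.
"""
from collections import defaultdict
from math import ceil

# Constructed sample: one record per recipient per campaign.
# Fields: campaign id, user id, department, clicked the link?, reported it?
RESULTS = [
    # campaign Q1
    ("Q1", "u1", "sales", True, False),
    ("Q1", "u2", "sales", True, False),
    ("Q1", "u3", "finance", False, True),
    ("Q1", "u4", "finance", True, False),
    ("Q1", "u5", "it", False, True),
    ("Q1", "u6", "it", False, False),
    # campaign Q2
    ("Q2", "u1", "sales", True, False),
    ("Q2", "u2", "sales", False, True),
    ("Q2", "u3", "finance", False, True),
    ("Q2", "u4", "finance", True, True),
    ("Q2", "u5", "it", False, True),
    ("Q2", "u6", "it", False, True),
]


def rates(records):
    """Return (click_rate, report_rate) as fractions of the given records."""
    n = len(records)
    if n == 0:
        return (0.0, 0.0)
    clicks = sum(1 for r in records if r[3])
    reports = sum(1 for r in records if r[4])
    return (clicks / n, reports / n)


def rates_by_campaign(results):
    """Click and report rate per campaign; shows the evolution over time."""
    groups = defaultdict(list)
    for r in results:
        groups[r[0]].append(r)
    return {campaign: rates(rs) for campaign, rs in groups.items()}


def rates_by_department(results, campaign):
    """Click and report rate per department for one campaign."""
    groups = defaultdict(list)
    for r in results:
        if r[0] == campaign:
            groups[r[2]].append(r)
    return {dept: rates(rs) for dept, rs in groups.items()}


def repeat_offenders(results, min_clicks=2):
    """Users who clicked in at least min_clicks distinct campaigns."""
    clicked_in = defaultdict(set)
    for campaign, user, _dept, clicked, _reported in results:
        if clicked:
            clicked_in[user].add(campaign)
    return sorted(u for u, cs in clicked_in.items() if len(cs) >= min_clicks)


def stagger_schedule(n_recipients, expected_report_rate, max_calls_per_day):
    """Number of daily send batches and batch size so that the expected
    number of phone reports per day stays within help desk capacity.
    max_calls_per_day is an assumed figure; measure your own help desk."""
    expected_calls = n_recipients * expected_report_rate
    days = max(1, ceil(expected_calls / max_calls_per_day))
    return days, ceil(n_recipients / days)


if __name__ == "__main__":
    for campaign, (click, report) in rates_by_campaign(RESULTS).items():
        print(f"{campaign}: click {click:.0%}, report {report:.0%}")
    print("Q1 by department:", rates_by_department(RESULTS, "Q1"))
    print("repeat offenders:", repeat_offenders(RESULTS))
    # The article's scenario: 5000 staff, 10% phone in, assumed 100 calls/day.
    print("stagger (days, batch size):", stagger_schedule(5000, 0.10, 100))
```

Running it on the constructed data shows the click rate falling from 50% to 33% and the report rate rising from 33% to 83% between the two campaigns, flags u1 and u4 as repeat offenders, and spreads the 5000-recipient send over 5 days of 1000 emails so the 500 expected calls arrive at 100 per day.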

Repetition is needed to change human behavior

And finally, we must not forget that we are dealing with a change in human behavior. Think about it: what we are asking of people is to look at an email differently. While reading emails and clicking on links has become a habit, we are asking people to adopt a new habit: to think before clicking. The only way to really achieve this is by repetition.

We always say “Like computers, people need to be patched from time to time.”

Is it good or bad to repeat the same phishing scenario? We often see that the click rates of certain email scenarios are higher than others. Usually IT-related scenarios, especially if they relate to people's personal situation, score very well. If you experience a scenario with high click rates (15% or more), you might want to repeat it after a while, as it helps you train your people not to fall victim to that type of phishing attack. You can even repeat a scenario several times, but adjust it slightly. We usually remove some of the phishing indicators to increase the difficulty.