Phishing Your Employees for Schooling & Security

Your education program isn't complete until you test your users with fake phishing emails.

Imagine this fictional scenario: A student, hoping to become a surgeon, attends hours of medical courses. She never misses a class, always listens, and takes copious notes. Finally, after receiving the years of training necessary, the student receives her medical degree having never taken a test. Would you let this surgeon operate on you?

I sure hope not! Testing is a crucial part of any form of education, for both teachers and students.

That's why I believe your phishing education program isn't complete until you phish your own company's tank. By that, I mean sending fake (but realistic) phishing emails to all your users to see if they fall for them. There are plenty of tools and services that can do this for you. To me, this is the real test of your phishing and user awareness security training.

I'm assuming those of you reading this already have a security education program that includes a phishing curriculum. Some information security experts don't believe user education works. I'm not one of them. There's significant evidence that the right kind of education does work. In fact, for phishing specifically, the Ponemen Institute found that user education had a staggering 50x return on investment. If you aren't already educating your users through training, that number alone should convince you to start. So, let's talk about how you can improve your general security education program, and why phishing your users is such a valuable piece of the puzzle.

  • Practical tests are the best measure of understanding. Most security awareness training I've seen ends with a basic multiple choice test. These tests are only a partial measurement of whether or not the pupil can put that knowledge to use in the real world. Take a driving test, for instance. Sure, there's a written test, but you wouldn't allow a teenager on the road until after he passed the practical one, too.
  • Practical assessment can reveal training gaps. By sending fake phishing emails, you can learn which ones your users fell for most often. Was there a certain type of email that contained a certain "lure" that tricked your employees? Perhaps that might be a missing piece you can add to your next phishing training, or a concept you haven't covered in enough detail.
  • They help employees recognize their own level of understanding. Your fake phishing emails should immediately inform the user when they clicked on a bad link. The goal isn't to shame the user — that's detrimental to education. Rather, the goal is to let the user know they missed something, so they realize that they have a gap in their practical understanding, and don't overestimate their preparedness.
  • They provide another training opportunity. The best training involves repetition. Besides informing a student they've made a mistake, fake phishing emails allow you to immediately share training with the user that specifically addresses the mistake they just made. For instance, say a user clicked a link that obviously went to a domain having nothing to do with the email. After informing the user of their mistake, your phishing link could forward the user to a training page specifically telling them what to look for in URLs. In fact, these fake phishing exercises provide an easy way to regularly reintroduce training materials to your users (at least the ones making mistakes), without having to repeat a training course.
  • Practical tests are more likely to change behaviors. The true measure of security education is if its recipients change their bad behaviors. One reason some security pundits complain that training is ineffective is because of a certain type of user that knows the right behavior but continues to do the wrong one when it's easier. Failing these internal phishing tests regularly should eventually get even the most stubborn users to change their behavior, simply because they know their boss might be watching.  
  • They help you measure the actual value of your training. I believe that security training is effective, but not all training is equal. Phishing your own tank measures your training's efficacy. Send out fake phishing emails before your trainings and record the results. Then send similar emails out after the training and compare the results. Give your organization at least two cycles of training to really understand the long-term trends. (Education takes some time!) However, if you aren't seeing a change in behavior, then perhaps you should cancel that particular training course and identify one that works better. In any case, you're not going to be able to calculate this risk vs. efficacy vs. cost equation unless you actually measure how well your users do against phishing emails — and the only way to do that is to phish your company's tank. 

[Learn more about using the science of habits to transform user behavior during Interop ITX, May 15-19, at the MGM Grand in Las Vegas. For more on other Interop security tracks, or to register click on the live links.]

Related Content:

Recommended Reading:
Editors' Choice
Kirsten Powell, Senior Manager for Security & Risk Management at Adobe
Joshua Goldfarb, Director of Product Management at F5