A couple of years ago, William Pelgrin taught users about phishing...by phishing them. In doing so, the director of the New York State Office of Cyber Security and Critical Infrastructure Coordination created an awareness program that (for the most part) worked.

Gadi Evron, CEO & Founder, Cymmetria, head of Israeli CERT, Chairman, Cyber Threat Intelligence Alliance

October 12, 2009


By sending fake phishing email messages to his own users, Pelgrin was able to measure the risk of a targeted spear-phishing attack against his organization. He then spoke with the users who fell for the phishing.

Pelgrin then repeated the experiment, and the second round showed a significant decrease in his users' susceptibility.

In the end, some users were simply unable to learn, but not many.
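To make the measurement half of this concrete, here is an added example of how a simulated-phishing round can be tracked and scored: a per-recipient, per-round token goes into each lure link, landing-page hits are attributed back to recipients, and the click rate is compared across rounds to find both the trend and the people who need another conversation. This is not Pelgrin's program or code from the original column; the campaign key, landing host, user list and access-log format are all constructed for the example.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlparse

# Assumed values for this example: a per-campaign secret (generate a fresh one per
# campaign and keep it out of source control) and the internal landing host.
CAMPAIGN_KEY = b"example-campaign-key-not-for-production"
LANDING_HOST = "training.example.internal"

# Constructed recipient list (not real users).
USERS = ["alice", "bob", "carol", "dave"]


def click_token(user: str, round_id: int) -> str:
    """Per-recipient, per-round tracking token.

    An HMAC over (round, user) means the landing-page log never carries a raw user
    id, a recipient cannot forge a token for a colleague, and a round-1 token is
    worthless in round 2, so each round's results stay independent.
    """
    msg = f"{round_id}:{user}".encode()
    return hmac.new(CAMPAIGN_KEY, msg, hashlib.sha256).hexdigest()[:20]


def lure_url(user: str, round_id: int) -> str:
    """URL embedded in the simulated phishing message sent to this user."""
    return f"https://{LANDING_HOST}/login?t={click_token(user, round_id)}"


def attribute_clicks(log_lines, users, round_id):
    """Attribute landing-page hits to recipients.

    Returns (set of users who followed the lure, number of hits with an unknown
    token). Unknown tokens are counted, never guessed at: a forged or mistyped
    token must not mark someone as having failed the test.
    """
    index = {click_token(u, round_id): u for u in users}
    clicked, unknown = set(), 0
    for line in log_lines:
        # Constructed log format: <timestamp> <src_ip> <method> <path>
        parts = line.split()
        if len(parts) < 4 or parts[2] != "GET":
            continue
        token = parse_qs(urlparse(parts[3]).query).get("t", [None])[0]
        if token is None:
            continue  # a hit on the host, but not via a lure link
        user = index.get(token)
        if user is None:
            unknown += 1
        else:
            clicked.add(user)
    return clicked, unknown


def summarize_rounds(users, rounds):
    """rounds: {round_id: set of users who clicked}.

    Returns the click rate per round (the measured susceptibility) and the users
    who clicked in every round, i.e. the group needing more than one conversation.
    """
    rates = {r: len(c) / len(users) for r, c in rounds.items()}
    repeat = set(users)
    for c in rounds.values():
        repeat &= c
    return rates, repeat


def constructed_log(round_id, clickers, forged=False):
    """Constructed access-log lines for the landing page (sample data, not real)."""
    lines = [
        f"2009-10-12T09:0{i}:00 10.0.0.{i + 1} GET /login?t={click_token(u, round_id)}"
        for i, u in enumerate(clickers)
    ]
    lines.append("2009-10-12T09:05:00 10.0.0.9 GET /robots.txt")  # no token: ignored
    lines.append("2009-10-12T09:06:00 10.0.0.9 POST /login")      # not a lure hit
    if forged:
        lines.append("2009-10-12T09:07:00 10.0.0.10 GET /login?t=00000000000000000000")
    return lines


def run_example():
    """Two rounds: three of four users click in round 1, one repeat offender in round 2."""
    r1_clicked, r1_unknown = attribute_clicks(
        constructed_log(1, ["alice", "bob", "carol"], forged=True), USERS, 1)
    r2_clicked, r2_unknown = attribute_clicks(constructed_log(2, ["bob"]), USERS, 2)
    rates, repeat = summarize_rounds(USERS, {1: r1_clicked, 2: r2_clicked})
    return {"rates": rates, "repeat_clickers": repeat,
            "unknown_tokens": r1_unknown + r2_unknown}


if __name__ == "__main__":
    print(run_example())
```

The code only tells you whom to talk to and whether the numbers moved; the conversation with each user who clicked is the part of Pelgrin's program that produced the drop. Keeping raw usernames out of the lure URL matters because the landing-page log will be read by people outside the security team, and it keeps a curious recipient from testing a colleague's link.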

Interestingly, the experiment was run continually rather than as a single exercise, in keeping with how human behavior actually changes.

"This is not a one-shot deal," Pelgrin says in the article mentioned above. "I've got to reinforce that behavioral change to make it permanent."

I tell people in the industry about this experiment as much as I can; two years later, I am still very excited about it. User education is one of the biggest problems facing a security program, and when an approach proves this successful, it needs to be copied and reimplemented as widely as possible.

If you are successful with it, then please let me know how it worked out for you.

Follow Gadi Evron on Twitter: http://twitter.com/gadievron

Gadi Evron is an independent security strategist based in Israel. Special to Dark Reading.

About the Author(s)

Gadi Evron


Gadi is CEO and founder of Cymmetria, a cyber deception startup and chairman of the Israeli CERT. Previously, he was vice president of cybersecurity strategy for Kaspersky Lab and led PwC's Cyber Security Center of Excellence, located in Israel. He is widely recognized for his work in Internet security and global incident response, and considered the first botnet expert. Gadi was CISO for the Israeli government Internet operation, founder of the Israeli Government CERT and a research fellow at Tel Aviv University, working on cyber warfare projects. Gadi authored two books on information security, organizes global professional working groups, chairs worldwide conferences, and is a frequent lecturer.
