Phishing Your Users for Better Security

A couple of years ago, William Perlgrin taught users about phishing...by phishing them. In doing so, the director of the New York State Office of Cyber Security and Critical Infrastructure Coordination, created an awareness program that (for the most part) worked.By sending fake phishing email messages to his own users, Perlgrin was able to measure the risk of a targeted spear phishing attack against his organization. He then spoke to those users who fell for the phishing.

Perlgrin then repeated the experiment, showing a significant decrease in the susceptibility of his users.

In the end, some users were simply unable to learn, but not many.

Interestingly, this experiment was continually conducted, with respect to human psychology.

"This is not a one-shot deal," Pelgrin says in the article mentioned above. "I've got to reinforce that behavioral change to make it permanent."

I tell people in the industry about this experiment as much as I can; two years later I am still very excited about it. User education is one of the biggest problems facing a security program, and when one shows to be so highly successful, it needs to be copied and reimplemented as much as possible.

If you are successful with it, then please let me know how it worked out for you.

Follow Gadi Evron on Twitter: http://twitter.com/gadievron

Gadi Evron is an independent security strategist based in Israel. Special to Dark Reading.