The Golden Phishing Simulation, or how we misinterpret our test results

Phishing simulations are used to measure how the users of our organization behave when faced with deceptions that could end in an information leak or a malware installation, affecting information security at both the personal and the organizational level.

In this sense, simulations are a very useful tool, as long as we make a correct interpretation of their results.

Golden Phishing Simulation

In many organizations there is a preconception that every phishing campaign must be "perfect", meaning that it:

  • Is received correctly by all users
  • Arouses the interest of all of them
  • Effectively deceives those with insecure behaviors
  • Is not biased by any factor external to the simulation.

What happens in real life is that simulations are more of an art than an exact science, which makes this perfect test a utopia.

The reality

The effectiveness of a campaign really depends on many factors, among them:

  • The interest that the sender, subject line and topic of the e-mail arouse in each user.
  • The persuasion techniques used by the lure. They are very varied, cannot all fit in a single e-mail, and may affect each person differently: each user will be more or less susceptible to the technique used and therefore more or less likely to fall for the simulation.
  • The number of e-mails each user has to read in addition to the one belonging to the simulation.
  • The workload of each user: for example, whether they are having a busy day or a relaxed one, or are on vacation or on a business trip, to mention a few cases.
  • The device on which each user reads their e-mail, such as a computer or a mobile phone.
  • The personal situation of each user, including their financial situation, relationships, state of mind, etc.
  • How satisfied each user is with the organization in which they work.
  • The degree of attention and awareness of each user.
  • The degree of interaction of each user with their co-workers.
  • The possibility that the campaign is detected by some technological control (a mail gateway, a browser or an endpoint agent) and, at some point in its life cycle, starts displaying a warning to users, which changes the behavior of everyone who receives the e-mail after that moment.
  • Etc.

A single phishing simulation will give us a result biased by all of the above factors and more. It is common to want a campaign to be perfect and to represent the state of our human security layer faithfully and objectively, but this does not correspond to reality.

Now imagine, considering what has been analyzed so far, that we want to measure a baseline or justify the investment in awareness with a single phishing simulation. We can quickly conclude that this is not the best way to do it.

How to proceed in the face of this reality

We have already concluded that an isolated simulation will not be of much use to us. This is why we must instead carry out a set of simulations within the period we wish to evaluate.

These campaigns should vary in terms of their subject matter, the day and time they are sent, the group of target users, type of deception, degree of personalization, etc.

In this way we obtain a set of statistics for each simulation that we can aggregate into an overall result that corresponds more closely to the reality of our organization. Each simulation will have been biased by different factors, but taken together the influence of any one factor is diluted, and the result is more representative. When aggregating, compute the overall rate from the summed counts across campaigns (e-mails sent, clicks, reports) rather than averaging per-campaign percentages, so that a campaign sent to 100 users does not weigh as much as one sent to 400.

This way of working will also give us valuable metrics about our users, such as the scenarios to which they are most sensitive or the times of day at which they are most likely to fall for a deception, to mention just a few.
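One way to do this aggregation, as an added example that is not part of the original article: the five campaign records below are constructed numbers, not results from any real organization. The script contrasts the naive mean of per-campaign click rates with the rate pooled from the summed counts, groups the pooled rate by scenario and by time slot (the two metrics mentioned above), and, as an added illustration of why one campaign is not enough, puts a 95% Wilson score interval around each campaign's click rate.

```python
"""Aggregate several phishing simulations into one picture.

Added example; the campaign records below are constructed, not real results.
"""
from collections import defaultdict
from math import sqrt

# Constructed results of five simulations run over one quarter (not real data).
# Each record holds the lure scenario, the hour the e-mail was sent (24h clock)
# and raw counts: e-mails sent, users who clicked, users who reported the e-mail.
CAMPAIGNS = [
    {"name": "invoice-mon-09h", "scenario": "invoice",   "send_hour": 9,  "sent": 400, "clicked": 60, "reported": 40},
    {"name": "hr-fri-16h",      "scenario": "hr-policy", "send_hour": 16, "sent": 120, "clicked": 30, "reported": 6},
    {"name": "parcel-tue-10h",  "scenario": "parcel",    "send_hour": 10, "sent": 380, "clicked": 38, "reported": 50},
    {"name": "it-thu-15h",      "scenario": "it-reset",  "send_hour": 15, "sent": 100, "clicked": 20, "reported": 10},
    {"name": "invoice-wed-14h", "scenario": "invoice",   "send_hour": 14, "sent": 200, "clicked": 22, "reported": 30},
]


def rate(campaign, field="clicked"):
    """Fraction of recipients of one campaign that performed the given action."""
    return campaign[field] / campaign["sent"]


def mean_of_rates(campaigns, field="clicked"):
    """Naive average of per-campaign percentages: every campaign weighs the same,
    so a 100-user test counts as much as a 400-user one."""
    return sum(rate(c, field) for c in campaigns) / len(campaigns)


def pooled_rate(campaigns, field="clicked"):
    """Rate computed from the summed counts: every recipient weighs the same."""
    total_sent = sum(c["sent"] for c in campaigns)
    return sum(c[field] for c in campaigns) / total_sent


def rate_by(campaigns, key, field="clicked"):
    """Pooled rate per group, where key(campaign) names the group
    (scenario, time slot, target department, ...)."""
    sent = defaultdict(int)
    hits = defaultdict(int)
    for c in campaigns:
        sent[key(c)] += c["sent"]
        hits[key(c)] += c[field]
    return {group: hits[group] / sent[group] for group in sent}


def time_slot(campaign):
    """Group campaigns by when they were sent (hypothetical two-slot split)."""
    return "morning" if campaign["send_hour"] < 12 else "afternoon"


def wilson_interval(hits, n, z=1.96):
    """95% Wilson score interval for the proportion hits/n.
    Shows how wide the uncertainty of a single campaign really is."""
    p = hits / n
    denom = 1 + z * z / n
    center = (p + z * z / (2 * n)) / denom
    half = z * sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return center - half, center + half


if __name__ == "__main__":
    for c in CAMPAIGNS:
        lo, hi = wilson_interval(c["clicked"], c["sent"])
        print(f"{c['name']:<18} click {rate(c):.1%}  95% CI {lo:.1%}-{hi:.1%}"
              f"  reported {rate(c, 'reported'):.1%}")
    print(f"mean of campaign click rates: {mean_of_rates(CAMPAIGNS):.1%}")
    print(f"pooled click rate:            {pooled_rate(CAMPAIGNS):.1%}")
    print("by scenario:", {k: f"{v:.1%}" for k, v in rate_by(CAMPAIGNS, lambda c: c["scenario"]).items()})
    print("by time slot:", {k: f"{v:.1%}" for k, v in rate_by(CAMPAIGNS, time_slot).items()})
```

With these constructed numbers the naive mean of campaign percentages (16.2%) sits above the pooled rate (14.2%) because the two smallest campaigns happened to have the worst results, and the 120-user campaign with a 25% click rate carries a 95% interval of roughly 18% to 33%: that spread is the "single simulation" problem expressed in numbers. Replace the record list with an export from your own platform and the same functions apply.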

As an extra point, our users will become more attentive, since we will be sending them simulations frequently enough for them to develop the habit of thinking twice before acting on something in their e-mail.

There is life beyond the Phishing Simulation

Given its popularity, Phishing simulation seems to be the only thing to do when it comes to raising awareness.

Nothing could be further from the truth!

Quizzes, surveys, interactive modules, newsletters, educational moments and gamification are all very useful elements in the world of awareness.

People spend their day handling information of different levels of sensitivity, in different media and situations. Phishing is only one of the threats they face, although it is one of the most effective and recurrent.

That is why an awareness strategy, in addition to being a continuous effort within organizations, must make use of various tools to cover a greater percentage of all possible fronts.

Nicolás Bruna

Product Manager at SMARTFENSE. His mission in the company is to improve the platform day by day and to evangelize about the importance of awareness. He has written two whitepapers and more than 150 articles on social engineering risk management, building secure cultures and regulatory compliance. He is also one of the authors of the OWASP Ransomware Guide and the Ransomware Cost Calculator, among other free resources.
