[BreachExchange] Diagnosing employee phishing weaknesses key to improving email security

Audrey McNeil audrey at riskbasedsecurity.com
Fri Jul 28 14:06:05 EDT 2017


https://www.scmagazine.com/diagnosing-employee-phishing-weaknesses-key-to-improving-email-security/article/678080/

Administering a phishing test and training without knowing an employee's
weakness is not only ineffective and expensive, but unlikely to teach
workers how to avoid a phishing attack.

Dr. Arun Vishwanath of the University of Buffalo said in a talk at Black
Hat 2017 that before any training is delivered, workers' cybersecurity
skill levels have to be assessed; otherwise, they will be tested on the
wrong topics. To that end, Vishwanath and a team from Buffalo have
developed, and are currently testing, a 40-question test that helps
determine a staffer's weak points when it comes to falling for a malicious
email. The test results are then used to create a personalized training
curriculum that will focus on the staffer's weak points.

“It's a diagnosis,” he said, noting the current system in use is like going
to the doctor and having him throw pills at a patient, hoping that one of
them cures the illness without bothering to ask what is wrong.

The test checks to see if the person's problem lies with a basic
misunderstanding of cybersecurity or if he or she is the type of person who
clicks on links from a trusted source, like Google or Amazon. Once this is
determined, the IT staff can address the employee's specific problem.

“We don't have a people problem, it's an understanding of people problem,”
Vishwanath said.

In testing this approach Vishwanath has delivered some promising results,
and he believes if implemented, a company could see the click-through rate
on malicious emails drop to under five percent.

This would represent a huge change from the current style of testing and
training that focuses on either intensive classes or having companies phish
their employees and then using either positive or negative reinforcement to
elicit the proper response. Vishwanath cited several studies that showed
these methods do not result in any meaningful change in behavior.

One of the studies conducted by Vishwanath's team took 400 employees from
an unnamed company, trained half of them using the other methods, and left
the remainder as a control group. The end result was that 32 percent of the
trained people clicked on a phishing email when tested, compared to 35
percent of the untrained control group.