Security Awareness Training

    To Raise User Security Awareness — Don’t Coddle Them

    Attempting to train users by exposing them to sample phishing emails can backfire if the examples used are too easy to detect.

    by Dr. Matthew Canham

    Key Points

    • Limiting cyber awareness training to phishing emails that are easy to spot can backfire.
    • To be effective, training exercises need to include more subtle phishing attacks that are more likely to dupe an employee.
    • Such training can be taken a step further — by determining which emails are most effective against which group of employees and then correcting for that.

    Why do people click on hyperlinks from unknown senders? This is a constant source of mystery and consternation for many security professionals.

    Research indicates that many people rely on habit when interacting with emails,[1] and habits typically involve a three-step process: a trigger that initiates the habitual behavior; a routine consisting of a series of actions that comprise the habit; and finally, an outcome that provides feedback about whether the habitual behavior achieved the expected results.[2]

    When a user opens an email, they must decide whether that email is safe or malicious (the trigger), choose a course of action (the routine), and then evaluate the outcome (the feedback). Understanding user interaction with email through the prism of habit loops can lead to better training and intervention strategies. Phishing simulations, for example, are most effective when they provide immediate feedback,[3] because this reinforces the association between a user’s trigger points (potentially malicious email indicators) and the actions taken by the user.

    Interviews that I have personally conducted with users about how they identify potentially malicious emails[4] suggest that many people rely on mental templates of what they expect a phishing email to look like. Cognitive psychologists label these mental representations schemas,[5] and when users encounter phishing emails — either real or simulated — their schemas are being trained and updated. When I ask users how they spot phishing emails, I typically get descriptions of advanced fee scams (aka 419 scams). This suggests that by constantly sending phishing simulations that are relatively easy to identify, security departments may be training users to recognize certain types of phishing emails, but not those that take a more sophisticated approach. Paradoxically, this might make them more susceptible to spear phishing attacks or business email compromise (BEC) scams that don’t fit their narrowly defined template.

    What Makes a Phishing Email More Difficult to Spot?

    But what makes some types of phishing emails more difficult to spot than others? To answer this, the National Institute of Standards and Training (NIST) is currently developing an objective metric, known as the Phish Scale,[6] for gauging just how difficult a simulated phishing email would be for a typical user to identify.

    Phish Scale rates phishing email detectability according to two different sets of attributes. The first, known as “cue presence,” refers to visual cues that the recipient might notice, leading her to conclude that an email is potentially malicious. Examples of such cues include spelling or grammatical errors, and mismatches in the email sender field or with the URL.

    The second set of attributes, known as “premise alignment,” describes the extent to which the message aligns with the intended victim’s job or function. In other words, how closely does the message match the target’s schema for a legitimate email? A phishing email that inquires about a job opening and includes an attached resume, for example, will have greater premise alignment with a human resources employee than it would with someone in the marketing department. Phish Scale gauges the difficulty of detecting a phishing email based on both its cue presence and its premise alignment.  

    Security departments are often under pressure to validate their investments in various products and services, and one way to do this is to show reduced click rates in simulated phishing attacks. But when the simulations all have a low difficulty rating, this can lead to a false sense of security. Including more demanding simulations, per measures such as the NIST Phish Scale metric, can provide a truer read on the employee population’s actual level of security awareness.

    Making Phishing Exercises More Effective

    Here are three ways that cybersecurity awareness professionals can make their phishing training exercises more effective.

    1. Use “de-fanged” versions of real phishing emails to train employees. Training users using recent phishing emails will help improve their ability to spot the attacks that are currently being employed against your organization.

    2. Add difficult-to-detect spear phishing emails to your training mix. Improving cognitive ability is like conditioning a muscle, and one way to strengthen it is to occasionally push it to its limits. By including phishing emails that are more difficult to spot in their awareness campaigns, security departments can expand their users’ schemas for what is possible with phishing.

    A note of caution here: Sending out too many of these emails, or failing to adequately train people in how to spot them, can backfire, leading employees to conclude that detection is futile and they might as well give up trying. The most effective way to train users to identify more subtle phishing attacks is to show them how they could have been detected immediately following the exercise.

    3. Track which emails are most effective against which groups of employees. You can enhance and personalize your training if you take the time to figure out which test emails were most effective against which employees by job function and department. Knowing this lets you tailor your awareness campaigns, so that groups of users who are particularly vulnerable to certain flavors of phishing attacks can be trained to recognize   Especially for highly targeted groups like the accounting department and executive management, this approach can pay multiple dividends.
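
    One way to do the tracking described in point 3, and to see why an overall click rate built mostly from easy simulations misleads, is sketched below. This is an added example, not code from the article or from NIST; the department names, template names, easy/hard labels, counts and thresholds are all constructed assumptions.

```python
from collections import defaultdict

def expand(dept, template, difficulty, sent, clicked):
    """Build per-recipient rows from aggregate counts (constructed data)."""
    return [(dept, template, difficulty, i < clicked) for i in range(sent)]

# Constructed sample results; departments, templates and the easy/hard
# labels are assumptions made for illustration only.
RESULTS = (
    expand("accounting", "prize_draw", "easy", 40, 2)
    + expand("accounting", "invoice_query", "hard", 10, 5)
    + expand("hr", "prize_draw", "easy", 40, 1)
    + expand("hr", "resume_attached", "hard", 10, 6)
    + expand("marketing", "prize_draw", "easy", 40, 3)
    + expand("marketing", "invoice_query", "hard", 10, 1)
    + expand("marketing", "resume_attached", "hard", 10, 1)
)

def click_rates(rows, key):
    """Return {group: (clicks, sent, rate)}, grouping rows by key(row)."""
    tally = defaultdict(lambda: [0, 0])
    for row in rows:
        group = key(row)
        tally[group][0] += row[3]   # clicked flag counts as 0 or 1
        tally[group][1] += 1
    return {g: (c, n, c / n) for g, (c, n) in tally.items()}

def weak_spots(rows, min_sent=10, margin=0.15):
    """Department/template pairs clicking well above the template's org-wide rate."""
    by_template = click_rates(rows, lambda r: r[1])
    by_pair = click_rates(rows, lambda r: (r[0], r[1]))
    flagged = []
    for (dept, template), (_, sent, rate) in by_pair.items():
        gap = rate - by_template[template][2]
        if sent >= min_sent and gap >= margin:
            flagged.append((dept, template, round(rate, 3), round(gap, 3)))
    return sorted(flagged, key=lambda f: f[3], reverse=True)

if __name__ == "__main__":
    overall = click_rates(RESULTS, lambda r: "all")["all"]
    print(f"overall click rate: {overall[2]:.1%}")
    for level, (c, n, rate) in click_rates(RESULTS, lambda r: r[2]).items():
        print(f"{level:5} {c}/{n} = {rate:.1%}")
    for dept, template, rate, gap in weak_spots(RESULTS):
        print(f"tailor training: {dept} / {template} rate={rate:.0%} (+{gap:.0%} vs org)")
```

    In this constructed data the overall rate looks reassuring because three quarters of the emails sent were easy ones, while the breakdown by difficulty and by department shows where tailored training is needed.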

    The Bottom Line

    Don’t undertrain employees by only sending them phishing emails that are relatively easy to spot. A more effective approach is to leaven your training exercises with emails that are more likely to dupe their recipients, jarring them into greater awareness of the many different types of phishing attacks.

    [1] “Going Spear Phishing: Exploring Embedded Training and Awareness,” IEEE Xplore

    [2] “The Power of Habit: Why We Do What We Do in Life and Business,” Amazon

    [3] “Don’t click: towards an effective anti-phishing training. A comparative literature review,” Springer Link

    [4] “Characteristics of Repeat Clickers and Protective Stewards,” Figueroa, A., Hawkins, S. & Canham, M. (Manuscript in preparation)

    [5] “A framework for representing knowledge,” MIT Libraries

    [6] “Categorizing human phishing difficulty: A Phish Scale,” Journal of Cybersecurity
