While rewards are important, for Berlin's organization, tracking and measuring progress is the main concern. After only a short time of operation, the stats from her program are impressive. The number of successful attacks in the training program has continued to fall steadily since the program officially started.
In January, 985 emails were sent to employees, and 53 percent of the targets actually clicked the Phishing link. Of those who clicked the link, 36 percent entered credentials, and 11 percent of all the targets reported the attack.
In February, 893 emails were sent out, resulting in a click rate of 47 percent. Of those that clicked, 11 percent gave out credentials, and 11 percent of all the targets reported it.
The test in March didn't go as well. There were 1,095 emails sent, but only three percent of the targets clicked the link. Of those that clicked, none entered credentials. In fact, everyone who clicked the link in March also reported the email.
"In March I think the reason that I had such a low rate of participation in general was due to the all around subject/theme of the Phish," Berlin said, when asked about the stats.
"We had a large push for the March of Dimes that month and it seems like every other email was about another donation opportunity, or bake sale of some sort. We think that the majority of them were just deleted along with the rest of them, or filtered out as noise."
April was another interesting month. There was no opportunity to enter credentials this time around, as the goal was to target clicks. Anyone who clicked on the email was directed to a "You've been hacked!" message.
During this test, two percent of the 1,111 emails sent resulted in a click, and 25 percent of those who got the message reported it.
While Berlin's awareness program clearly has changed user behavior, as well as improved the overall security posture for her organization, that doesn't mean that it's foolproof. There's plenty of room to grow, and the program itself is in a constant state of tuning.
For example, there are plans to improve tracking, and make the process easier to manage. Currently, the tracking process is manual, so the goal is to have it completely automated. There are also plans to increase the program to include mobile devices directly, as many of the providers within the organization rely on tablets in their day-to-day routine.
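The monthly figures above mix two denominators: click rate and report rate are measured against everyone who received the email, while the credential rate is measured against only those who clicked. When tracking moves from a manual process to an automated one, those definitions need to be pinned down in code, and the data should be sanity-checked (a credential submission with no recorded click is a data error, not a result). The following Python is an added example and not code from Berlin's program or from the article; the `Outcome` record layout, field names and the sample campaign are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Outcome:
    """Per-recipient result of one simulated phishing email (assumed schema)."""
    recipient: str
    clicked: bool = False
    entered_credentials: bool = False
    reported: bool = False


def pct(numerator, denominator):
    """Percentage rounded to one decimal; 0.0 when the denominator is empty."""
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


def campaign_metrics(outcomes):
    """Compute the three rates the awareness program tracks.

    click_rate      = clickers / all recipients
    credential_rate = credential submitters / clickers   (not of all recipients)
    report_rate     = reporters / all recipients
    """
    sent = len(outcomes)
    clicked = sum(o.clicked for o in outcomes)
    creds = sum(o.entered_credentials for o in outcomes)
    reported = sum(o.reported for o in outcomes)

    # Data-quality check: credentials can only be entered on the landing page,
    # so a submission without a click means the event feed is inconsistent.
    bad = [o.recipient for o in outcomes if o.entered_credentials and not o.clicked]
    if bad:
        raise ValueError(f"credential submission without click: {bad}")

    return {
        "sent": sent,
        "click_rate": pct(clicked, sent),
        "credential_rate": pct(creds, clicked),
        "report_rate": pct(reported, sent),
    }


def click_rate_trend(monthly_metrics):
    """Month-over-month change in click rate (negative values mean improvement)."""
    rates = [m["click_rate"] for m in monthly_metrics]
    return [round(b - a, 1) for a, b in zip(rates, rates[1:])]


def constructed_month():
    """A constructed 20-recipient campaign: 8 clicked, 2 of those entered
    credentials, and 5 people (two clickers, three non-clickers) reported it."""
    rows = []
    for i in range(20):
        rows.append(Outcome(
            recipient=f"user{i:02d}",
            clicked=i < 8,
            entered_credentials=i < 2,
            reported=i in {6, 7, 10, 11, 12},
        ))
    return rows


if __name__ == "__main__":
    month = campaign_metrics(constructed_month())
    print(month)  # click 40.0%, credentials 25.0% of clickers, reports 25.0%
    # Trend across several months (constructed inputs in the article's format).
    print(click_rate_trend([{"click_rate": 53.0}, {"click_rate": 47.0},
                            {"click_rate": 3.0}, {"click_rate": 2.0}]))
```

Keeping the denominators explicit in one function avoids the most common reporting mistake in these programs: quietly switching between "percent of everyone" and "percent of clickers" from one month to the next, which makes the trend line meaningless.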
Awareness is only part of the battle:
Security awareness programs are only one piece of a larger security puzzle. By the time a Phishing email reaches a user, parts of the security chain have already failed (anti-spam filtering), and the weakest link in the chain now has an active role in defense.