How not to perform phishing exercises
Sometimes phishing simulations do more harm than good. Some organizations send out phishing messages too frequently, which disenfranchises the employee base. What is too frequently? That is hard to determine, but from personal experience, it appears that anything more than once a month is definitely excessive and can irritate your employee base.
If you highlight the “Gotcha” aspect of phishing, it makes people feel demeaned. Security already has negative connotations in most environments. You do not need your phishing program to further alienate people. Consider that phishing is a teachable moment, as is being pulled over by a police officer for speeding. It takes skill to avoid the leaving people with negative impressions, especially when people are told that if they continue to respond to phishing simulations, they may face disciplinary action.
The issues involved with phishing simulations are clearly much more complicated than people perceive them to be. While it appears that most consumers of phishing simulations are simply looking for a reduced response rate, there are many more issues to consider. Response rates are far from a definitive sign of phishing prevention given all of the potential variables.
There are more issues to consider that are related to psychology, compliance, regulatory, privacy, employee use of personal devices, among others. It can be specific to the culture of the organization, or the industry as a whole. What is important to consider is again that phishing simulations involve many more concerns beyond how many click on the messages.
In the ideal world, you would be able to equate phishing simulations to reduced financial loss. This requires a level of planning that most security teams do not implement. It is however critical to try to do so, if you intend to actually improve your entire security efforts. In the meantime, the cost of malware incidents experienced by the organization is a metric to consider. And as discussed, you must also consider not just a reduction in response rates, but an increase in reporting rates as a true sign of success.
Phishing simulations seem to be misapplied and improperly marketed, with an exaggerated value. It does not have to be that way. Minimally though, even if it doesn’t provide a positive return on investment, please make sure that you properly implement simulations in a way that don’t cause more harm than good.
Sign up for CIO Asia eNewsletters.