Does anyone know of any best practice standards relating to the frequency of conducting phishing simulations or tests within an organization? I have seen many of the vendors saying that a company should consider monthly phishing campaigns, but that is coming from the vendor, who is looking at the company bottom line. I have reviewed the NIST document governing security training (800-50), but those are guidelines based on company needs and goals. Our goals are pretty straightforward in that we want our users to be aware that emails that make it past the email filter can be a phishing threat. When this was brought to our management, they asked for best practice standards and any other documentation out there. I haven't found any and am hoping that some of you may be able to point me in the right direction.
The thing is this: What do you do with the results of the phishing test?
Punish the offenders? Name and shame them? Or...
Do you have honest conversations with them to understand the real reason why they fell for the phishing attack so you can change their behavior?
Do you try to understand the psychological behaviors behind the click so you can again change behavior?
What I'm getting at is, if you do not learn why they clicked you will not get them to change that behavior.
Basically, at least once a month. I'd recommend starting out once a week to start changing behavior, and you can tailor the frequency and training from there. The intention is for them to always be alert and not get complacent. Also have a policy plan in place before you start, with some of the recommendations @CISOScott laid out.
@CISOScott I appreciate your insight and I can tell you right now that the goal is to inform them while also advising their managers that they may pose a risk in this regard. There is no punishment that I am aware of but we have it set up for remedial training shortly afterwards.
I would like to say that in the evolution of this program we will start looking at the "why" behind someone clicking a link and how to change that behavior. Right now, my manager and his boss want to know if there are standards out there that give guidance on the frequency.
Again, thank you for the insight and I will be using that as I help build the program from my level.
The frequency is what you make it. If you do it too often people will start tuning the message out. If you do it too infrequently then you run the risk of people becoming complacent. In our organization we run it about once a month and then go talk to the people who clicked to understand why. Doing this we have seen a big reduction in clicking on these phishing emails.
If you run a campaign and you have a lot of people to go speak to, I would wait to run the next campaign until you have spoken to a majority of the people or done training.
Surely you have to plan it within your ability to cope with the feedback from staff. If the result of the phishing simulation is a high volume of calls to your service desk or SOC, to the point that they can't get through their normal duties, then you've probably got it wrong. It would be wise to carry out awareness training before running a phishing simulation and make reporting phishing a one-click activity.