Dear Community,
We have made use of internal quarterly phishing testing for the past 4 years and have an escalation path for failure that follows:
Fail 1: Informal talk from line manager and/or Security and retake phishing course > Fail 2: Formal talk from line manager and retake course > Fail 3: First written warning > Fail 4: Final warning > Fail 5: Potential for dismissal.
In discussions with HR they wish to only consider the tests from the past year rather than the whole history. This would mean either ramping up the number of tests or changing the escalation process.
I was wondering how others approach internal phishing tests and consequences? Do you consider tests over a year old? If not how many tests do you run and what is the escalation process?
@JK1 wrote:...
I was wondering how others approach internal phishing tests and consequences? Do you consider tests over a year old? If not how many tests do you run and what is the escalation process?
Joseph,
Dr. M. Eric Johnson, Vanderbilt U., along with one of my former colleagues Dr. Deanna Caputo, MITRE, have been researching this very issue for years. (I was an unwitting participant in one of their research tests Deanna conducted internally in our company some years ago.) Much of their work looks at using the failures as points to introduce the training, rather than punishment. I recommend you search out their publications for more detail on what they find works and what doesn't.
You can watch Dr. Johnson's 2011 keynote address to the ISSA International Conference in Baltimore, Human Behavior – The Weakest Link? at
https://www.members.issa.org/page/2011ConferenceRecord?PrivacyNotice
where I first learned of his research (and figured out that Deanna had used me in one of their experiments)
To get you started on their recent work, look at
Spear phishing in a barrel: Insights from a targeted phishing campaign
Article (PDF Available) in Journal of Organizational Computing and Electronic Commerce 29(1):24-39 · January 2019
The actual journal source is here, but at that site you have to pay $51 USD for the paper. The ResearchGate link above has it for free.
Here are a few more potentially informative links:
Point-Of-Failure Phishing Training Does Not Work
Going Spear Phishing: Exploring Embedded Training and Awareness Jan.-Feb. 2014, pp. 28-38, vol. 12
I recommend a web search on ["m. eric johnson" "deanna caputo" phishing] to find more journal articles and interviews with them on the subject.
For those who run into horrid paywalls for individual papers in professional journals, be sure to search researchgate.net and academia.edu, where authors often post their works for free. Also, write the authors directly to request copies. Most are happy to send out PDFs for free, to get the exposure.
Next, a suggestion of my own:
Do not even think about using the punishment route you have outlined until you have in writing a statement from the President, CEO, or Board Chair, approved for broad dissemination in the organization, stating that the policy and consequences apply to all employees, including senior managers, vice presidents, and all direct reports to that top official.
Good luck. You have taken on a tough problem.
Craig
So it seems (MHOO) that HR has not bought into Security or the risks. Each organization is different and depending where HR resides you might have different routes to take.
I agree with you that there should be a history kept (and HR records are the best place to keep them). I disagree with the HR department that only keeping the information for a year is wrong. I am a firm believer that these types of infractions should become part of the employee's permanent file.
HR is probably of the mindset that the tests are not real so no damage was done.
Do you have a specific awareness program for senior management? If not, this is a good place to start. I would use real world stats on things like phishing, virus, ransomware. Once you have buy in at the most senior levels then your plan will work... otherwise it's your dept vs their dept.
my two cents
d
As CraginS says consequences of failure isn't a good way to look at this. Opportunity for improvement and awareness raising in the event of 'near miss' events should work better as a mindset than seeing this as an employee failure. Even CEOs and senior officers can be duped by fraudsters and believe me that's going to be a very difficult conversation series of conversations with employment lawyers if you employ a different policy for senior staff and the rank and file. You really have to do what works.
@Steve-Wilme wrote:... Even CEOs and senior officers can be duped by fraudsters and believe me that's going to be a very difficult conversation series of conversations with employment lawyers if you employ a different policy for senior staff and the rank and file. ...
There is a reason we have the three-level names of phishing, spear phishing, and whaling. Your publicly known seniors are at the highest risk for whaling attacks, yet many organizations allow a culture at the C-suite of "do as I say, not as I do." Once word gets out that a senior who violated policy got a free pass for an infraction that would have been serious reprisal for a worker bee, your program is shot to hell.
Both to fight the culture of allowances for seniors and to hit home on the dangers of whaling, Diana @dcontesti is right, it is essential that you have a custom awareness program for senior staff, and make sure NO ONE is allowed to skip it.
Again, good luck,
Craig
Thank you all for the responses and for the resources, there is lots of food for thought to take away. I feel one thing that I didn't get across is that the thinking behind this is really that disciplinary is a last resort and we would much rather focus on awareness and training.
We are attempting to foster a culture of security that encompasses everyone from the top down and C-suite focused awareness is something I think would definitely be of benefit.
Joe
Actually one thing that I should mention:
If staff know you test quarterly, they will become accustomed to it and (I like to say) become numb to them. This becomes essentially true when there are no teeth/penalty for failure.
I fully understand the rationale behind them but they can also have a downside.
MHOO
d