If you are running phishing simulation tests against your user community, what do you consider an 'acceptable' phishing click percentage? Meaning, if "x" percent of your users click a link in a simulated phishing campaign, what would you consider acceptable or unacceptable? I do recognize that some industry verticals may have different answers for this, but I would be curious what other information security professionals consider acceptable. 10%? 15%?
Hi,
I think instead of just looking at the X percentage of users who clicked on the phishing simulation link, let's compare it against the metrics from the Security Awareness Training program. Out of the users who clicked on the link, how many actually completed the security awareness training program? How many did not complete the security awareness training program?
Usually I'd recommend different rounds of phishing simulations with a different "flavor". A phishing email about some exciting freebie might sit in a user's inbox for days or go straight into junk, whereas a phishing email about a full mailbox, or one pretending to be from the MIS department, might claim more victims.
@vglassbottle wrote:if you are running phishing simulation tests against your user community, what do you consider as an 'acceptable' phishing click percentage?
Our stretch goal is always "0%", but we are happy as long as it is less than last year.
You might also measure the percentage that report the phish. Reporting is important because it drives your ability to detect and respond in cases where prevention failed. When one person reports a real phish, you ought to check if anyone else got it and clicked (easier said than done).
@vglassbottle wrote:if you are running phishing simulation tests against your user community, what do you consider as an 'acceptable' phishing click percentage?
It will vary depending on your organization's existing security stance. If other preventive measures are limited, you can't risk a phishing attack, and will set it to the lowest value; but if there's already good defense-in-depth, you could probably afford to be a wee bit lax with it...
I would maybe suggest a percentage marker for each different type of phishing mail, and attach different targets to them, respective of their complexity.
So if it's a blatant, very basic phishing email that you would deem easy to spot, I would hope to see a very low percentage of successful attempts (0-2%).
A very well made, complex attempt that mirrors an automated internal mail or something similar, you might expect to see a higher percentage of successful attempts.
Of course this is all subjective, though the aim is always the same: to lower the cost of such attempts and raise awareness.
Cheers
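To make the measurements proposed in the replies above concrete (the training cross-check, the report rate plus the "who else got it and clicked?" check, and per-difficulty click-rate targets), here is an added worked example. It is not code from any poster or from a particular phishing platform; the result records, the mail-log entries and the "hard" target of 15% are constructed placeholders (the 0-2% "easy" ceiling is the figure suggested above), and the `.invalid` addresses are reserved names so nothing here points at a real domain.

```python
"""Phishing-simulation metrics: per-campaign click and report rates checked
against per-difficulty targets, click rate split by training completion,
and a triage helper for "who else received the phish that was reported?".
All data in this file is constructed for illustration."""
from collections import defaultdict

# Constructed simulation results, one record per recipient:
# (campaign, difficulty, user, clicked, reported, completed_training)
RESULTS = [
    ("Q1-freebie", "easy", "alice", False, True,  True),
    ("Q1-freebie", "easy", "bob",   False, False, False),
    ("Q1-freebie", "easy", "carol", False, False, True),
    ("Q1-freebie", "easy", "dave",  False, True,  True),
    ("Q1-freebie", "easy", "erin",  False, False, False),
    ("Q2-mailbox", "hard", "alice", False, True,  True),
    ("Q2-mailbox", "hard", "bob",   True,  False, False),
    ("Q2-mailbox", "hard", "carol", True,  False, True),
    ("Q2-mailbox", "hard", "dave",  False, True,  True),
    ("Q2-mailbox", "hard", "erin",  True,  True,  False),
]

# Click-rate ceilings per difficulty. "easy" uses the 0-2% figure from the
# thread; "hard" is an assumed placeholder to be set per organisation.
TARGETS = {"easy": 0.02, "hard": 0.15}


def campaign_summary(results=RESULTS, targets=TARGETS):
    """Per-campaign click rate, report rate and whether the click rate
    sits within the target for that campaign's difficulty."""
    by_campaign = defaultdict(list)
    for rec in results:
        by_campaign[rec[0]].append(rec)
    summary = {}
    for campaign, recs in by_campaign.items():
        sent = len(recs)
        clicked = sum(1 for r in recs if r[3])
        reported = sum(1 for r in recs if r[4])
        difficulty = recs[0][1]
        click_rate = clicked / sent
        summary[campaign] = {
            "difficulty": difficulty,
            "sent": sent,
            "click_rate": click_rate,
            "report_rate": reported / sent,
            "within_target": click_rate <= targets[difficulty],
        }
    return summary


def training_crosstab(results=RESULTS):
    """Click rate for users who completed awareness training versus those
    who did not, across all campaigns. None when a group is empty."""
    clicks = {True: 0, False: 0}
    records = {True: 0, False: 0}
    for _, _, _, clicked, _, trained in results:
        clicks[trained] += int(clicked)
        records[trained] += 1
    rate = lambda t: clicks[t] / records[t] if records[t] else None
    return {"trained": rate(True), "untrained": rate(False)}


# Constructed gateway/proxy log for a real (non-simulated) message, joined
# on the sender and the URL that was delivered to each mailbox.
MAIL_LOG = [
    {"user": "alice", "sender": "helpdesk@mail-quota.invalid",
     "url": "https://mail-quota.invalid/login", "clicked": False},
    {"user": "bob",   "sender": "helpdesk@mail-quota.invalid",
     "url": "https://mail-quota.invalid/login", "clicked": True},
    {"user": "carol", "sender": "news@vendor.invalid",
     "url": "https://vendor.invalid/promo", "clicked": True},
    {"user": "erin",  "sender": "helpdesk@mail-quota.invalid",
     "url": "https://mail-quota.invalid/login", "clicked": True},
]


def triage_reported_phish(sender, url, mail_log=MAIL_LOG):
    """Given one user's report of a phish, list everyone who received the
    same sender/URL pair and which of them clicked, so the responder can
    act on the recipients prevention did not cover."""
    hits = [e for e in mail_log if e["sender"] == sender and e["url"] == url]
    return {
        "recipients": sorted(e["user"] for e in hits),
        "clicked": sorted(e["user"] for e in hits if e["clicked"]),
    }


if __name__ == "__main__":
    for name, row in campaign_summary().items():
        print(name, row)
    print("by training:", training_crosstab())
    print("triage:", triage_reported_phish(
        "helpdesk@mail-quota.invalid", "https://mail-quota.invalid/login"))
```

In the constructed data the obvious freebie lure draws no clicks and lands inside its 2% ceiling, while the "mailbox full" lure draws 60% and fails its target even though 60% of recipients also reported it; the trained/untrained split shows where the clicks concentrate, which is the comparison the second reply asks for. The triage function is the piece most teams lack: one report should fan out into a list of who else received the same message and who clicked, which is what turns a report rate into detection and response.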
The goal is obviously 0%. I would love to have educated users that never clicked on anything in an email and didn't use their corporate/government/company email address for department stores or dating websites. I am going through this clean up effort now. When the users get too bad at it I pay them a visit and explain just how good the bad guys are and how I need them to be more careful.
Education is the key, and so is how you respond to them. We had a previous security officer who was purposely setting up his bosses with phishing emails and then castigating them when they fell for it. He is no longer employed by that company. How you treat the employees when they mess up matters too. I would rather educate than castigate.
@vglassbottle wrote:if you are running phishing simulation tests against your user community, what do you consider as an 'acceptable' phishing click percentage?
Of course, you would hope for 0% click rate or 100% rejection of phishing mails. However, you will never see that number. Further, the use of a phishing simulation should be based on using it as a component for the training and awareness stage of your overall anti-phishing program, not as a stand-alone project. The anti-phishing program must take a total system approach, using aspects of people, processes and tools together to protect the enterprise information and information systems.
A more complete discussion of this idea is in the article Testing Your Workforce for Phish-Mail Rejection in my Randomness blog.
This is difficult to answer because you used the word, "acceptable". Ideally, we all want 0% because we all know that it only takes one successful phish to compromise an organization. That being said, my goal is always to reduce the percentage each quarter. Good phishing education is very important to show employees how to identify a phishing attack. This is challenging since, like most things in cybersecurity, it's a cat and mouse game between the success of the attackers and the defenders.
I recently wrote a few blog posts that address phishing and a few types of attacks that most people haven't ever seen before. Feel free to share with your friends, family and colleagues.
This is a blog post that explains some advanced phishing attacks.
https://www.ckd3.com/blog/phishing2018
This is a sextortion, spear phishing blog that follows up on a Brian Krebs article from July 2018.
https://www.ckd3.com/blog/sextortion-revisited
This is a blog I wrote 6 years ago that shows a decent phishing attack. It would still fool many people today.
Another challenging metric to track is anyone who may have clicked the link but entered dummy information to see what happens. Usually more technical cybersecurity folks will copy/paste the link in a virtual machine and enter in a fake username and password or some other "dummy data" just to see what happens.
I've ended up on the naughty list of a phishing exercise more than a few times by doing this. 🙂
For obvious spam/phishing, any more than 5% and I'd say you have training issues.
If you plan on being sneaky and disguising the phish as a genuine business tool, then expect 95%, and even more confused users who will likely ignore all email in future, including your awareness emails, through fear of being phished and punished again.
Phishing your users can quickly become whipping your users until morale improves; use it wisely.
Why not concentrate on isolating those risky email and web tasks into a safe playpen?
Would you let an anonymous user run any code on your enterprise kit??
Web and email content is equal to untrusted third-party code!