Phishing simulations
Here are some references I use to support my negative view of Phishing Simulation [1]:
Perspectives:
- Sean Cassidy: Phishing simulations considered harmful
- Jamie Finnigan: Simulated phishing is not so great
- Yahoo Paranoids: Stop Giving Impossible Advice: Telling People to Watch Out for SUSPICIOUS EMAILS is Nonsense.
- Jacob Kaplan-Moss: Don’t include social engineering in penetration tests
- Matt Linton: On Fire Drills and Phishing Tests
Research:
- Phishing in Organizations: Findings from a Large-Scale and Long-Term Study
- “What Keeps People Secure is That They Met The Security Team”: Deconstructing Drivers And Goals of Organizational Security Awareness
- “To Do This Properly, You Need More Resources”: The Hidden Costs of Introducing Simulated Phishing Campaigns
- “Employees Who Don’t Accept the Time Security Takes Are Not Aware Enough”: The CISO View of Human-Centred Security
- NDSS 2024 - Symposium on Usable Security and Privacy
Commentary:
- A phishing simulation is only as good as its lure. A lure realistic enough to be meaningful carries a serious threat (account suspension, a payroll problem) or a strong enticement (a bonus, a gift card), and either one can hurt the end user when it is followed by the "gotcha" page.
- Phishing simulations may be needed to check a box for legal, contractual, or compliance requirements. It's up to you to push back before the first two get written into contracts or policy.
- Counting clicks is the wrong metric: a click alone compromises nothing, and what we mostly care about is credential submission or execution of a downloaded binary. Simulation vendors often over-emphasize clicks as "bad."
- Consider gamifying phish detection (for example, rewarding reports) as one alternative.
[1] Instead, roll out phishing-resistant authentication: WebAuthn, e.g. with YubiKeys.
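Why the footnote's alternative holds up, as an added example that is not from the original page or its references: the relying-party (RP) checks below, written in stdlib-only Python with constructed names (RP ID `example.com`, login origin `https://login.example.com`, a made-up challenge), show the origin and RP ID binding that makes a WebAuthn assertion relayed through a look-alike phishing domain fail even when the victim taps their key. Signature verification over the authenticator data and client data hash is deliberately left out; in a real RP it is what stops an attacker from simply rewriting these fields.

```python
import base64
import hashlib
import json

# Constructed relying-party settings for this example (not from the page).
RP_ID = "example.com"                       # credentials are scoped to this domain
EXPECTED_ORIGIN = "https://login.example.com"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def browser_client_data(origin: str, challenge: bytes) -> bytes:
    """Stand-in for the clientDataJSON a browser builds for a WebAuthn assertion.
    The browser, not the web page, fills in `origin`, so a phishing page at a
    look-alike domain cannot claim to be the real login origin."""
    return json.dumps({
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin,
    }).encode()


def authenticator_data(rp_id: str) -> bytes:
    """Minimal constructed authenticatorData: SHA-256 of the RP ID the browser
    passed down, a flags byte with User Present (bit 0) set, and a 4-byte
    signature counter."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([0x01]) + (1).to_bytes(4, "big")


def rp_verify(client_data_json: bytes, auth_data: bytes, expected_challenge: bytes):
    """RP-side checks from WebAuthn assertion verification that defeat phishing.
    Returns (ok, reason). Signature verification over
    auth_data || SHA-256(client_data_json) is omitted in this example."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replay or stale session)"
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: " + str(client_data.get("origin"))
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch: credential scoped to a different RP"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


def demo():
    challenge = b"constructed-random-challenge"   # constructed; a real RP uses CSPRNG bytes
    # Legitimate login from the real origin.
    good = rp_verify(browser_client_data(EXPECTED_ORIGIN, challenge),
                     authenticator_data(RP_ID), challenge)
    # Reverse-proxy phishing: the attacker at login-example.com relays the real
    # challenge and the victim taps their key. The browser records the attacker's
    # origin, and it refuses any rpId that is not a registrable suffix of that
    # origin, so the best the attacker gets is a ceremony scoped to their own domain.
    phished = rp_verify(browser_client_data("https://login-example.com", challenge),
                        authenticator_data("login-example.com"), challenge)
    return good, phished


if __name__ == "__main__":
    print(demo())
```

The first check that fails for the relayed assertion is the origin comparison; even if an attacker stripped that, the rpIdHash check fails next, and in a real RP the signature check would reject any edited clientDataJSON. This is the property a password lacks, and it is why the page recommends rolling out WebAuthn rather than training people to spot lures.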