Tell people about ZeuS infections and theft from payroll accounts, and they roll their eyes like you’re having paranoid delusions. But no one wants to be fooled by a coworker’s practical joke, no matter how gently it is handled by the employer. That more tangible threat is more likely to change their behavior.

Like or Dislike: 2  3

That is a great summary of my point. You can tell people all day long but until they see it in action it will not really sink in. I have had great success with the phishing emails. Once someone falls for it and sees how easy it is to create this fake email they become more aware of what is going on and think about what the email is asking them to do. So far I have not had anyone fall for the fake email twice.

Well-loved. Like or Dislike: 7  2

The point is not to publicly “out” failure and humiliate the person but to give the end user a chance to see something realistic and respond to it. People learn best by doing. As educators we can lecture until we’re we’re blue in the face and most of it will go in one ear and out the other.

The Navy has a concept to traing “train the way we fight”. While we train in the classroom sure most of the training is done real world – we just don’t arm the missiles or put rounds in the breach. If a captian really wants to train his security team for example he will call up a SEAL team. The training method is for the SEALS to break into various areas of the ship. By doing this we get the chance to excersize against “real” attackers and learn from them after it’s over. There are many more examples of this but by trainnig in a nearly live environment rather than lecuture the responses become second nature and more people will “get it”.

Well-loved. Like or Dislike: 17  2

What you both seem to be saying is that phishing your own employees can be very valuable, but it must be done with some sensitivity as well as political awareness.

Repeat offenders require a careful approach as well, ideally integrated with the organization’s HR department. Even if they don’t care about customers, they are a threat to everyone else’s continued employment if the company goes down in flames due to a breach.

Well-loved. Like or Dislike: 19  1

I understand your train of thought, but network admins must take time to train the end user. The reason a tool like this is handy is it will help you with training your end user. All to often network admins and people that work with network security forget that end users don’t know as much as we do. We must share our knowledge.

What I have been doing for years having annual training with all my users on email phishing and the dangers of email. Yes I have been sending fake emails. All employees with an email address know that at various points through out the year they will receive on fake email from IT. They know this is to test their awareness of what is going on and their training. If one good thing has come from this is I have less infections coming from email.

All the layers of security are useless if we do not take the time to train the end user on why security is the way it is and how the bad guy try to get into our secure networks. You did not study and train to do the end users job so you don’t know how to do theirs. Same thing goes for the end user. They have not studied, trained and keep up with the latest threats. That is part of our job and one of the best ways to protect your network.

Well-loved. Like or Dislike: 18  3

Hiding tools doesn’t make the problem go away, nor prevent attacks from rolling their own. And you’re not going to find any such thing as an anti-phishing tool when it is human judgement that is the root problem.

While I don’t necessarily agree with it, phishing your own employees is still controversial, regardless whether more firms offer the service. It is hard to sell managers on the idea that you trick and possibly publicly shame your own employees. Few people react positively to being tricked, and managers don’t want to make it seem like they’re mistrustful or insulting of their own employees.

If I ask you to hold the door for me while I struggle with a pallet of servers, then point and out you for letting me in the building, you likely will just resent me rather than learn a valuable lesson.

These are good points, but if you don’t do it first and spread the education (and practice incident response), the attackers will.

Well-loved. Like or Dislike: 16  6