Security Awareness Blog

Do Phishing Assessments Desensitize Employees?

A question I am commonly asked about phishing assessments is whether they desensitize employees. Do employees begin to treat phishing (both real attacks and simulated attacks) as a frivolous game, ultimately exposing the organization to more risk, not less?

Based on my experience I would have to say a resounding no. To be honest, if anything you have the exact opposite problem. If I see any issue, it is that some employees become overly concerned and overemphasize phishing risks. Following such training and assessments, security teams or the help desk will get an increase in phishing reports that turn out to be legitimate emails. In one case I know of, a senior executive sent out an email to the entire organization announcing an upcoming webcast that all employees were required to attend. Several employees forwarded this to the security team thinking it was a spear phishing attack. In fact, this is why I'm cautious about sending out spear phishing emails pretending to come from senior management: depending on your organization and the type of risks you deal with, such assessments can do more harm than good.

Long story short, do I feel phishing assessments desensitize employees? Absolutely not. In fact, my experience shows that if you run into any problems, it is with overly sensitive employees.


6 Comments

Posted June 26, 2013 at 9:49 PM

T Morris

As a member of the security team, I treat this as a teachable moment when someone asks if a legitimate message is phishing. If we want to run an assessment to test our own organization, who should the test message come from? We don't want to alienate partners and customers.

Posted June 28, 2013 at 6:11 PM

HJohn

I think this can be filed under "sounds better in theory than plays out in practice."
Reminds me of a story where the police began using cameras to issue citations for running red lights. The end result was people would mash their brakes due to fear of a ticket, even if they had plenty of time, which increased the number of accidents at the intersection.
There were many arguments: the guy behind was following too close, not a problem if you don't run red lights, etc. But I saw them as moot. You shouldn't follow too close, and you shouldn't run red lights. But in the end, the paranoia did more harm than the occasional judgment call that put someone going through a light a tenth of a second too late.
Making users paranoid to the point of damaging false positives may do more harm than phishing or viruses will do when left to their own devices under normal technical countermeasures.

Posted July 6, 2013 at 3:27 PM

mike

So what is the suggestion? Why don't you figure out a profound study to analyze the right mix a security team should use?

Posted July 6, 2013 at 9:58 PM

lspitzner

Mike, unfortunately it is not that easy. This is what makes human security different from technology: every organization is very different. Every organization has very different cultures, different structures, different requirements, etc. As a result, how much or how little phishing you do (and the type of phishing you do) really depends on many factors. Unfortunately there is no one study that will fit all organizations. This is what makes awareness so tough; one size does not fit all.

Posted September 29, 2013 at 7:13 PM

AB

Oversensitivity doesn't seem to cost much, though. If an employee sends in an email that looks suspicious to them but shouldn't, how much IT time does that take? Two minutes?

Posted September 30, 2013 at 2:08 PM

lspitzner

I agree. If we are going to make a mistake, I would probably prefer for employees to be oversensitive as opposed to desensitized. Also, just like any sensor technology, the Human Sensor can be tuned to report only what you want them to report.