Security professionals have tested networks to identify vulnerabilities for many years now. It’s a common practice called “Vulnerability Analysis and Penetration Testing”, or sometimes “Ethical Hacking”. The word ethical in this context is interesting, as it indicates that the hacking is being done for good reasons, not malicious ones.
But we forget that “ethics” is all about actions toward humans. Usually, ethical hacking of networks is done by an independent group, or a third party, with the staff who run a network being kept unaware that testing is being done, so it they don’t prepare abnormally and skew the results. These tests don’t usually get personal.
But as we learned recently in the Chicago Tribune phishing assessment fiasco that hit Twitter and then the mainstream news, it’s hard to transfer that philosophy of “ethical hacking” on networks, to testing employees on their human vulnerabilities.
But many organizations do this, and vendors are making it easier to do more frequently.
Here are just a few reasons why phishing assessments that use “live phishing emails”, as many companies do right now, can be ineffective, or worse, counter-productive. There are actually a number of other reasons why you may not get the results you are looking for from ongoing live phishing assessments, but I can cover those in another video.
So, here I will discuss the issues that I see as being related directly to the human ethics side of phishing assessments…
First, Employees have emotions, and that’s what attackers target to get them to take actions. When we do that intentionally, as a test, we are literally playing with peoples emotions, which makes them feel like they are being unfairly targeted by their employer.
That’s not good for morale, and can cause distrust of the employer.
Secondly. When a person is manipulated with a situation they think is real, you can’t predict how they will react because they are human. When testing networks, a failure may cause system outages or corruption of data. But the limits of damage are fairly predictable.
In contrast, as we saw at the Tribune, employees may go straight to the media or to law enforcement with public comments or complaints. Or they may even retaliate physically. Nobody knows, and that’s a big risk many organizations don’t think about when they deploy live phishing assessments.
Thirdly. Even when management is actively involved in screening phishing messages, the results can be skewed because they will forbid any tests that could cause potential backlash or unwanted outcomes. This is becoming even more of a problem, because attackers don’t play by the same rules, and have no hesitation in using those very topics in their attacks, knowing that employees are unlikely to have seen them before in a phishing test.
Often, the answer coming from the companies that sell live phishing assessments is that “you need to be careful about how messages are crafted, to be ‘close’ to those used in real attacks, without going over some ethical line.” This is a real limitation of the whole methodology of targeting employees with frequent live phishing assessments, to assess human vulnerability.
Now, I’m not saying that live phishing assessments have no value. Far from it. But I see them more as an occasional audit tool, not as an ongoing barrage of tests that rile up employees.
So, what can be done to assess the real ability of employees without causing negative consequences?
Gamified learning and assessment actually provides the means for conducting what I call “Ethical Employee Vulnerability Management”. With this approach, not only do employees know they are not being targeted, but they see it more as a fun competition. You can use any topics you want, and all employees who take a training module see the same content, so everything is under control, with no unexpected or unwanted side-effects.
And most importantly, you can train people on the most risky situations and allow them to practice in a safe environment, in order to improve their scores and proficiency.
Gamification is widely recognized as the most effective way to improve employee engagement, but most solutions don’t do it in a positive and deep way that drives deep engagement and knowledge retention. When gamified learning is used for “ethical employee vulnerability management”, it has not only more reliable and meaningful results, but also drives a more positive security culture, where employees trust management.
To learn how you can implement Ethical employee vulnerability management using the Click Armor Active Awareness platform for phishing awareness training and assessment, contact me at clickarmor.ca/contact
You can do a free trial with your own private area for a few employees with your own private leaderboard, to see how well it works and how easy it is to manage.