When considering your organization’s response to a simulated phish, it is critical to understand that we are emulating / practicing for real life events with the purpose of conditioning appropriate response patterns in our user base.
In other words, when our users come across a real phish, we want them to report it right away.
This is what allows us to identify a company’s resilience to specific (active) threats and to enable an anti-phishing programs ability to mitigate phishing risk.
On a simulation level, we can analyze the user base’s performance in terms of the actions we are expecting them to take in response to a simulated phishing attack. What we are looking for is recognition and reporting.
Note: In the above graphic, we rate those users that fell for the simulated phish and reported it as having exhibited Desirable Behavior. This is because it demonstrates a basic principal of security in action: see something, say something.
How should a program respond to the behavioral analysis above?
Because the simulation’s resiliency rate (#reported/#susceptible) is good (3.22), we may not recommend a follow-up simulation be run to the entire user base.
However, this program should follow-up with those users that fell susceptible and did to not report to encourage them to report what they found. This way, in the event of a real phish, the organization’s IR team could analyze and respond before a breach occurs.
This could be accomplished in multiple ways:
- Re-run the simulation for those who fell susceptible and stress the importance of reporting
- Send a follow-up training email providing guidance on phishing clues and the importance of reporting, especially in the event a user is susceptible.
- Openly congratulate those that report, regardless of susceptibility, to drive support of the mantra: See something, Say something.
Remember, program success is about recognition, reporting, and empowering the organization to mitigate threats left of breach, not about scenario failure rates. It’s this positive focus on reporting that is critical to ensuring anti-phishing programs helps drive user engagement in the security process.