Over the last few years, phishing test and train solutions have become an increasingly common part of the security awareness toolkit. Of late, however, influential voices in academia and at the UK National Cyber Security Centre (NCSC) have started to raise some important issues with the approach.
Caught in a flash
An interesting analogy for phishing tests is speed cameras or, more accurately, traffic enforcement cameras.
The principle of speed cameras is to deter an unwanted behaviour, in this case speeding, by spot-checking people’s actions. The deterrent effect is two-fold: firstly, people are penalised with a fine or other penalty if and when they transgress; and secondly, the mere presence, or potential presence, of the spot-check encourages compliance.
The principle of phishing tests is similar. They try to deter an unwanted behaviour, in this case acting on phishing emails, by spot-checking people’s ability to identify such emails. In similar fashion, there may be a penalty for failing the check, in the form of extra training, and the mere presence of a regular phishing test regime can help to raise levels of mindfulness and vigilance.
It’s an imperfect analogy, so rather than stretch it too far, consider one aspect in particular: why are there so few other meaningful deterrents when it comes to phishing?
Not the only weapon in the armoury
Do we rely solely on traffic enforcement cameras to stop speeding? Of course not. We use a range of approaches, from static speed-limit signage, to dynamic signals such as smileys or flashing speed signs, to rumble strips and humps at points of elevated risk.
When it comes to stopping speeding, these approaches are the starting point and enforcement cameras are a helpful addition. Yet in the world of phishing, we all seem to have got carried away with cameras – or, rather, their equivalent phishing tests – as the only available deterrent.
In the words of Professor Stephen Glaister, Director of the RAC (Royal Automobile Club): “Speed cameras should never be the only weapon in the road safety armoury, but neither should they be absent from the battle.”
This realisation is one of the reasons we developed Redflags™, our innovative security awareness product. We believe that more than a quarterly phishing “spot-check” is required to make users into a truly effective line of anti-phishing defence.
Instead, Redflags™ applies a combination of low-friction awareness content, dynamic security “nudges”, alert notifications, and ongoing behavioural monitoring to the task. We think of these components as the missing pieces in the armoury. You could say that we have developed the static and dynamic signage, speed humps and rumble strips required for the world of security awareness.