Phishing your own employees? 5 reasons that might make you reconsider
In this blog post I will argue that employee phishing campaigns do not always provide useful metrics for organisations, and outline some of the negative consequences they can have.
What are employee phishing campaigns?
Employee phishing campaigns are a widely used metric in organisations looking to test and improve their employees’ information-security behaviours. There are many articles in which this practice is actively encouraged, many companies that offer it as a service, and websites and articles with instructions on how to run one.
These campaigns involve companies deceiving their employees. Organisations send fake phishing emails to their own employees, usually to try to get them to click on a link. If an employee does click on the link, they are generally notified that they clicked on a phishing email sent by the company to test their ‘cyber-security’ skills.
I understand why phishing campaigns are so widely used; they are a fast, easy and relatively inexpensive way of gauging the human side of ‘organisational vulnerability’. However, for reasons I will explain below, many researchers and industry experts now believe these campaigns may have a number of negative consequences and may not even provide metrics that disclose much about organisation vulnerability at all.
Why may phishing campaigns not be as useful as organisations think?
1) The metric is artificial
The truth is, phishing attacks can be extremely sophisticated. Even experts in the field can be compelled to click on links. This is especially true in cases of spear phishing, where the email is ostensibly from a known sender and specifically targets one or a small group of individuals.
What I’m trying to say is that phishing campaign metrics depend on how sophisticated the email you send out is. All you prove when people click is that your phishing email was sophisticated enough to make people click; if they did not click, all you prove is that the phishing email you created was not good enough. In this way, the statistics gathered from phishing campaigns are artificial.
2) They do not expose the underlying issue
Phishing campaigns may tell you a few things, such as what percentage of your organisation opens the links, or whether certain departments are more likely to open links than others. Over the long term, they are often used to test the impact of awareness campaigns. However, they do not tell you the most valuable information: why people are clicking.
If organisations are to change behaviours, understanding why people click is extremely important. Have employees not received enough training? Do they feel disenfranchised by cyber-security policies? Was the employee in question under time constraints when they clicked? Were they making a security/productivity trade-off? Each of these reasons requires a different organisational response. It is the why that tells the organisation what it needs to do to help employee security.
3) Mistrust for the organisation
Central to phishing campaigns is the element of deception. This could lead to employees mistrusting and feeling alienated from the organisation, and at the very least the cyber-security department. Organisational trust is essential for maintaining security. Mistrust leads to disengagement, and an employee who is disengaged with security is not secure.
If employees are constantly worried about their organisation phishing them, they may waste valuable time deciding whether an email is a phishing email or not. This effect is stronger when your phishing simulations are so sophisticated that they trick employees into clicking links every time. On one hand, you want employees to take the time to review suspicious emails. On the other, you do not want to significantly reduce productivity. This might cause individuals to ignore suspected emails instead of spending time deliberating over them and reporting them.
This may cause problems, as reporting a phishing email means the organisation can send a warning round to other employees. If your employees do not report suspected emails, the risk of someone else clicking increases.
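Point 2 above notes that a campaign yields click rates, possibly per department, and the paragraph above notes that timely reporting is what actually lets the organisation warn others. The following script, an added example and not part of the original post, computes report rate and time-to-report alongside the click rate from a small constructed campaign log, so the reporting behaviour the post values is measured rather than only the clicks; the record layout and the sample data are assumptions, and nothing here can recover the "why" behind a click.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log (assumed layout, not from any real campaign):
# one record per simulated email, as
# (department, sent_at, clicked_at or None, reported_at or None).
SAMPLE_EVENTS = [
    ("finance", "2024-03-01T09:00", "2024-03-01T09:04", None),
    ("finance", "2024-03-01T09:00", None, "2024-03-01T09:10"),
    ("finance", "2024-03-01T09:00", "2024-03-01T09:02", "2024-03-01T09:05"),
    ("hr", "2024-03-01T09:00", None, None),
    ("hr", "2024-03-01T09:00", "2024-03-01T11:30", None),
    ("hr", "2024-03-01T09:00", None, "2024-03-01T09:30"),
]


def _parse(ts):
    """Parse an ISO-8601 timestamp string, passing None through."""
    return datetime.fromisoformat(ts) if ts else None


def campaign_metrics(events):
    """Per-department click rate, report rate, number of people who clicked
    and then still reported, and median minutes from delivery to report."""
    by_dept = defaultdict(list)
    for dept, sent, clicked, reported in events:
        by_dept[dept].append((_parse(sent), _parse(clicked), _parse(reported)))

    result = {}
    for dept, rows in by_dept.items():
        n = len(rows)
        clicks = sum(1 for _, c, _ in rows if c)
        reports = sum(1 for _, _, r in rows if r)
        # Clicking and then reporting is the behaviour the post wants to keep:
        # it is what gives IT a chance to contain a real incident early.
        clicked_then_reported = sum(1 for _, c, r in rows if c and r)
        report_delays = [(r - s).total_seconds() / 60 for s, _, r in rows if r]
        result[dept] = {
            "click_rate": clicks / n,
            "report_rate": reports / n,
            "clicked_then_reported": clicked_then_reported,
            "median_minutes_to_report": median(report_delays) if report_delays else None,
        }
    return result


if __name__ == "__main__":
    for dept, metrics in campaign_metrics(SAMPLE_EVENTS).items():
        print(dept, metrics)
```

A department with a high click rate but a high report rate and short time-to-report is in a better position than one that never clicks in simulations but also never reports, which the click rate on its own would rank the other way round.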
Different organisations have different consequences for employees who click. Some of the consequences put in place by organisations can exacerbate information-security problems rather than improve them.
For example, in my research and from speaking with others, I’ve heard everything from organisations ‘naming and shaming’ employees to privately letting employees know they need to retake training. If asked to retake training multiple times, employees are often subject to disciplinary procedures. All this does is further induce stress, worry and mistrust.
If an employee is scared about clicking on a fake phishing email, it also reduces the likelihood they will tell someone quickly if they click on a real phishing email. Contrary to popular belief, phishing attacks do not always cause damage immediately. Telling IT in a timely manner that you opened a phishing email could mean the company is able to salvage the situation.
Additionally, using training as a punishment will not motivate employees to complete training or to take an interest in cyber-security.
These are several ways in which phishing your own employees may be harmful to both the employees and the organisation and why the metric may not be useful anyway.
In suggesting that phishing your own employees is not very useful, if not harmful, I am in no way advocating that we should rely on technical solutions only. I believe employees should be seen as part of the solution to cyber-security. Increasing motivation and efficacy, and involving employees in policy making rather than deceiving them and treating them as the problem, is a good first step towards this. Learn from your employees; they are the only ones who can really tell you why they may be clicking on links or displaying behaviours that breach organisational security. (Hint: it might be the organisation’s unusable policies!)
Of course, this is my opinion based on research of the current standing of phishing campaigns. Done differently, with these issues in mind and alongside other metrics and training, maybe they would provide more meaningful insights. There are also many other ways to measure employee security (more on this to be featured in a later posting).