Crossroads Blog | Institute for National Security and Counterterrorism


Phishing Attack Simulations: Utility, Value, and Ethics

One commonly discussed method of private-sector cybersecurity training is the phishing attack simulation. However, as a comment by Joe Ferrara of Wombat Security describes, implementing such a method is not exactly black and white.

Pointing to the 2013 Security Threat Report released by Sophos, Ferrara reports that 85% of information security professionals support the use of phishing attack simulations. After all, the utility of such a process is pretty apparent. “[I]t can shock complacent staff into realizing how vulnerable to social engineering they really are, and through that . . . improve overall security[,]” and “it opens a valuable communications channel between users and security staff.”

But what about ethics? As pointed out by some professionals referenced in Ferrara’s comment, there are inherent concerns associated with “tricking users for training purposes,” which opens the door to a litany of internal issues.

Ferrara’s point is this: simulated attacks are useful and cost-effective, but they must be used “openly and for the benefit of the company rather than the detriment of the staff.”

As he says in closing: “It’s time to make a cybercriminal’s job a little harder, with users as defenders against attack.”

You can read the full comment here.
