Risks Of Simulated Phishing Campaigns

Is there any doubt that phishing is a major threat to all of us? Here’s what Verizon’s 2015 Data Breach Investigations Report (DBIR) said about phishing:

In the 2013 DBIR, phishing was associated with over 95% of incidents attributed to state sponsored actors, and for two years running, more than two-thirds of incidents that comprise the Cyber-Espionage pattern have featured phishing. The user interaction is not about eliciting information, but for attackers to establish persistence on user devices, set up camp, and continue their stealthy march inside the network.

Or, drop a banking Trojan on the computer in the hopes of stealing some money.

What’s the success rate for phishing attacks? The 2015 DBIR said:

23% of recipients now open phishing messages and 11% click on attachments.

Clearly, we need to increase employee resistance to all forms of social engineering attempts. But how? And what are the risks of taking action?

Aside from implementing some email and web filters, you can buy phishing testing services. I’m most familiar with PhishMe and KnowBe4.

Running your own simulated phishing campaigns seems like a great idea. The effectiveness data published by the vendors is compelling. Judging from what I’m seeing and hearing from IT people over the years, though, there’s an objective missing from the project and operations plans: the campaigns need to be done in a way that enhances trust between employees and management rather than damaging it.

Here are the top risks that I can see:

  • Whether it meets the legal definition or not, could employees feel the simulation is a form of entrapment?
  • Will employees feel resentful of management if the campaign is “deceptively” launched on them with no warning? Will any feelings of shame or embarrassment cause resentment?
  • How effective will further coaching or training to resist phishing be if the employee feels resentment?
  • Should employees who repeatedly fail simulated phishing exercises be coached or disciplined? If so, who should do it? Their supervisor? The CISO?
  • What if an employee actually causes a data breach by being phished, and you have records of that person repeatedly clicking on the simulated phishing links over a period of several weeks or months with no action taken by management? Will that undermine management’s ability to discipline or fire that person?
  • Could an employee who gets disciplined for clicking too much on the simulated phishing links successfully defend themselves against management based on how you conducted the campaigns? For example, a man claiming he was unfairly targeted by a message that would naturally appeal more to men than to women?

In the course of researching for this post, I was unable to find any documented cases of people being disciplined due to phishing, either real or simulated. So as an industry we don’t appear to know the answers, but we definitely need to find them before the attorneys and courts figure it out for us.

Did you talk with your HR and legal teams before implementing a simulated phishing campaign? How did you deal with these risks?