Phishing vulnerability assessments and phishing susceptibility rates rarely tell the full story. How can companies calculate their true phishing risk?
Have you ever wondered whether your reduced phishing susceptibility rate really shows your true phishing vulnerability?
Or wondered why it may be low one week but spike the next?
Read on to hear our thoughts on why, if not applied correctly, susceptibility rates are a lazy metric of phishing vulnerability, and why many Awareness and Education teams (and Boards) find themselves questioning whether they really add the value they had hoped for.
Phishing vulnerability often (understandably) attracts much attention; however, on its own it can be a misleading comfort metric.
A reduction in phishing vulnerability, while on the surface good (and welcome), might only be temporary. Often as the subject, context, timing, style and tone within a phishing email changes, so too does the susceptibility rate. A little bit of extra thought, effort and lucky timing on the part of the sender could yield significantly different reporting metrics!
The human cyber risk you carry, in relation to awareness, behaviour and culture (ABC), is much more than whether a member of the workforce did or didn’t click on a simulated phishing link. Just as importantly, an organisation may have a phishing susceptibility rate of 4% one quarter and 27% the next simply because the phishing simulations have been constructed differently (subject, context, timing, style, tone etc.).
It’s very easy to become fixated on phishing vulnerability, and if a programme is not implemented correctly, it can actually have a detrimental effect on a workforce. To really reduce risk in a way that is sustainable, and to avoid false comfort, an organisation needs to intelligently look at other metrics as indicators.
What’s really important to measure?
1. What do people actually know and understand about how to stay safe online? (About phishing and the whole raft of other cyber threats they might face as a result of their role, industry and personal circumstances).
2. How do they really behave when presented with attacks (phishing, SMiShing, USB drops, etc.)?
3. What do they think, and how much do they care, about cyber security?
4. And how confident are they?
Combined, these metrics give a much more accurate view of human cyber risk and the ABC health within an organisation than phishing susceptibility rates or other metrics of phishing vulnerability. In addition, they provide a more reliable view on which to rely, which becomes especially valuable when phishing click rates fluctuate: for example, because context, timing, style or tone have changed, because secure behaviours haven’t sunk in yet, or because people simply don’t care enough.
Moreover, these metrics will help ensure your phishing susceptibility rate reduces over time, and stays down. And if it doesn’t, they’ll help you identify why.
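The two passages above make the same practical point: a blended click rate moves with how the lures were built, so a 4% to 27% swing is not evidence of a change in people. One way to stop a dashboard from telling that story is to report like-for-like, by campaign difficulty tier, and to show the sampling uncertainty of each rate. The following script is an added example, not CybSafe’s software or method. It assumes the programme owner tags each simulated campaign with a difficulty tier when the lure is designed (an assumed 1–3 scale), and the campaign figures are constructed sample data.

```python
"""Like-for-like phishing susceptibility reporting (added example).

Assumptions (not from the original post): each simulated campaign is recorded
with the number of emails delivered, the number of link clicks, and a
difficulty tier assigned by the programme owner (1 = generic lure,
2 = contextual, 3 = tailored to the target). A Wilson score interval is used
to show how much of a quarter-to-quarter swing is plain sampling noise.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from math import sqrt


@dataclass(frozen=True)
class Campaign:
    quarter: str
    name: str
    difficulty: int  # assumed scale: 1 generic, 2 contextual, 3 tailored
    delivered: int
    clicked: int

    @property
    def rate(self) -> float:
        return self.clicked / self.delivered


def wilson_interval(clicked: int, delivered: int, z: float = 1.96) -> tuple[float, float]:
    """95% Wilson score interval for a click proportion.

    Unlike the naive +/- 1.96*sqrt(p(1-p)/n), this behaves sensibly for the
    small, low-rate samples typical of a single campaign.
    """
    if delivered == 0:
        return (0.0, 0.0)
    p = clicked / delivered
    denom = 1 + z * z / delivered
    centre = (p + z * z / (2 * delivered)) / denom
    half = z * sqrt(p * (1 - p) / delivered + z * z / (4 * delivered * delivered)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))


def headline_rate(campaigns: list[Campaign], quarter: str) -> float:
    """The single blended number a dashboard typically shows for a quarter."""
    sent = sum(c.delivered for c in campaigns if c.quarter == quarter)
    hit = sum(c.clicked for c in campaigns if c.quarter == quarter)
    return hit / sent


def rate_by_tier(campaigns: list[Campaign]) -> dict[tuple[str, int], float]:
    """Pooled click rate per (quarter, difficulty tier), for like-for-like comparison."""
    clicked: dict[tuple[str, int], int] = defaultdict(int)
    delivered: dict[tuple[str, int], int] = defaultdict(int)
    for c in campaigns:
        key = (c.quarter, c.difficulty)
        clicked[key] += c.clicked
        delivered[key] += c.delivered
    return {k: clicked[k] / delivered[k] for k in delivered}


def within_noise(earlier_rate: float, later_clicked: int, later_delivered: int) -> bool:
    """True if the earlier rate sits inside the later sample's 95% interval,
    i.e. the observed movement is not distinguishable from sampling noise."""
    lo, hi = wilson_interval(later_clicked, later_delivered)
    return lo <= earlier_rate <= hi


# Constructed sample data: Q1 ran only generic lures, Q2 mostly tailored ones.
SAMPLE: list[Campaign] = [
    Campaign("Q1", "parcel-notice", 1, 1000, 40),
    Campaign("Q1", "password-expiry", 1, 1000, 40),
    Campaign("Q2", "ceo-urgent-invoice", 3, 1000, 330),
    Campaign("Q2", "it-helpdesk-mfa", 3, 1000, 320),
    Campaign("Q2", "parcel-notice-rerun", 1, 500, 25),
]

if __name__ == "__main__":
    for q in ("Q1", "Q2"):
        print(f"{q} headline click rate: {headline_rate(SAMPLE, q):.1%}")
    for (q, tier), r in sorted(rate_by_tier(SAMPLE).items()):
        print(f"{q} tier {tier}: {r:.1%}")
    lo, hi = wilson_interval(25, 500)
    print(f"Q2 tier-1 95% interval: {lo:.1%} to {hi:.1%}; "
          f"Q1 tier-1 rate inside it: {within_noise(0.04, 25, 500)}")
```

On the constructed data the headline rate jumps from 4% to 27%, which is exactly the swing the post describes, yet the only like-for-like comparison available (tier-1 lures in both quarters) moves from 4% to 5%, and the Q1 figure sits inside the Q2 interval, so the tier-1 movement is not distinguishable from noise. The remaining jump is the tier-3 campaigns that simply did not exist in Q1. Reporting per tier, with intervals, lets a Board ask the right question (were harder lures sent?) instead of reading a change in the workforce that the data does not support.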
Addressing phishing is important, but…
Importantly, the answer to the problem isn’t simply more of the same – reducing phishing vulnerability (and in fact human cyber risk as a whole) through better phishing simulations, or more tick-box awareness training. Organisations need to find ways to engage, stimulate, support and really hear from their people when it comes to cyber security and data protection.
This can be done with content and innovative delivery mechanisms that better apply psychology and behaviour change theory, as well as a better understanding of the needs and expectations of today’s modern and growing digital workforce. Likewise, a clever use of innovative, increasingly intelligent technology can help drive positive changes in the areas (and metrics) of interest – meaning in turn, genuine risk reduction.
The cyber risk faced by most organisations is a lot broader than just phishing vulnerability. However, even if this was an organisation’s sole focus (?!), to really be sure that one is reducing the risk posed by employees clicking on phishing links, we need to first understand, and then positively influence, the factors that contribute to why someone might click on that link. What do people know and understand? How do they behave? How much do they care? How confident are they?
Addressing phishing is important. And anything that is important and can be measured, should be measured. However, it is folly to blindly accept a set of metrics if they can be so easily affected by slight changes the next day. This is the Board level equivalent of emperor’s new clothes.
Would you like to hear more about how CybSafe can help you take a more honest view on the human cyber risk you carry? Or what more can be done to permanently reduce phishing susceptibility? Please let us know. We’d love to show you.
Please feel free to share this with others you think may find it interesting.
CybSafe’s intelligent software harnesses collective lessons across the cyber security community in a low-cost per-user subscription to help businesses of all sizes improve cyber security behaviour and reduce cyber risk, both internally and within their supply chains.
The GCHQ-accredited software helps businesses mitigate cyber risk with greater certainty, greater impact, and more cost-effectively.
CybSafe is a British cyber security technology company. It is headquartered at Level39, the prestigious technology community based in Canary Wharf, London.