To Teach Someone to Phish…

To Teach Someone to Phish…

Given that phishing attacks are now the #1 cause of successful data breaches, it’s no surprise that many individuals and organizations are looking for tools to help them get better at spotting phish. The problem, however, is that most of the available education tools reply on “passive” training material: infographics, videos, and sample phish. While this educational tools might teach you a few facts and figures, they don’t always lead to a long term change in how users respond to phish. Instead, educators should be looking for new tools and methods that change the very way we look at our emails. You know the phrase “Give someone a fish, feed him for a day. Teach someone to fish, feed him for a lifetime”? Well, the same is true for phish too.

The idea is simple: Instead of just looking at examples of phish, by engaging in the process of creating a phish you will internalize the tactics and tricks scammers in real life and will be better able to spot them.

There is  actually a method that has been proven to work in similar settings, such as recognizing propaganda and misinformation. It’s called inoculation theory. The idea is similar to how vaccines work: by exposing people to small doses of something more dangerous, and by actively engaging them in the process, they can better defend themselves against the real thing in the future. Cambridge University used this theory to create an online game that asks users to create their own fake news.

In a similar way, teaching someone how to make phish creates an engaging way for users to understand how actual phishers think and what tactics they use to trick people. We believe this form of training has the potential to be far more successful in help users create long lasting change and help them stay safer online.

Tiny Habits, Big Changes

Tiny Habits, Big Changes

When you want to form a new habit or learn something new, you may think the best way to start is to dedicate as much time and energy as you can to it. If you want a learn new language, for example, you may think that spending a couple of hours every day doing vocab drills will help you learn faster. Well, according to behavioral scientist BJ Fogg, you might be taking the wrong approach. Instead, it’s better to focus on what Fogg calls tiny habits: small, easy to accomplish actions that keep you engaged without overwhelming you.

Sure, if you study Spanish for three hours a day you may learn at a fast rate. The problem, however, is that too often we try to do too much too soon. By setting unrealistic goals or expecting too much from ourselves, new habits can be hard to maintain. Instead, if you only spend five minutes a day, chances are you will be able to sustain and grow the habit over a longer period of time and have a better chance of retaining what you’ve learned.

The Keys To Success

According to Fogg, in order to create lasting behavior change, three elements come together at the same moment need to come together:

  1. Motivation: You have to want to make a change.
  2. Ability: The new habit has to be achievable.
  3. Prompt: There needs to be some notification or reminder that tells you its time to do the behavior.

Creating and sustaining new habits requires all three of these elements to be successful — with any element missing, your new behavior won’t occur. For example, if you want go for a 5 mile run, you’re going to need a lot of motivation to do it. But if you set smaller, easy to achieve goals — like running for 5 minutes — you only need a little motivation to do the new behavior.

The other key factor is to help yourself feel successful. Spending 2 minutes reviewing Spanish tenses may not feel like a big accomplishment, but by celebrating every little win you will reinforce your motivation to continue.

The Future of Cyber Awareness

Tiny habits can not only help people learn a new language or start flossing, it can also play an important role in forming safer, more conscious online practices. Our cyber awareness training program, The PhishMarket™, is designed with these exact principles in mind. The program combines two elements, both based on Fogg’s model:

Phish Simulations: Using phish simulations help expose people to different forms of phish attacks, and motivates them to be more alert when looking at their inbox. While most programs scold or punish users who fall for a phish, The PhishMarket™ instead uses positive reinforcement to encourage users to keep going.

Micro-Lessons: Unlike most training programs that just send you informative videos and infographics, The PhishMarket™ exclusively uses short, interactive lessons that engage users and encourage them to participate and discuss what they’ve learned. By keeping the lessons short, users only need to dedicate a few minutes a day and aren’t inundated with a barrage of information all at once.

Creating smart and safe online habits is vital to our world today. But traditional training techniques are too often boring, inconsistent, and end up feeling like a chore. Instead, we believe the best way to help people make meaningful changes in their online behavior is to focus on the small things. By leveraging Fogg’s tiny habits model, The PhishMarket™ has successfully helped users feel more confident in their ability to spot phish and disinformation.

Cyber Awareness in Remote Environments: How do you keep people engaged?

Cyber Awareness in Remote Environments: How do you keep people engaged?

The current crisis has forced all of us to make changes that we otherwise wouldn’t have made. The upside, however, is that some of these changes may end up benefiting us well beyond the pandemic. One area that desperately needs this change is our view of cyber awareness — whether in remote environments or at the office. One report found that 91% of IT leaders simply trusted their employees to maintain safe security practices while working at home. This trust, it turns out, is misplaced, with 48% of employees saying that they are less likely to follow security practices at home. The bottom line is, if organizations want their employees to take cyber awareness in remote environments more seriously, they need to find a new way to help their employees create lasting behavior change.

Working from home creates unique challenges for their employees. They’re distracted, they’re doing their work on their personal devices, and they don’t have co-workers and managers there to motivate them. To build better cyber awareness while working from home, organizations should therefore focus on creating “micro-moments.” These micro-moments are small opportunities that contain four key elements:

  1. Short
  2. Frequent and consistent
  3. Engaging
  4. Involve positive reinforcement

By combing these elements, micro-moments sensitize employees to thinking about cyber awareness in their daily work, motivate them to continue learning, and keep them from thinking about cyber awareness as a burden or something that takes away their ability to get work done.

We know this works because it is the very foundation of Designed Privacy’s cyber awareness program, The PhishMarket™. The program combines phish simulations, daily micro-lessons, and detailed reporting to create behavior change that employee want to maintain. A study of The PhishMarket™ conducted by Stanford’s Peace Innovation Lab found that our program resulted in a 30% reduction in overall phish susceptibility in just four weeks, and 70% of participants said they would do the program again.

By incorporating a new a new type of cyber awareness training that focuses on creating micro-moments, organizations can help their employees create lasting behavior change, and the trust IT leaders have in their employees won’t be as misplaced as before.

Phish Scales: Weighing Your Risk

Phish Scales: Weighing Your Risk

With phishing campaigns now the #1 cause of successful breaches, it’s no wonder more and more businesses are investing in phish simulations and cybersecurity awareness programs. These programs are designed to strengthen the biggest vulnerability every business has and that can’t be fixed  through technological means: the human factor. One common misconception that may employers have, however, is that these programs should result in a systematic reduction of phish clicks over time. After all, what is the point of investing in phish simulations if your employees aren’t clicking on less phish? Well, a recent report from The National Institute of Standards and Technology actually makes the opposite argument. Phish come in all shapes and sizes; some are easy to catch while others are far more cunning. So, if your awareness program only focuses on phish that are easy to spot or are contextually irrelevant to the business, then a low phish click rate could lead to a false sense of of security, leaving employee’s unprepared for more crafty phishing campaigns. It’s therefore important that phish simulations present a range of difficulty, and that’s where the phish scale come in.

Weighing Your Phish

If phish simulations vary the difficulty of their phish, then employers should expect their phish click rates to vary as well. The problem is that this makes it hard to measure the effectiveness of the training. NIST therefore introduced the phish scale as a way to rate the difficulty of any given phish and weigh that difficulty when reporting the results of phish simulations. The scale focuses on two main factors:

#1 Cues

The first factor included in the phish scale is the number of “cues” contained in a phish. A cue is anything within the email that one can look for to determine if it is real of not. Cues include anything from technical indicators, such as suspicious attachments or an email address that is different from the sender display name, to the type of content the email uses, such as an overly urgent tone or spelling and grammar mistakes. The idea is that the less cues a phish contains, the more difficult it will be to spot.

#2 Premise Alignment

The second factor in the phish scale is also the one that has a stronger influence on the difficulty of a phish. Essentially, premise alignment has to do with how accurately the content of the email aligns with what an employee expects or is used to seeing in their inbox. If a phish containing a fake unpaid invoice is sent to an employee who does data entry, for example, that employee is more likely to spot it than someone in accounting. Alternatively, a phish targeting the education sector is not going to be very successful if it is sent to a marketing firm. In general, the more a phish fits the context of a business and the employee’s role, the harder it will be to detect.

Managing Risk and Preparing for the Future

The importance of the phish scale is more than just helping businesses understand why phish click rates will vary. Instead, understanding how the difficulty of a phish effects factors such as response times and report rates will deepen the reporting of phish simulations, and ultimately give organizations a more accurate view of their phish risk. In turn, this will also influence an organization’s broader security risk profile and strengthen their ability to respond to those risks.

The phish scale can also play an important role in the evolving landscape of social engineering attacks. As email filtering systems become more advanced, phishing attacks may lessen over time. But that will only lead to new forms of social engineering across different platforms. NIST therefore hopes that the work done with the phish scale can also help manage responses to these threats as they emerge.

If You Want Risk Management To Stick, You Have To Stay Positive

If You Want Risk Management To Stick, You Have To Stay Positive

Remember the sales contest from the movie, Glengarry Glen Ross?

“First prize is a Cadillac Eldorado….Third prize is you’re fired.”

We seem to think that, in order to motivate people, we need both a carrot and stick. Reward or punishment.  And yet, if we want people to change behaviors on a sustained basis, there’s only one method that works: the carrot.

One core concept I learned while applying behavior-design practices to cyber security awareness programming was that, if you want sustained behavior change (such as reducing phish susceptibility), you need to design behaviors that make people feel positive about themselves.

The importance of positive reinforcement is one of the main components of the model developed by BJ Fogg, the founder and director of Stanford’s Behavior Design Lab. Fogg discovered that behavior happens when three elements – motivation, ability, and a prompt – come together at the same moment. If any element is missing, behavior won’t occur.

I worked in collaboration with one of Fogg’s behavior-design consulting groups to bring these principles to cyber security awareness. We found that, in order to change digital behaviors and enhance a healthy cyber security posture, you need to help people feel successful. And you need the behavior to be easy to do, because you cannot assume the employee’s motivation is high.

Our program is therefore based on positive reinforcement when a user correctly reports a phish and is combined with daily exposure to cyber security awareness concepts through interactive lessons that only take 4 minutes a day.

To learn more about our work, you can read Stanford’s Peace Innovation Lab article about the project.

The upshot is behavior-design concepts like these will not only help drive change for better cyber security awareness; they can drive change for all of your other risk management programs too.

There are many facets to the behavior design process, but if you focus on these two things (BJ Fogg’s Maxims) your risk management program stands to be in a better position to drive the type of change you’re looking for:

1) help people feel good about themselves and their work

2) promote behaviors that they’ll actually want to do

After all, I want you to feel successful, too.

Coronavirus and Cybersecurity: The Human Factors

In the past, cybersecurity threats tend to increase in times of crisis. Now, bad actors are already using the coronavirus pandemic to their advantage. Employers are beginning to ask employees to work from home, and there are already numerous articles on security concerns about remote access. And while it is certainly important to ensure remote access systems are properly secured, it is equally as important to understand the human factors that create certain security vulnerabilities. Mass confusion and panic often lead to faulty or rash decision making, which is precisely what scammers are banking on now. A study by Check Point, for instance, revealed that coronavirus-related web domains are 50% more likely to be malicious than other domains.

When considering the coronavirus and cybersecurity, it is important for employers to use cyber awareness training to ensure employees continue to think critically and use proper judgment online. Here are four key areas to help employees limit their risk of exposure:

Use Multi-Factor Authentication

Perhaps the most important measure you can put in place is to make sure that all remote users are required to use multi-factor authentication (MFA) when accessing your system.

Device Security

Businesses need to ensure all employees that are working from home are taking appropriate steps to keep sensitive information safe. Anyone using remote access needs to be trained in the use of essential endpoint protections. VPNs, for example, are extremely important to make sure logs can’t be sniffed out by others in the neighborhood.

Employees should also be reminded of basic measures to take with personal devices. Screen and application time-outs should be set up to limit the risk that unwanted eyes around the house can view sensitive information and communications.

To limit the impact of stolen or lost devices, all sensitive information should be fully encrypted.

Online communication

Employees should be updated about current phishing campaigns that are taking advantage of the confusion and panic surrounding the coronavirus. The World Health Organization recently released a statement warning of fake emails posing as the WHO to steal money, information, and credentials. According to The Wall Street Journal, the WHO is receiving daily reports of coronavirus-related phishing schemes.

Working remotely will also require expanded use of online communications such as email, video services, and phones. It is therefore important that all communications relating to business should only take place through company-approved communication services. It is difficult to monitor the security of personal and social media messaging services and should not be used for any business-related communications.

Reporting and Incident Response

Being aware of increased cyber threats is only half the battle. Employees also need to understand how and when to report any suspected incidents. Keep help desks up and running, and encourage employees to be overly cautious in reporting any suspicious emails or activity. Employees need to know that someone can help if they think any information is at risk. 

Incident response teams should also be briefed on and prepared for any threats related to remote access work. Not only should response teams understand the current threats, everyone involved should have a clear understanding of how communication and responses will be carried out remotely. Because previous response simulations were probably conducted in-office, it is helpful to run a test response using only remote communication.

Communicate and Connect

Companies are ecosystems and healthy corporate ecosystems are a function of purpose, recognition, connection and intentional urgency.  All of which feeds into employee actions, whether it involves cybersecurity issues or marketing or administration or service issues.  Companies which do a better job of communicating what is going on in their organization and connecting with their remote staff and acknowledging their respective situations create a caring environment which helps everyone pay attention to little things – like perhaps not clicking on that strange link or hiding the fact they accidentally sent the wrong person confidential information.

Conclusion

Given the severity of the ongoing coronavirus crisis, bad actors are counting on an increase in confusion, panic, and fear to profit and cause further disruption. The coronavirus and cybersecurity concerns need to be considered, Above all else, employers need to do their part to ensure workers stay well-informed and secure. Working at home might mean we can dress a little more casually, it doesn’t mean we should be any less serious about threats online.