You’re in a metaphorical cybersecurity forest. You’ve wandered in there to find your org’s true risk of a phishing attack breach. But if a phishing attack risk assessment is calculated absent employee engagement… does it make a sound?
Not one worth listening to.
Measuring the true risk of a phishing attack breach is helpful. Knowing the actual likelihood of your people clicking something they shouldn’t—or reporting something they should—will guide good business and security decisions for the CISO and the C-suite. But “measured risk” of a phishing attack breach can actually be dangerous. The metric is typically based on phishing attack simulations’ pass/fail rates: did they click on the bad link, or didn’t they?
Risk measured solely by the click rate is a mirage. It can be based on a poorly executed internal campaign, or on ineffective training content. Or, sometimes, measured-risk-via-click-rate is a vanity metric designed to make vendors and security teams look good while lacking adequate sample size or context. Reporting risk to the board based on an empty metric is basically serving them junk food with empty calories; the sugar rush of saying, “Everything’s great!” will crash as soon as something bad actually happens and your team is held accountable for a suboptimal risk assessment.
What is the measured risk of a phishing attack breach?
Employee phishing simulation pass / fail rates calculated in a vacuum. If only 100 employees in a 1000-strong workforce are participating in training, then the sample size renders their results—positive or negative—inadequate. Also, remember that a phishing tool can be designed to show improvement. What does that mean? Hard content that gets easier; or content that doesn’t effectively change, so the test takers can anticipate it and game the system. And the training itself is usually delivered via punishment-by-added-cybersecurity training, which discourages active participation. When the golden metric of an awareness tool is pass/fail rates come hell or high water, then the concept of that tool is fundamentally flawed.
What is the True Risk of a phishing attack breach?
Employee engagement of phishing awareness training at a level of at least 50% of the organization, and ideally above 70%. Only then can the CISO calculate resilience with confidence, by dividing engagement rate by fail rate. A score of 14 (e.g. 70% engagement / 5% clicked-a-bad-link rate) is excellent and worth striving for, while above 10-12 (60% engagement / 5-6% simulation fails) still provides your organization competitive advantage. The Platonic ideal of 20-40 (80% engagement / 2-4% fail rate) is rare, but possible. Mind you, the engagement must be real. It can’t mean someone took one test, passed, and then was removed from testing but remains counted as a participant. Simulations must be challenging, and touch the upper echelons of the organization, just as sophisticated spear phishing and whaling attacks do. Engagement cannot be faked or taken for granted. People need to be constantly stressed with true-to-life threat simulations that evolve along with the threat landscape. Only then do pass / fail rates of threat simulations provide meaningful data for the infosec team to report to executive leadership with confidence.
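The resilience score described above (engagement rate divided by simulation fail rate), worked through on constructed data as an added example that is not part of the original article. It applies the article’s two caveats: engagement under 50% is not reportable, and someone who was tested once, passed and was then dropped from testing is not counted as engaged (the minimum-campaigns rule is an assumption used to implement that caveat); the bands for the score follow the article’s 10/14/20 thresholds.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SimEvent:
    """One simulated phish delivered to one employee in one campaign."""
    employee: str
    campaign: int
    clicked: bool

def engaged_employees(events, min_campaigns):
    """Employees seen in at least min_campaigns distinct campaigns.
    With min_campaigns >= 2, someone tested once and then dropped is not
    counted (assumed rule for the article's 'engagement must be real' caveat)."""
    seen = {}
    for e in events:
        seen.setdefault(e.employee, set()).add(e.campaign)
    return {emp for emp, camps in seen.items() if len(camps) >= min_campaigns}

def resilience(events, workforce_size, min_campaigns=2):
    """Engagement% / fail%, following the article's formula and bands.
    Returns score None when engagement is under the 50% floor."""
    engaged = engaged_employees(events, min_campaigns)
    engagement_pct = 100.0 * len(engaged) / workforce_size
    delivered = [e for e in events if e.employee in engaged]
    clicks = sum(e.clicked for e in delivered)
    fail_pct = 100.0 * clicks / len(delivered) if delivered else 0.0
    if engagement_pct < 50.0:
        return {"engagement_pct": engagement_pct, "fail_pct": fail_pct,
                "score": None, "verdict": "not reportable: engagement under 50%"}
    score = engagement_pct / fail_pct if fail_pct else float("inf")
    band = ("Platonic ideal" if score >= 20 else "excellent" if score >= 14
            else "competitive advantage" if score >= 10 else "below target")
    return {"engagement_pct": engagement_pct, "fail_pct": fail_pct,
            "score": score, "verdict": band}

def constructed_events():
    """Constructed sample: 40-person workforce, 5 simulation campaigns."""
    events = []
    for i in range(1, 29):          # 28 employees engaged in every campaign (70%)
        for c in range(1, 6):
            events.append(SimEvent(f"e{i:02d}", c, clicked=(c == 1 and i <= 7)))
    for i in (29, 30):              # tested once, passed, then removed from testing
        events.append(SimEvent(f"e{i:02d}", 1, False))
    return events                   # e31..e40 never received a simulation

if __name__ == "__main__":
    ev = constructed_events()
    print("real engagement:  ", resilience(ev, 40))                   # 70/5 -> 14.0
    print("vanity engagement:", resilience(ev, 40, min_campaigns=1))  # inflated above 14
    print("small sample:     ", resilience(ev[:50], 40))              # under 50% -> None
```

The second call shows how counting one-and-done participants inflates both engagement and the score, which is exactly the vanity metric the article warns against.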
In addition to overlooking engagement—we’re here to punish into compliance, not nurture towards awareness; you’re welcome!—several design flaws drive poor participation rates. Traditional punitive training programs are:
- Irrelevant and uninteresting: dry, stale, cookie-cutter content is force-fed rather than served in a personalized recipe inviting active and ongoing participation
- Failure is punished via Death by a Thousand Bad Simulations: cybersecurity awareness culture is thus associated with misery
- Made for everyone and everything except for the people taking it: it’s a test-first philosophy, not people-first
- Premised on pass/fail rates, regardless of their statistical significance: If only 10% of your workforce is participating in these tests, results are non-representative
Engagement is the bedrock of effective training and learning. It’s a pillar of meaningful risk and resilience data at the people layer. Not only does org-wide engagement lower unknown risk and raise awareness sustainably, but the act of engagement itself (reporting threats, both real and simulated) also:
- Actually strengthens the organization’s defensive perimeter at the people layer
- Serves as a distributed phishing defense tactic
- Works as a behavior change strategy, rooted in neuroscience. An undesired activity must be replaced by a healthy one to change habits, be it smoking (gum chewing, exercise) or unsafe cybersecurity practices (see something suspicious? Hit the report button!)
Measured risk is whistling past the graveyard
If the CISO walks into the board and delivers a risk assessment based on measured risk, he’s effectively whistling past the graveyard. As indicated by Verizon’s 2021 Data Breach Investigations Report, traditional phishing awareness training obscures an organization’s true risk of a breach.
“Additionally, real phishing may be even more compelling than simulations,” stated the report. “In a sample of 1,148 people who received real and simulated phishes, none of them clicked the simulated phish, but 2.5% clicked the real phishing email.”
Click rates are typically far worse than that, even: between 7.5% and 49% depending on the industry and organization, according to a major 2018 study of phishing click rates across 6 US hospitals, published in JAMA by Gordon et al. The authors reported that 95 simulated phishing campaigns comprising 2 971 945 emails produced an overall median click rate of 16.7% across the 6 hospitals. Median institutional click rates varied from 7.4% to 30.7%; so, roughly 1 in 7 phishing simulations was clicked, they said. But here’s the part that should make you lean forward in your chair and smile: the study authors noted that “increasing campaigns were associated with decreased odds of clicking a phishing email.”
Engagement works. Science says so. Institutional knowledge agrees. However, the quality of that engagement is crucial. In addition to failing to achieve adequate, much less optimal, engagement rates, the DBIR report further derided traditional training programs:
“Verizon Media believes the simulations and training offered by most security education teams do not mimic real life situations, do not parallel the behaviors that lead to breaches, and are not measured against real attacks the organization receives. This is why it is important to progress from the traditional security awareness model to that of using behavioral science to change the habits (emphasis ours) that lead to attack path breaking actions.” —DBIR 2021
A big part of the CISO’s job is to raise awareness. And not just among his or her employees: executive management, too. Just as bad phishing training will likely fail to move the awareness needle and will kill cybersecurity culture, poorly measured risk will introduce an element of voodoo into the risk analysis delivered to the board.
Now we’re talking: Communicating true risk of a phishing attack breach to the board
Risk is the unifying language of business and information security. Business executives seek growth; security leaders fight for safety. Each can feel the other is speaking Klingon until risk enters the conversation. That’s when the CISO can stand shoulder to shoulder with the rest of the C-suite, take all the KPIs from his infosec team, and translate them into bottom-line risk metrics that help guide the business and fire up the crowd.
“As the CISO, I am a business enabler,” said Petri Kuivala, CISO of NXP. “It’s my job to explain the risk in a way that the board can make an informed business decision to put resources in the right places to lower risk while trying to make money.”