Gotcha or Guidance: Redefining Phishing Training

In the late 19th and early 20th centuries, a series of devastating fires spurred public outrage and demands for action from the nascent fire protection industry. Initially, experts focused on “Fire Evacuation Tests,” which aimed to evaluate individual performance by measuring how quickly occupants could evacuate, often through surprise drills mimicking real fires. These early tests frequently resulted in more injuries than improvements in safety.

It wasn’t until the introduction of better protective engineering—such as wider doors, push bars at exits, firebreaks in construction, and illuminated exit signs—that survival rates from building fires began to significantly improve. Building fire safety into a structure was far more effective than training humans to detect and respond to fire threats in vulnerable edifices.

Test or Drill

Phishing tests are unannounced simulations where employees receive fake phishing emails designed to mimic real threats. These tests aim to assess employees’ ability to recognize and respond to phishing attempts. If an employee clicks on a link or enters credentials, they are typically notified of their mistake and provided with educational material to prevent future errors. The primary goal of phishing tests is to identify vulnerabilities and gauge the overall security awareness of the staff.

Phishing drills, in contrast, are pre-announced training exercises that inform employees in advance that they will receive a phishing simulation. These drills are designed to educate employees on recognizing phishing emails and the steps they should take when encountering one. The focus is on training and reinforcing proper behavior rather than catching mistakes. Phishing drills provide clear instructions and specific tasks, emphasizing recognition and reporting over testing employees’ reactions under surprise conditions.

Why Phishing Drills Are Superior

Matt Linton, a Chaos Specialist at Google, argues that phishing drills are superior to phishing tests for several key reasons:

  1. Building Trust: Phishing tests can erode trust between employees and the security team. Employees often feel tricked or deceived by these surprise tests, leading to frustration and a sense of being targeted. This negative sentiment can hinder the collaboration and trust necessary for effective security practices.
  2. Effective Training: Phishing drills prioritize accurate training by explicitly teaching employees what to do when they encounter a phishing email. By announcing the drill and providing relevant instructions, employees can focus on learning and applying the correct actions without the anxiety of being tricked.
  3. Focus on Reporting: Drills emphasize the importance of reporting phishing attempts, a critical component of an organization’s defense strategy. Employees learn to recognize phishing threats and understand the appropriate response protocols, leading to a more prepared and vigilant workforce.
  4. Positive Reinforcement: Instead of penalizing employees for mistakes, phishing drills create a supportive learning environment. Employees receive guidance on proper procedures, reinforcing positive behavior and reducing the fear of repercussions from failing a test.
  5. Alignment with Best Practices: Linton draws a parallel with fire safety practices, where regular, pre-announced evacuation drills have replaced surprise drills. This shift prioritizes training and preparedness over the element of surprise, leading to better outcomes and a more resilient organization.

Conclusion

In summary, phishing drills offer a more effective and employee-friendly approach to cybersecurity training. By focusing on education, building trust, and reinforcing proper responses, organizations can foster a more knowledgeable and proactive workforce. Transitioning from phishing tests to phishing drills aligns with best practices in training and emergency preparedness, ultimately enhancing the organization’s overall security posture.

For more insights, refer to Matt Linton’s blog post On Fire Drills and Phishing Tests, published on May 22, 2024, in the Google Security Blog.

Should We Bother?

Wolfgang Goerlich posted a hot take on LinkedIn that is less and less of a hot take these days: “Our industry needs to kill the phish test.” Podcast host Adrian Sanabria has been on the fence when it comes to phishing simulation, partly because he used to phish people as a penetration tester. It always succeeded, and always would succeed, as long as it’s part of someone’s job to open and read emails. Did that make phishing simulation a Sisyphean task? Was there any value in making some employees more ‘phishing resistant’? And who is in charge of these simulations? Who looks at a fake end-of-quarter bonus email and says, “yeah, that’s cool, send that out.” For more, see https://www.scworld.com/podcast-segment/13059-do-phishing-tests-do-more-harm-than-good-wolfgang-goerlich-esw-376.