Administering a phishing test and training without knowing an employee's weakness is not only ineffective and expensive, but unlikely to teach workers how to avoid a phishing attack.
Dr. Arun Vishwanath of the University of Buffalo said in a talk at Black Hat 2017 that before any training is delivered, workers' cybersecurity skill levels have to be assessed; otherwise, they will be tested on the wrong topics. To that end, Vishwanath and a team from Buffalo have developed, and are currently testing, a 40-question test that helps determine a staffer's weak points when it comes to falling for a malicious email. The test results are then used to create a personalized training curriculum that will focus on the staffer's weak points.
“It's a diagnosis,” he said, noting the current system in use is like going to the doctor and having him throw pills at a patient, hoping that one of them cures the illness without bothering to ask what is wrong.
The test checks to see if the person's problem lies with a basic misunderstanding of cybersecurity or if he or she is the type of person who clicks on links from a trusted source, like Google or Amazon. Once this is determined, the IT staff can address the employee's specific problem.
“We don't have a people problem, it's an understanding of people problem,” Vishwanath said.
In testing this approach, Vishwanath has produced some promising results, and he believes that if it is implemented, a company could see the click-through rate on malicious emails drop to under five percent.
This would represent a huge change from the current style of testing and training, which focuses on either intensive classes or having companies phish their own employees and then use positive or negative reinforcement to elicit the proper response. Vishwanath cited several studies showing that these methods do not result in any meaningful change in behavior.
One of the studies conducted by Vishwanath's team took 400 employees from an unnamed company, trained half of them using the other methods, and left the remainder as a control group. The end result was that 32 percent of the trained people clicked on a phishing email when tested, compared to 35 percent of the untrained control group.