Category Archives: Uncategorized

Improving security culture by stopping toxic behaviours

  • Internal website use non-recognized SSL certificates while you try to educate your staff to distrust non-SSL and badly signed websites
  • The company is using external email addresses for official internal communications or actions (like for surveys, training, HR, and so on) while you try to make people to be warned by such kind of emails
  • The company is using a zilion different domains for their internal and external website(s) while you try to educate people to recognize the good one(s) from the bad ones

Rings a bell? All these “accepted ” deviation to the common sense and usability makes it even more difficult to educate your staff and change their behaviour. It is like trying to explain the principle of a good diet to your kids while eating a big donut and giving them candies. It’s like slapping their hands when they do something wrong but forcing them to do it so they can do their jobs. In psychology, we call that a double bind and it is believed to be at the source of some psychological diseases. So, imagine what it does to your staff and how adverse it can be to your attempt to develop a positive security culture.

So, should we put a focus on getting rid of toxic behaviours first? I think so. Do you?

Phishing: KPI or KRI?

This image has an empty alt attribute; its file name is KPIorKRI.png

Some questions seem to have no definitive answers. The egg and the chicken is one of them, and within the small world of Phishing, KPI or KRI is another one.
The question seems trivial. Do we consider the risk or the performance? Do we want to measure how many of our people will likely fail a phishing test or how many will detect it? It is the kind of question most people would likely dismiss. Just pick one, could we say. However, there is more to it than meets the eye.

We use Key Risk Indicators and Key Performance Indicators to help steer our company. They must provide relevant information allowing us to decide if we are on the right track, at the right speed and in the right direction or with the right level of protection. The burn rate and the net profit margin are standard financial KPIs. They allow us to know where we are going financially. What kind of indicator would best achieve the same objective when it comes to Phishing?

Phishing is a risk for most, if not all, companies. If we consider the risk approach, using a KRI makes sense. We often use the click ratio to measure the risk of a company being vulnerable to a phishing attack. Risk officers usually calculate it using the number of people clicking on a phishing link divided by the number of people who received the email. It makes sense, no? No! Not entirely at least. First, it does not measure the actual risk. Second, it is not an accurate measure of the risk.

Let us take a closer look at the question.

First, clicking on a link in an email will most probably cause no harm. The danger comes afterwards when users disclose credentials on a phishing website or open a file they just downloaded from it. The other possible threat with a phishing email is to open a malicious attachment. It will allow the propagation of ransomware or the installation of malware.

If we want to measure phishing related risks, these three behaviours are our more relevant candidates. One could say that clicking on an attachment or a link is still clicking. True, but not true. Our researches, confirming others, shows that we can have a reduction in the likelihood of clicking a malicious link and, still, having many people opening attachments. If we do not train our users specifically to be vigilant with files, they will not be as cautious as with links. Consequently, we should have multiple risk indicators, one for credential disclosure, one for downloading and opening files, and one for opening attachments. A KRI can be build up using the average or the worse result of these three indicators.

Still, we would not have an accurate measure of these risks. As discussed in a previous post (https://www.apalala.be/phishing-exercises-do-we-measure-them-right/ ), the variance between scenarios is way too high to be able to extrapolate a risk exposure using one situation only. The only reliable result we will have from a test using one scenario is the likelihood of our users to fall for this particular scenario at that moment. Is it enough to make an informed decision? Unlikely.

Worse, we cannot predict with certainty which scenario will have more impact. In other words, the margin of error of such measurement is probably around 40%. We can easily agree that we cannot rely on such an uncertain result to take any decision. Somehow, we should probably accept that measuring our risk exposure is difficult and move to another indicator.
Instead of the risk of failing, we could use our performance in detecting, and reporting, phishing email as an indicator. We could think of the performance in detection as the opposite of the failure. That would be a mistake. Let us have a look at the split of possible behaviours when people receive an email. We can see on the pie that there is a large part of it that is neither green (Detection and reporting) nor red (failure).

This image has an empty alt attribute; its file name is PhishingBehavioursPie.png
Analysis of a typical phishing exercise

The number of people reporting phishing emails is not complementary to the number of people failing the phishing exercise. First, we can fail the test and still report. We should even make that mandatory. It shows that, despite having failed the exercise, we have understood it is essential to pay attention and to report. It emphasizes that accidents may happen, but we still have to perform the expected behaviour.

On the other hand, the subject could have opened the email and just deleted it or ignore it. He may believe that it is a genuine email, and might process it later. The scenario will also have a significant impact on the result. When the scenario is more relevant for the targeted population, there is more chance that the people will fail or detect it as more people will open it. For this reason, we should measure the performance using the ratio between the number of people reporting the phishing email divided by the number of people opening the email. That gives us an accurate view of the percentage of people in our organization performing the expected behaviour, whether they were able to detect the phishing exercise or not. We still have an issue with the false positive that we will discuss in the next post.

There is no perfect way of measuring the risk related to Phishing. However, the four scenarios protocol discussed in our previous post gives us a reliable measure of the effectiveness of training. It is the right candidate for a Key Indicator. Measuring the ratio of phishing reports also provides relevant information regarding Phishing education and cybersecurity culture. We should use both indicators while keeping in mind what they measure. If we read an instrument in a plane and misinterpret the value, it can lead to an accident. It could also happen with our Key Indicators.

I have finalized a short story to summarize how we can address Phishing from a human and a technical point of view. Let me know if you are interested in having a copy.