Security Think Tank: Making a game of phishing

What are the most effective types of security controls and end user training approaches to dealing with phishing?

Phishing continues to be the most popular route for cyber criminals, and was number one on the Top 10 Common Threat Techniques list in the (ISC)2 Global Information Workforce Study.

Given that anyone can fall victim to a phishing attack, in each organisation there is a need to raise awareness and do more on education. This should take place not just in cyber security and risk teams, but more importantly across the entire employee base.

Educating people on what to look out for in phishing emails is always going to be difficult, particularly in the case of increasingly sophisticated spear phishing attacks. To add to that, the busy rhythms we all work to mean there is often little time to think while reacting to an already packed mailbox. An employee might think, “So what if I click on this link?” or “My IT/security department should be able to protect me if I open this attachment from an unknown source.”

As a result, employees are often unaware of the consequences of their actions. The simplest way of breaking out of this mindset and educating people is by gamifying the process of falling victim to a phishing attack.

A good analogy is to compare an organisation to the human body’s immune system. To become immune to a disease, the body has to be vaccinated. This involves introducing the body, or in this case the organisation, to small, weak doses of the disease so it knows what it’s looking for.

This YouTube video explains how Twitter implemented this concept very well.

In this analogy, the vaccine is telling people not to click on strange links. If they don’t know whether they should click or not, they should ask their colleagues, who might be able to help.

When new employees who are not vaccinated join the organisation, it needs a “booster shot”. This is where gamification comes in.

The security team at Twitter actively runs spear phishing campaigns with a number of different attacks to test employees on what they are susceptible to. These are different to awareness programmes, as they are trying to trick staff into falling for it.

The aim, however, is that over time they learn the security culture of the organisation and what to flag to the security team. The business becomes safer as a result.

The security team maintains a feedback loop with new employees, monitoring whether they click links or are familiarising themselves with what phishing attacks look like. After these campaigns, the security team concisely explains what employees fell for, what they did well on, and how they are protecting the organisation.
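The feedback loop described above needs numbers behind it: per-campaign click and report rates, who keeps clicking, and who has moved from clicking to reporting. The following is an added example, not code from the article, from (ISC)2 or from Twitter’s programme. It assumes a hypothetical simulation log in the form `campaign_id,employee_id,action` where the action is one of `clicked`, `reported` or `ignored`, and campaign identifiers that sort in chronological order; the sample log is constructed for illustration.

```python
from collections import defaultdict

# Constructed sample log of three simulated campaigns (hypothetical format:
# campaign_id,employee_id,action). Not real data.
SAMPLE_LOG = """\
c1,alice,clicked
c1,bob,reported
c1,carol,ignored
c1,dave,clicked
c2,alice,reported
c2,bob,reported
c2,carol,clicked
c2,dave,clicked
c3,alice,reported
c3,bob,reported
c3,carol,reported
c3,dave,clicked
"""

VALID_ACTIONS = {"clicked", "reported", "ignored"}


def parse_log(text):
    """Parse the hypothetical log into (campaign, employee, action) tuples."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        campaign, employee, action = (field.strip() for field in line.split(","))
        if action not in VALID_ACTIONS:
            raise ValueError(f"unknown action {action!r} in line {line!r}")
        records.append((campaign, employee, action))
    return records


def campaign_rates(records):
    """Click rate and report rate per campaign, keyed by campaign id."""
    counts = defaultdict(lambda: {a: 0 for a in VALID_ACTIONS})
    for campaign, _employee, action in records:
        counts[campaign][action] += 1
    rates = {}
    for campaign, c in sorted(counts.items()):
        total = sum(c.values())
        rates[campaign] = {
            "participants": total,
            "click_rate": c["clicked"] / total,
            "report_rate": c["reported"] / total,
        }
    return rates


def repeat_clickers(records, min_clicks=2):
    """Employees who clicked in at least min_clicks campaigns (follow-up candidates)."""
    clicks = defaultdict(int)
    for _campaign, employee, action in records:
        if action == "clicked":
            clicks[employee] += 1
    return sorted(e for e, n in clicks.items() if n >= min_clicks)


def improved_employees(records):
    """Employees who clicked in an earlier campaign but reported in the latest one.

    Assumes campaign ids sort chronologically (true for the constructed sample).
    """
    history = defaultdict(list)
    for campaign, employee, action in sorted(records):
        history[employee].append(action)
    return sorted(
        e for e, actions in history.items()
        if "clicked" in actions[:-1] and actions[-1] == "reported"
    )


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for campaign, r in campaign_rates(recs).items():
        print(f"{campaign}: click {r['click_rate']:.0%}, report {r['report_rate']:.0%}")
    print("repeat clickers:", repeat_clickers(recs))
    print("improved:", improved_employees(recs))
```

The report rate is the metric worth watching most: a falling click rate alone can mean people simply stopped opening the mail, whereas a rising report rate shows the “ask a colleague, flag it to security” habit the article describes is taking hold. The repeat-clicker list is the input to the follow-up conversation, not a scoreboard.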

In essence, we are teaching employees in our organisations how to better deal with phishing attacks by gamifying them and encouraging a discussion.

Yiannis Pavlosoglou – chair of EMEA advisory council at (ISC)2 and strategic change manager for operational resilience at UBS.
