Phishing is prevalent because it provides big rewards for relatively little effort on the part of a hacker. The past decade of security research shows that employees regularly fall victim to attacks and that phishing is considered one of the easiest ways to access corporate infrastructure. Per recent statistics, 25% of your employees will be phished in the next 12 months and when they do, they’ll inadvertently involve themselves in one of these malicious activities:

  • Click a link that leads to a download website
  • Post sensitive information to websites
  • Open high-risk attachments

Measuring the effectiveness of any program should be based on performance outcomes. For security awareness programs, this entails charting secure vs. insecure practices and measuring them–both before and after the program. For a phishing simulation program the following KPIs could be used:

Serial Clickers rate: The % of employees that are failing sequential in the most recent campaigns (high-risk group)
Employee Resilience Score: The average number of successful simulation between failures (for the employees that are failing)
Group Risk distribution: the distribution of employees between high, medium, and low-risk group

Awareness is defined as “knowing that something exists”. Phishing awareness means that employees are aware of the existence of fraudulent email.” Unfortunately, awareness does not drive action. As security professionals, we’re interested in safe practices rather than convictions so from a corporate security perspective the goal is to help Jane avoid a phishing email without knowing what it means rather than the other way around. Most awareness programs are focused on making employees aware and are measured accordingly If phishing concerns you, you should take the required steps to reduce the chances that employees will actually fall prey to it.

CybeReady’s onboarding process (time-to-value) is essentially 48 hours. All we need is a file with your employee address book (name, email, role, region/language) and for you to whitelist our domains. However, the actual time-to-value highly depends on the customer collaboration and willingness to provide the necessary input within the requested time window, After all, this is a joint effort!

CybeReady requires nearly zero effort to operate. It’s fully automated and powered by a smart data engine that was designed to select, assign, customize, modify and analyze the simulations per each user better than any human-operated solution.

When calculating the total cost of a security awareness training program three elements should be factored in:
(1) Product cost (e.g. subscription fees, software license)
(2) Time: the time your IT team has to invest in order to deploy and operate the solution
(3) Number of simulations: how many times was the solution used to generate value

When looking to purchase a phishing simulation solution, most companies only calculate the product cost and fail to include the cost of required time to operate and most importantly how value (# of simulations will be retrieved).

On-the-job (OJT) training also known as JIT (Just in time) is a training paradigm that calls for training employees through performance in real life scenarios and immediate feedback. OJT and experience-led training is especially important for the implementation of practices, rather than theoretical knowledge. As phishing requires the implementation of secure practices, training methods that emphasize practice over memorisation have higher chances to succeed.

It’s true that if we scheduled all phishing simulations according to predefined times of day, it would allow help desk personnel to better prepare and reduce the overall cost. However, when performed this way, it might invoke a social desirability bias in which employees over-report to the help desk because they’re now aware of an ongoing exercise and their willingness to receive a good score. Minimizing help desk calls is a combination of simulation scheduling (evenly spreading campaigns across the month) email content variation and proper training of the help desk team prior to the simulation.