The Language of Cyber Attacks by Aaron Mauro

Author:Aaron Mauro
Language: eng
Format: epub
ISBN: 9781350354708
Publisher: Bloomsbury Publishing Plc
Published: 2024-06-24T00:00:00+00:00

Ethical Phish

If your workplace begins referring to employees as family, you know that they are either not paying you enough, cutting your benefits, or conducting a phishing simulation. The ethics of ethical phishing has long been an issue within institutions with many managed accounts. Universities, corporations, and governments often test their employees by asking (or forcing) them to participate in “phishing simulations.” A phishing simulation allows IT security to test users’ ability to detect deceit, like email or any other cloud service with messaging—by attempting to tricking them into clicking, downloading, or otherwise engage in risky behavior that would result in a point of compromise. The simulation is generally designed to test security policies and practices, as well as train users to reduce susceptibility to legitimate attacks. There is a broad consensus among vendors of phishing simulation services about some basic ground rules: avoid playing on an employees’ trust in the organization, including a lure predicated on bonus pay-outs, losing work benefits, termination notices, loss of personal possessions in the workplace, or personal company-protected data leaks; avoid threatening an employees’ homes or personal sense of security;81 avoid embarrassing or shaming employees; and avoid punishing employees for making a mistake during a simulation.82 It is more than a little concerning that any of these ethical practices need to be spelled out, but here we are.

To conduct an ethical phishing simulation, several best practices are recommended. First, a pre-launch campaign should be initiated to clearly define the purpose and scope of the phishing simulation, establish lines of communication for the duration of the test, and ensure that managers are equipped to support their teams. Second, the simulation should be designed with the mental well-being of participants in mind, considering the potential for heightened anxiety or panic. Lastly, it is crucial that the results of the simulation are communicated transparently to employees, and that any subsequent training is framed as a supportive measure rather than a punitive action.83

There are many vendors for these services and all large cloud service providers offer documentation on how they will run a successful phishing simulation. While this is a common security service offering that helps managers feel as though their employees are well trained, the effectiveness of human subject experimentation as a testing and training exercise is not clear. There is good research suggesting that phishing simulations do very little to reduce susceptibility to phishing in the workplace, specifically in the university context, in actual terms.84 The authors of a study exploring the susceptibility to phishing in the university-based workplace report “67 percent of employees who respond to simulated phishing attacks are repeat victims and therefore likely to respond to phishing emails more than once.”85

The authors of this study used many of the terms associated with Hadnagy’s central tenets of manipulation and influence defined under social engineering, including authority, urgency, reciprocity, and scarcity.86 The authors of this study went on to discover that urgency and authority cues “contribute to increased susceptibility with a workplace setting.”87 Perhaps most

Download

Copyright Disclaimer:
This site does not store any files on its server. We only index and link to content provided by other sites. Please contact the content providers to delete copyright contents if any and email us, we'll remove relevant links or contents immediately.