Phishing attacks are a constant challenge for businesses everywhere. As threat actors increase the sophistication of their methods, security awareness teams can use phishing simulations to help train employees to recognize and respond safely to real-life phishing attempts.
This approach can be especially effective when the difficulty level of a simulated phishing scenario fits each person. That’s why security practitioners need to make impartial, data-driven decisions when they choose those difficulty levels.
In this post, we discuss the importance of objectivity—both for security practitioners who send phishing tests and for security leaders who evaluate the outcomes. With a reliable way to score phishing simulations, you can:
- Efficiently test and find your employees’ knowledge gaps
- Reliably target and improve user behavior on an ongoing basis
- Report a trusted big picture of human risk reduction
1: Efficiently test and find your employees’ knowledge gaps
The big question is, how do you find the right phishing difficulty level for each person? Security practitioners must have a reliable, consistent way to evaluate the phishing simulation templates. And they must avoid subjective guesswork. It is vital to be correct in your assessments of the difficulty levels of phishing templates. Otherwise, the templates may be too easy or too challenging for people. And that will make it hard for you to know what your employees will do in real-world attack scenarios.
An objectively measured difficulty scale is a must. It sets the foundation for sending phishing tests that fit the right level of difficulty for each employee so that you can assess what they do and don’t know. Once you can effectively evaluate their knowledge gaps about cybersecurity, you have reliable context that will help you decide what targeted training each person requires.
With Proofpoint Security Awareness, we run a machine-learning algorithm that automatically calculates the difficulty level of our phishing templates. Difficulty cues are based on the NIST PhishScale. This is an industry-accepted rating by the National Institute of Standards and Technology (NIST), which was created through rigorous research and analysis.
Our Machine-Learning Leveled Phishing uses this combined methodology to avoid the errors that come from manual calculation and subjective assumptions. For instance, if security practitioners manually rate the difficulty level of phishing templates, they might each evaluate the suspicious cues with degrees of variance. They might use personal judgment that has logical mistakes or inadvertently apply their own biases, or they might interpret the cues from a limited viewpoint. Also, since many people typically run an awareness program, each person’s definition of easy versus difficult will be different.
2: Reliably target and improve user behavior on an ongoing basis
How do you know whether a phishing simulation is effective? When you trust the objectivity of a difficulty scoring system, you can trust that a phishing template is accurately rated as low, medium or high difficulty.
This gives context to why a phishing campaign has a low or high click rate, or a low or high reporting rate. A low click rate for a high-difficulty simulation means that your employees are resilient about those cues for spotting a phish. A decrease over time in the click rate for that template shows an improvement in people’s resilience.
Security practitioners have predictable baseline data to help target and change people’s behavior on an ongoing basis. You can look at who falls for each difficulty level and know that the metrics are a reliable analysis of the user’s performance. That, in turn, makes you more effective in your efforts to target performance outcomes.
In contrast, if you take a subjective approach when you rate the difficulty scoring, the effectiveness of a phishing template could be murky. When people score based on their perception and judgment, the assessment becomes inherently flawed. And when that happens, the phishing simulations that are paired with employees could artificially impact the data outcomes.
In Proofpoint Security Awareness, our Leveled Phishing templates are objectively scored as beginner, intermediate or advanced. The levels are rated by machine learning, rather than humans. That means each “advanced” level template is consistent with the other advanced templates. You can feel confident about giving a high-difficulty advanced template to employees who have intermediate knowledge so that you can keep upleveling their training.
This consistency also enables practitioners to select follow-up training that matches the level of the difficulty rating. This ties into the greater benefit of our Adaptive Learning Framework. This is the Proofpoint approach to security education, which goes along a progressive scale from basic habits to advanced concepts. Adaptive learning ensures people are trained on the right level of difficulty that is tailored to their individual needs.
3: Report a trusted big picture of human risk reduction
The goal of phishing simulations—and security awareness overall—is to reduce human-centric security risk. You need trustworthy metrics to report the big picture of risk to your stakeholders. Whether you are talking to the director of security, the CISO or the executive board, phishing metrics can help to show the impact your program is having on organizational risk. You can also justify employee training time.
In short, phishing campaigns that use objective difficulty scores can give you a better story to tell your stakeholders. The reporting data provides more context about the actions, or the non-actions, of employees. You can measure the difficulty level and use it as a factor to explain why there is a lower click rate on a campaign. And if management asks you why the phishing campaigns are harder this quarter, you can explain the reliable data behind why you sent high-difficulty templates to users.
As threat actors create more advanced phishing attacks, organizations must advance their employees’ security skills to keep pace. With Proofpoint Security Awareness, Leveled Phishing helps ensure that your users’ skills and knowledge are tested by phishing simulations that look like real-world threats. Leveled Phishing can help you to achieve better security outcomes. It also makes it easier to communicate your successes to others.
Get maximum impact with Proofpoint
All people are different. So are all phishing templates. To uncover knowledge gaps and target the risk level of each user, security awareness teams need to determine the difficulty level that fits each employee.
When you send phishing simulations with objectively established difficulty levels, you can realize many benefits. Top among them are the ability to:
- Improve the effectiveness of targeted training
- Align additional training more closely with phishing results
- Strengthen adaptive learning with progressive tailored training
- Get better metrics about resiliency to real-life phishing
- Paint a more detailed picture that moves your program forward
- Improve the security posture of your business
Be sure to integrate this activity with an understanding of your company’s unique risks. An awareness of current phishing trends and techniques is essential, too.
At Proofpoint, we use industry-leading threat intelligence to build phishing simulations that reflect real-world threats. We wrap those phishing tests and training materials around an adaptive learning framework that you can use to teach your employees with a progressive and personalized approach.
To learn more about Proofpoint Security Awareness, see our product page.