The ethics of ethical phishing

How to conduct ethical simulated phishing campaigns

Of the infosec professionals surveyed for Proofpoint’s latest ‘State of the Phish’ report, 83% reported they had experienced phishing attacks in 2018 – up from 76% in 2017.

Senior company executives confirm as much, with many reporting they now receive increasingly personalised phishing emails as frequently as daily. With emerging threats becoming ever more sophisticated, it’s little wonder senior execs are asking infosec teams to stem the tide.

In response, many large organisations are turning to simulated phishing.

 

‘Ethical’ phishing?

You may have conducted simulated phishing campaigns in the past. That is to say, you may have sent deliberately deceptive emails to people to gauge their response. Do people click dubious links? Are emails reported as suspicious? Has investment in security awareness training paid off? 

Such simulations can provide useful data on security awareness and behaviours, which helps to quantify risks and identify vulnerabilities. However, measuring phishing vulnerability is more complex than it might seem – especially in multinational organisations.

As researchers from a recent study at the University of Bath said: “It is increasingly clear that a one-size-fits-all approach [to phishing] is unlikely to be sufficient, with the wider message, individual and context-related factors…requiring attention.”

Indeed, the debate over the usefulness of simulated phishing continues. Some believe, for example, that simulated attacks breed a negative, blame-based security culture, something the UK’s National Cyber Security Centre (NCSC) says is simply ‘not OK’. Security training, the NCSC says, should be about ‘building confidence and empowering users’ so people can make informed decisions. The organisation goes on to denounce punishing people or catching people out – sentiment that both CybSafe and The Security Company agree with.

 

The ethics of deception

That said, both CybSafe and The Security Company believe simulated phishing can empower people to prevent innovative emerging threats. In any endeavour involving human participants, there’s a right and wrong way to do things. Clearly, conducting an ethical phishing campaign involves deception. In deliberately sending people a link they shouldn’t click, or asking people to disclose sensitive data to an untrusted source, security professionals raise questions of trust, self-control, self-awareness, responsibility and accountability.

It’s reasonable to assume deception may trigger anxiety and/or distress.

People who feel they have made security mistakes may feel, say, guilt, or even shame. As always, security professionals must take steps to mitigate the negative consequences associated with the security interventions we employ.

The last thing we want to do is antagonise our workforce, or cause unwarranted emotional distress among employees, or reduce faith in management effectiveness.

 

How to ethically phish your employees – the basic steps required

Pre-launch

Prepare suitable notifications for internal communications channels, and ensure senior management, key business units and staff representative groups understand the reasons for the proposed simulated phishing campaign.

Prepare your fraudulent email text and identify your key metrics.

Launch

Remain mindful of the wellbeing both of those who will receive the fake emails and those conducting the campaign. Seek guidance from whoever has responsibility for occupational health – consider how anxiety and panic should be handled – and include any preparatory measures in this regard. 

Going further, clearly, you must ensure your people know how to respond to suspicious emails. If the campaign is part of your security awareness training programme, make sure all those in the campaign have received prior training. Don’t set your people up for failure.

Post-launch and follow-up

Consider your audience and how you will communicate the results, including how you will debrief individuals. 

Post-campaign focus groups can provide nuanced insights into the contextual factors that may influence susceptibility and awareness. Focus groups can also reduce the likelihood of individuals feeling targeted. They serve to promote discussion among colleagues, further raising awareness of security behaviours.

 

To err is human

If you get it right the care you take when conducting simulated phishing campaigns may translate into the care your people take in protecting your organisation. Consider the cultural, emotional, cognitive, motivational, technical and other organisational factors at play in people’s security behaviours, and design mitigations around said factors accordingly. 

Identify risky behaviours, but then seek to understand and influence the mechanisms driving the behaviours – ethically, and with skill.

Bring added value to the whole organisation by recognising that the language of threat and blame has limitations. Instead, shift the focus towards building a culture of security and support.