The US National Institute of Standards and Technology (NIST) has said it has developed a way of measuring precisely why corporate staff click on obvious phishing emails and open malware-laden attachments, despite warnings not to do those things.
"Many organizations have phishing training programs in which employees receive fake phishing emails generated by the employees' own organization to teach them to be vigilant and to recognize the characteristics of actual phishing emails," said NIST in a statement announcing its new Phish Scale.
This scale, said the institute, is intended to help CISOs figure out why idiot users, er, well-meaning staff keep clicking on phishing emails and their attachments, typically unleashing everything from common-or-garden infostealers to full-blown ransomware infections.
A training tool rather than something to deploy as part of a production environment, the Phish Scale uses a five-point scale to determine why click rates for some training emails (fake phishing messages used by a blue team) are lower than others.
"The new method uses five elements that are rated on a 5-point scale that relate to the scenario's premise," said NIST. "The overall score is then used by the phishing trainer to help analyze their data and rank the phishing exercise as low, medium or high difficulty."
A detailed paper about the training technique (link below) explained how training emails tend to be targeted at present, breaking that down into specific categories: "Error – relating to spelling and grammar errors and inconsistencies contained in the message; Technical indicator – pertaining to email addresses, hyperlinks and attachments; Visual presentation indicator – relating to branding, logos, design and formatting; Language and content – such as a generic greeting and lack of signer details, use of time pressure and threatening language; and, Common tactic – use of humanitarian appeals, too good to be true offers, time-limited offers, poses as a friend, colleague, or authority figure, and so on."
The idea is that infosec bods can then use that data to tailor their phishing training in the hope of avoiding the scenario where obvious training emails are easily spotted, click rates are low, and the C-suite are left thinking their staff know everything there is to know about not getting phished.
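To make the ranking idea concrete, here is a small added example (not NIST's code, and not the published Phish Scale scoring) that takes the five cue categories quoted above, counts the cues a trainer spots in a simulated email, folds in an assumed premise-alignment rating, and buckets the exercise as low, medium or high difficulty. The weights, the 1-to-5 premise rating and the bucket thresholds are assumptions chosen for illustration; the sample emails are constructed.

```python
"""Toy difficulty rubric for simulated phishing emails.

The five cue categories come from the article. Everything else (the
premise-alignment rating, the scoring formula and the low/medium/high
thresholds) is an ASSUMPTION for illustration, not NIST's published method.
"""
from dataclasses import dataclass, field

# Cue categories named in the article: the things a recipient could notice.
CUE_CATEGORIES = (
    "error",                 # spelling, grammar, inconsistencies
    "technical_indicator",   # sender address, hyperlinks, attachments
    "visual_presentation",   # branding, logos, formatting
    "language_and_content",  # generic greeting, urgency, threats
    "common_tactic",         # too-good-to-be-true offers, impersonation
)


@dataclass
class TrainingEmail:
    name: str
    # Number of observable cues per category, recorded by the trainer
    # while reviewing the message before it is sent.
    cues: dict = field(default_factory=dict)
    # Assumed 1..5 rating of how well the pretext fits the target audience
    # (5 = a pretext that is highly plausible for these recipients).
    premise_alignment: int = 3


def total_cues(email: TrainingEmail) -> int:
    """Sum the cues across the five categories, rejecting unknown keys."""
    unknown = set(email.cues) - set(CUE_CATEGORIES)
    if unknown:
        raise ValueError(f"unknown cue categories: {sorted(unknown)}")
    return sum(email.cues.get(category, 0) for category in CUE_CATEGORIES)


def difficulty(email: TrainingEmail) -> str:
    """Rank an exercise as 'low', 'medium' or 'high' difficulty.

    Assumed formula: more visible cues make the email easier to spot (lower
    difficulty); a better-aligned premise makes it harder. Thresholds are
    arbitrary and exist only to demonstrate the bucketing.
    """
    if not 1 <= email.premise_alignment <= 5:
        raise ValueError("premise_alignment must be between 1 and 5")
    score = email.premise_alignment * 2 - total_cues(email)
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def rank_exercises(emails: list) -> list:
    """Return (name, difficulty) pairs, hardest first, so a trainer can see
    whether a low click rate came from an easy email rather than a sharp staff."""
    order = {"high": 0, "medium": 1, "low": 2}
    ranked = [(e.name, difficulty(e)) for e in emails]
    return sorted(ranked, key=lambda pair: order[pair[1]])


# Constructed sample exercises, not real campaign data.
OBVIOUS = TrainingEmail(
    "lottery-win", premise_alignment=2,
    cues={"error": 3, "technical_indicator": 2, "visual_presentation": 1,
          "language_and_content": 2, "common_tactic": 1},
)
PLAUSIBLE = TrainingEmail(
    "it-password-reset", premise_alignment=4,
    cues={"technical_indicator": 2, "language_and_content": 2},
)
TARGETED = TrainingEmail(
    "invoice-from-known-supplier", premise_alignment=5,
    cues={"technical_indicator": 1},
)

if __name__ == "__main__":
    for name, level in rank_exercises([OBVIOUS, PLAUSIBLE, TARGETED]):
        print(f"{name:30s} {level}")
```

The point of `rank_exercises` is the one the article makes: a click rate only means something once you know how hard the bait was, so the rubric output belongs next to the click statistics when results go to the C-suite.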
An academic paper about the Phish Scale – a piece of in-house NIST research carried out by Michelle Steves, Kristen Greene and Mary Theofanos – can be found on the NDSS Symposium website as a PDF. ®