Page 16 - Cyber Defense eMagazine - September 2017
To really solidify this learning process, it is also best to retest the users who failed a week or so after
the initial simulation. If the same individuals fail both the initial simulation and the retest in every round of
testing, further action may be required.
Consistency is everything
As you have probably realized by now, this type of program never really ends. More sophisticated
simulation campaigns can always be constructed, and employee churn alone will ensure an
ongoing need for a phishing defense program.
As a rule, testing your employees once per month (and retesting any who fail) is a good
baseline in terms of frequency.
But no matter how good, and how consistent, you are, mistakes will always be made. We are
talking about people here, not machines, so a 100% success rate is not a reasonable goal.
For this reason, I would never suggest that a program like the one I have described could replace the
need for technological controls, incident response professionals, or high-quality security
products. What I would say, however, is this: if you are truly committed to fighting back against
phishing, you will need to have both your users and your technology on your side.
Copyright © Cyber Defense Magazine, All rights reserved worldwide.