https://www.channelfutures.com/wp-content/themes/channelfutures_child/assets/images/logo/footer-new-logo.png
  • Home
  • Technologies
    • Back
    • SDN/SD-WAN
    • Cloud
    • RMM/PSA
    • Security
    • Telephony/UC/Collaboration
    • Cable
    • Mobility & Wireless
    • Fiber/Ethernet
    • Data Centers
    • Backup & Disaster Recovery
    • IoT
    • Desktop
    • Artificial Intelligence
    • Analytics
  • Strategy
    • Back
    • Mergers and Acquisitions
    • Channel Research
    • Business Models
    • Distribution
    • Technology Solutions Brokerages
    • Sales & Marketing
    • Best Practices
    • Vertical Markets
    • Regulation & Compliance
  • MSP 501
    • Back
    • MSP 501 Rankings
    • NextGen 101 Rankings
  • Intelligence
    • Back
    • Galleries
    • Podcasts
    • From the Industry
    • Reports/Digital Issues
    • Webinars
    • White Papers
  • Channel Futures TV
  • EMEA
  • Channel Chatter
    • Back
    • People on the Move
    • New/Changing Channel Programs
    • New Products & Services
    • Industry Honors
  • Resources
    • Back
    • Channel Futures 20: Top Tech Providers
    • Advisory Boards
    • Industry Organizations
    • Our Sponsors
    • Advertise
    • 2023 Editorial Calendar
  • Awards
    • Back
    • 2022 MSP 501
    • Channel Influencers
    • Circle of Excellence
    • DE&I 101
    • Technology Advisor 101 (TA 101)
    • Channel Leaders Lists
  • Events
    • Back
    • 2023 Call for Speakers
    • CP Conference & Expo
    • MSP Summit
    • Channel Partners Europe
    • Channel Partners Event Coverage
    • Webinars
    • Industry Events
  • About Us
  • DE&I
Channel Futures
  • NEWSLETTER
  • Home
  • Technologies
    • Back
    • SDN/SD-WAN
    • Cloud
    • RMM/PSA
    • Security
    • Telephony/UC/Collaboration
    • Cable
    • Mobility & Wireless
    • Fiber/Ethernet
    • Data Centers
    • Backup & Disaster Recovery
    • IoT
    • Desktop
    • Artificial Intelligence
    • Analytics
  • Strategy
    • Back
    • Mergers and Acquisitions
    • Channel Research
    • Business Models
    • Distribution
    • Technology Solutions Brokerages
    • Sales & Marketing
    • Best Practices
    • Vertical Markets
    • Regulation & Compliance
  • MSP 501
    • Back
    • MSP 501 Rankings
    • NextGen 101 Rankings
  • Intelligence
    • Back
    • Galleries
    • Podcasts
    • From the Industry
    • Reports/Digital Issues
    • Webinars
    • White Papers
  • Channel Futures TV
  • EMEA
  • Channel Chatter
    • Back
    • People on the Move
    • New/Changing Channel Programs
    • New Products & Services
    • Industry Honors
  • Resources
    • Back
    • Channel Futures 20: Top Tech Providers
    • Advisory Boards
    • Industry Organizations
    • Our Sponsors
    • Advertise
    • 2023 Editorial Calendar
  • Awards
    • Back
    • 2022 MSP 501
    • Channel Influencers
    • Circle of Excellence
    • DE&I 101
    • Technology Advisor 101 (TA 101)
    • Channel Leaders Lists
  • Events
    • Back
    • 2023 Call for Speakers
    • CP Conference & Expo
    • MSP Summit
    • Channel Partners Europe
    • Channel Partners Event Coverage
    • Webinars
    • Industry Events
  • About Us
  • DE&I
    • Newsletter
  • REGISTER
  • MSPs
  • VARs / SIs
  • Agents
  • Cloud Service Providers
  • Channel Partners Events
 Channel Futures

From the Industry


Getty Images

Sponsor Content

security awareness training

Finding Security Awareness Training Balance

  • Written by Webroot Guest Blogger
  • November 30, 2021
Here’s how to ensure that your security awareness training is neither too hard nor too easy.

Earlier this year, the National Institute for Standards and Technology (NIST) published updated recommendations for phishing simulations in security awareness training programs. We discussed it on our Community page soon after the updated standards were released, but the substance of the change bears repeating.

“Practical exercises include no-notice social engineering attempts to collect information, gain unauthorized access, or simulate the adverse impact of opening malicious email attachments or invoking, via spear-phishing attacks, malicious web links.” – NIST SP 800-53, Rev. 5, Section 5.3 (pg. 60)

This update includes a recommendation for “no-notice” phishing simulations to be delivered at the beginning of security awareness training programs to more accurately gauge the readiness of a set of users to recognize a phishing attempt. The thinking is obviously that letting users in on the phishing simulation game will heighten suspicion of their inbox and skew baseline results. This concern can be thought as a spin-off of the well-studied “observer effect” known in many scientific fields: Observing the behavior of something necessarily changes that behavior.

While it might be tempting for a chief information security officer (CISO) or other IT professional to take high grades on a phishing simulation as a sign of a job well done, that can be a dangerous conclusion to draw. Phishing tests that are too easy do little to address a problem that’s become one of the most common methods of entry for ransomware attacks. If IT professionals grade on a curve here, they’re doing very little to improve their organization’s overall cyber resilience.

Combatting this false sense of confidence about users’ ability to spot phishing attacks requires making sure simulations aren’t too easy to spot.

What Makes a Phishing Simulation Too Easy?

After putting some thought into that question, NIST researchers published a paper last year in the Journal of Cybersecurity citing three key criteria for determining if a phishing simulation makes for good training.

According to the authors, “low click rates do not necessarily indicate training effectiveness and may instead mean the phishing emails” were:

  1. Too obvious: Either errors were too overt, or these templates were running something akin to the Nigerian Prince scam. Either way, they won’t help an employee overcome today’s more sophisticated phishing attempts.
  2. Not relevant to staff: We’re all busy at work, so deleting an email offering 25% off at Ed’s Golf Cart Repair Shop doesn’t mean a user is an expert at spotting scams. It just means there was nothing in the simulation that enticed the user to click.
  3. The phish was repeated or was similar to one that was: Phish me once, shame on me … But, seriously, this drives home the importance of having a wide range of phishing templates. These programs work best when they’re ongoing, so it’s important to switch it up.

On the other hand, a phishing simulation is convincing if it does the following to some degree:

  • Mimics a workplace process or practice
  • Has workplace relevance
  • Aligns with other situations or events, including those external to the workplace
  • Presents consequences for not clicking (for example, buy gift cards or we lose the client)
  • References targeted training, specific warnings or other exposure

Tip: NIST has devised a weighted version of this scale, “the phish scale,” that you can use to determine the difficulty of your simulations. A phishing simulation that has all of the above characteristics would be considered extremely difficult. That’s good, right?  Click on Page 2 to continue reading…

  • Page 1
  • Page 2
Tags: MSPs Intelligence Best Practices From the Industry Security Webroot Sponsor Content

Most Recent


  • td synnex ciso
    The Gately Report: TD Synnex CISO on Protecting the World's Largest Distributor
    Apria Healthcare takes years to report massive data breach.
  • ransomware attacks
    Survey: Backups Are Prime Targets for Ransomware Attacks, Most Remain Exposed
    Veeam’s 2023 Ransomware Trends Report shows many pay ransom but don’t always recover.
  • call for speakers
    Channel Futures Leadership Summit Call for Speakers Open
    Speaker applications for “The New Style of Leadership” are open until July 3.
  • Faces of the Partner
    Faces of the Partner: 6 New Tech Advisors Entering the Channel
    A significant portion of the partner community is retiring. Who will replace them?

Leave a comment Cancel reply

-or-

Log in with your Channel Futures account

Alternatively, post a comment by completing the form below:

Your email address will not be published. Required fields are marked *

Related Content

  • cyberthreats
    Top Cyberthreats for Partners to Look out for in 2022
  • There’s Still Time to Capitalize on UCaaS Opportunities
  • future of the MSP
    The Future of the MSP: What Today’s IT Leaders Have to Say
  • buyers needs
    The New Buyer

Upcoming Events

View all

Channel Partners Europe

June 13, 2023 - June 14, 2023

Channel Futures Leadership Summit

October 30, 2023 - November 2, 2023

Channel Partners Conference & Expo

March 11, 2024 - March 14, 2024

Galleries

View all

The Gately Report: TD Synnex CISO on Protecting the World’s Largest Distributor

May 30, 2023

Survey: Backups Are Prime Targets for Ransomware Attacks, Most Remain Exposed

May 26, 2023

Faces of the Partner: 6 New Tech Advisors Entering the Channel

May 26, 2023

Industry Perspectives

View all

Dell Technologies World: Dell Apex Expanded Across On-Premises, Cloud and Edge

May 22, 2023

Identity Is Increasingly Valuable – and Targeted

May 18, 2023

Gaining a Competitive Advantage through AV Managed Services

May 10, 2023

Webinars

View all

From Problem to Profit: Mastering the Science of Selling Using Business Outcomes

May 9, 2023

Meet the 2023 Channel Futures Channel Influencers

April 13, 2023

DE&I Dialogue: How the Right DE&I Initiatives Can Propel Your Business

April 5, 2023

White Papers

View all

6 UCaaS Reseller Challenges and How Real World Businesses Solved Them

February 1, 2023

Frost Radar: North American UCaaS Market, 2022

February 1, 2023

The Complete Guide to White-Label UCaaS for Reseller Success

February 1, 2023

Channel Futures TV

View all

Coffee with Craig and James Episode No. 123: MartinWolf M&A Advisors, CP Expo Preview

UScellular Takes On Rivals with Partner Program Simplicity

April 21, 2023

OpenText Simplifying Deal Registration, Doubling Down on MDF

April 21, 2023

Everything-as-a-Service: CloudBlue Touts Critical Customer Transition

April 18, 2023

Twitter

ChannelFutures

Our latest #GatelyReport includes a Q&A with @TDSYNNEX CISO Dan Lasher, #cyberattack in Augusta, Georgia, Apria Hea… twitter.com/i/web/status/1…

May 30, 2023
ChannelFutures

Who has been a diversity, equity & inclusion role model in your career? Take a moment to honor their initiatives in… twitter.com/i/web/status/1…

May 29, 2023
ChannelFutures

Paul Green @msp_voice will help MSPs gain more #customers and #sales at @ChannelEurop June 13.… twitter.com/i/web/status/1…

May 26, 2023
ChannelFutures

.@coalesceIO unveils revamped partner program. #datatransformation dlvr.it/SphJm4 https://t.co/s7fYAVmFGD

May 26, 2023
ChannelFutures

.@Veeam #Ransomeware survey: backups are not adequately protected, 85% suffered at least 1 attack in past year… twitter.com/i/web/status/1…

May 26, 2023
ChannelFutures

.@MSPSummit call for speakers is open now through July 3. The theme for this year’s summit is “The New Style of Lea… twitter.com/i/web/status/1…

May 26, 2023
ChannelFutures

Channel Futures interviewed six individuals who started an agency in the last two years. dlvr.it/SpgV6l https://t.co/JXKhJcw31A

May 26, 2023
ChannelFutures

Channel Futures interviewed six individuals who started an agency in the last two years. dlvr.it/SpgTQg https://t.co/7eIp0XgwQ2

May 26, 2023

MSP 501

The industry's largest and most comprehensive partner awards program.

Newsletters and Updates

Sign up for The Channel Report, Channel Futures Update, MSP 501 Newsletter and more.

Live Channel Events

Get the latest information on the next industry-leading Channel Partners event.

Galleries

Educational slide shows and images from live events.

Media Kit And Advertising

Want to reach our audience? Access our media kit.

DISCOVER MORE FROM INFORMA TECH

  • Channel Partners Events
  • Telecoms.com
  • MSP 501
  • Black Hat
  • IoT World Today
  • Omdia

WORKING WITH US

  • Contact
  • About Us
  • Advertise
  • Newsletter

FOLLOW Channel Futures ON SOCIAL

  • Privacy
  • CCPA: “Do Not Sell My Data”
  • Cookie Policy
  • Terms
Copyright © 2023 Informa PLC. Informa PLC is registered in England and Wales with company number 8860726 whose registered and Head office is 5 Howick Place, London, SW1P 1WG.
This website uses cookies, including third party ones, to allow for analysis of how people use our website in order to improve your experience and our services. By continuing to use our website, you agree to the use of such cookies. Click here for more information on our Cookie Policy and Privacy Policy.
X