Educause Security Discussion mailing list archives

Re: Faculty Acceptance of Security Awareness Education?


From: Ken Connelly <Ken.Connelly () UNI EDU>
Date: Tue, 1 Dec 2009 10:06:52 -0600

Steve Romig wrote:
> On Nov 30, 2009, at 12:07 PM, Matthew Wollenweber wrote:
>> I'm friends with the phishme guys and the metrics they have are 25%
>> of people fall for unsophisticated attacks and 75% fall for
>> sophisticated attacks.
>
> If that's true, then wow.
>
> Does anyone know of any actual studies about response rates to
> phishing attacks and effectiveness of training (or for social
> engineering attacks in general)?  I've got a friend in the consulting
> business who does phishing attacks for the banking industry, and he
> claims a 7% pre-training response rate for semi-sophisticated attacks
> (some effort made to make the phish look credible - attaching names of
> actual bank execs, use the bank's name in the email, no
> spelling/grammar mistakes, etc.)
>
> 7% is a far cry from even 25%, let alone 75%.  I've heard other
> numbers from other people, and I don't have any grounds to disbelieve
> any of them (and they could all be true in their own contexts, anyway).
>
> --- Steve

Don't forget, the "phishme" guys help their cause by using the highest
possible numbers they can justify - it helps them make a case that their
services are needed.  It's the same theory behind why end-user personal
firewalls are so incredibly noisy - to make the user constantly aware
that the software is very active and worth the cost.  After all,
wouldn't you be happy that it stopped an "attack" (single packet) on
port 23423?  Even though there's no daemon listening to that port?

--
- Ken
=================================================================
Ken Connelly             Associate Director, Security and Systems
ITS Network Services                  University of Northern Iowa
email: Ken.Connelly () uni edu   p: (319) 273-5850 f: (319) 273-7373