Educause Security Discussion mailing list archives
Re: Phishing and Security Awareness Training - Faculty
From: "Sburlea, Stefan" <sburlea () CHAPMAN EDU>
Date: Wed, 13 Apr 2016 20:26:38 +0000
Great input, thank you Paul. We were a little concerned about negative feedback that could affect the program. It seems that as long as the effort is well coordinated and announced, this should not be a concern.

Best Regards,
Stefan Sburlea
Chapman University, IS&T Information Security Specialist
sburlea () chapman edu
Desk Phone: 714-744-7802
Chapman University I One University Drive I Orange, California 92866
UNIVERSITY STAFF WILL NEVER ASK FOR YOUR PASSWORD - DO NOT SHARE YOUR PASSWORD WITH OTHERS!

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Paul Chauvet
Sent: Wednesday, April 13, 2016 1:15 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Phishing and Security Awareness Training - Faculty

Hi Stefan,

We've been doing phishing simulations of one form or another for 3-4 years now. They have been extremely effective and very well received. It has been extremely rare that we have had negative reactions to it. Those reactions have been primarily:

* Mild defensive reactions "I only fell for this because I was expecting a message from Human Resources" (or IT, or Payroll, or whatever department we used as the 'from' for internal phishing), or "I only fell for it because I'm so busy" or "You got me because I didn't have my coffee yet"
* Acknowledgement of the fact that they were tricked to "Oh no - you got me!"
* Some users will see the notice saying it was a simulation then will think it is a real phishing/malware attack and call our Help Desk in a panic.

We have had a small handful of people (5 or 6 out of 1300+) who reacted very negatively. Even these people (with one exception) were mollified by a detailed explanation of the psychology and pedagogical justifications of these methods. There was only one person who thought we were actually the criminals trying to gain her credentials. She complained to our Provost who fully supported us and we never heard of that issue again.

We've had a number of faculty and staff who have taken these as a challenge - an attitude I have no problem with. They appreciate the more difficult ones and are glad when they don't fall for it (and those that speak to us are pretty receptive of the awareness even falling for a simulation brings).

P.S. We do try to add positive reinforcement by sending thanks to those who are continually reporting real or simulated threats (and to their supervisors).

Paul Chauvet
Information Security Officer
State University of New York at New Paltz
845-257-3828
chauvetp () newpaltz edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Sburlea, Stefan
Sent: Tuesday, April 12, 2016 7:09 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Phishing and Security Awareness Training - Faculty

Hello,

We are looking at starting a phishing/security awareness training. We are considering something like Wombat Security or GoPhish. Did you do something similar at your university and if yes, did you receive any negative feedback from your staff and faculty? What solution/vendor did you use?

Searching through Educause archives, I found this great 10 point implementation checklist/guide: http://er.educause.edu/blogs/2016/4/phishing-your-users

Any insight is greatly appreciated.

Thank you,
Stefan Sburlea
Chapman University, IS&T Information Security Specialist
sburlea () chapman edu
Desk Phone: 714-744-7802
Chapman University I One University Drive I Orange, California 92866
UNIVERSITY STAFF WILL NEVER ASK FOR YOUR PASSWORD - DO NOT SHARE YOUR PASSWORD WITH OTHERS!