Educause Security Discussion mailing list archives

Re: Phishing and Security Awareness Training - Faculty


From: "Sburlea, Stefan" <sburlea () CHAPMAN EDU>
Date: Wed, 13 Apr 2016 20:26:38 +0000

Great input, thank you Paul. We were a little concerned about negative feedback that could affect the program.
It seems that as long as the effort is well coordinated and announced, this should not be a concern.



Best Regards,

Stefan Sburlea

Chapman University, IS&T
Information Security Specialist
sburlea () chapman edu
Desk Phone: 714-744-7802
Chapman University | One University Drive | Orange, California 92866
UNIVERSITY STAFF WILL NEVER ASK FOR YOUR PASSWORD - DO NOT SHARE YOUR PASSWORD WITH OTHERS!

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Paul Chauvet
Sent: Wednesday, April 13, 2016 1:15 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Phishing and Security Awareness Training - Faculty

Hi Stefan,

We've been doing phishing simulations of one form or another for 3-4 years now.  They have been extremely effective and 
very well received.  It has been extremely rare that we have had negative reactions to it.

Those reactions have been primarily:

* Mild defensive reactions: "I only fell for this because I was expecting a message from Human Resources" (or 
IT, or Payroll, or whatever department we used as the 'from' for internal phishing), or "I only fell for it because I'm 
so busy" or "You got me because I didn't have my coffee yet"

* Acknowledgement of the fact that they were tricked: "Oh no - you got me!"

* Some users will see the notice saying it was a simulation, then will think it is a real phishing/malware 
attack and call our Help Desk in a panic.

We have had a small handful of people (5 or 6 out of 1300+) who reacted very negatively.  Even these people (with one 
exception) were mollified by a detailed explanation of the psychology and pedagogical justifications of these methods.  
There was only one person who thought we were actually the criminals trying to gain her credentials.  She complained to 
our Provost who fully supported us and we never heard of that issue again.

We've had a number of faculty and staff who have taken these as a challenge - an attitude I have no problem with.  They 
appreciate the more difficult ones and are glad when they don't fall for it (and those that speak to us are pretty 
receptive of the awareness even falling for a simulation brings).

P.S.  We do try to add positive reinforcement by sending thanks to those who are continually reporting real or 
simulated threats (and to their supervisors).


Paul Chauvet
Information Security Officer
State University of New York at New Paltz
845-257-3828
chauvetp () newpaltz edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Sburlea, Stefan
Sent: Tuesday, April 12, 2016 7:09 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Phishing and Security Awareness Training - Faculty

Hello,

We are looking at starting a phishing/security awareness training.
We are considering something like Wombat Security or GoPhish.

Did you do something similar at your university and if yes, did you receive any negative feedback from your staff and 
faculty?
What solution/vendor did you use?

Searching through Educause archives, I found this great 10-point implementation checklist/guide: 
http://er.educause.edu/blogs/2016/4/phishing-your-users

Any insight is greatly appreciated.


Thank you,

Stefan Sburlea

Chapman University, IS&T
Information Security Specialist
sburlea () chapman edu
Desk Phone: 714-744-7802
Chapman University | One University Drive | Orange, California 92866
UNIVERSITY STAFF WILL NEVER ASK FOR YOUR PASSWORD - DO NOT SHARE YOUR PASSWORD WITH OTHERS!
