Re: Initial Phishing Simulation - Do you tell them first?

[Dennis Bolton <bolton () OAKLAND EDU>]

Hi Dave,

We are early in our Phishing roll out and have so far limited campaigns to
our Central and Distributed Technology staff.  We gave them a heads-up that
Central IT was going to start a phishing awareness education campaign in
the near future but didn't give them specifics.  We waited about a week and
then sent the first round of emails.   I think the prior notice made our
staff more receptive and open to discussion, and I don't believe it had a
significant impact on the results.

Dennis Bolton
Information Security Officer
Oakland University
Dodge Hall Rm 220
118 Library Drive
Rochester, MI 48309-4401
248-370-4803

On Thu, Jun 13, 2019 at 7:50 AM Scott Stoops <sstoops () ashland edu> wrote:

> We chose to not notify our faculty/staff/students when we did a phishing
> campaign for the reason that we did not want folks to know. We felt that
> knowledge would skew the results. However, we had support from leadership
> to do this. On the day of the campaign only a few people at the university
> knew the campaign was taking place. We also intentionally did not do the
> communications we would do normally. Once a statement was made to the
> community it came from the president and not from IT.
>
> There were employees who were not happy with how we handled this. Going
> forward we would communicate more about the overall goals of awareness
> training and evaluation. I would still take the view that we would not tell
> people when the phishing test is being done. My hope is that they would not
> fall for the attempt because the awareness training is effective rather
> than that they were aware that a test was being performed. If we present
> the overall campaign as a training tool then we should be able to reduce
> anxiety about being "caught".
>
> --------------------------------------------------------------------------------------------------
> Scott Stoops, CISSP
> Security Analyst Engineer III
> Office of Information Technology | 100 Patterson Technology Center
> Ashland, OH 44805
> (w) 419-289-5405
> sstoops () ashland edu
>
>
> On Wed, Jun 12, 2019 at 9:51 PM David Eilken <
> david.eilken () domail maricopa edu> wrote:
>
> > All,
> >
> > I have seen some threads on phishing in the past, but have a very
> > specific question. When you started your phishing campaign/ program, did
> > you notify your staff / faculty that the stimulations were coming (and not
> > to worry about getting in trouble for failing)?
> >
> > I know KnowBe4 suggests not informing the population prior to doing a
> > baseline. I've heard some pretty bad horror stories about the faculty not
> > being too happy about getting a test phishing email sprung on them out of
> > the blue. I personally don't see a huge upside to not letting them know
> > what the broader campaign is about and how it supports the infosec program.
> > I would be surprised if it would scewd the results much. We already send
> > out notifications when a real campaign is active.
> >
> > Appreciate your input. Hope your enjoying the summer.
> >
> >
> > Best,
> > Dave
> >
> > --
> > [image: Maricopa Community College District Office logo]
> > DAVID EILKEN
> > MARICOPA COMMUNITY COLLEGES
> > Information Security Officer | ITS
> > 2411 West 14th Street, Tempe, AZ 85281
> > david.eilken () domail maricopa edu
> > https://www.maricopa.edu/
> > O: 480-784-0637
> > LinkedIn  <https://linkedin.com/school/maricopa-community-colleges>|
> > Twitter  <https://twitter.com/mcccd>| Facebook
> > <https://www.facebook.com/maricopa.edu>

-- 
Dennis Bolton
Information Security Officer
Oakland University
Dodge Hall Rm 220
118 Library Drive
Rochester, MI 48309-4401
248-370-4803