This is horrible, this idea: "Phishing your own users"
I see Michael Farnum has responded to Terry Sweeney's blog post on Phishing your own users. I would just like to remind everyone that, while intentions may be good, people have tried this tactic with viruses before. How many times did we hear about someone writing a virus that removes viruses, or one that enables a security feature? Or how about testing the effectiveness of an anti-virus solution by distributing to users a file (containing a virus) named "DO_NOT_OPEN_ME"? Edit: see How not stop a virus attack.
I feel there are much better ways to measure the effectiveness of your security awareness training. In my opinion, testing users with fake phishing will only confuse them. A couple of suggestions for measuring effectiveness:
- Question and answer testing
- Spot the fake
- A "What would you do?"
Simply coming up with a test would be a much better and less risky way to measure results than seeing who clicks on your phishing scam and who doesn't. To sum it up, I edited a quote from one of the best movies ever made: Office Space.
Tom: What do you say we set up fake sites that entice our users to enter their personal information to measure the effectiveness of our security awareness training program?
Michael: That's the worst idea I've ever heard in my life, Tom.
Samir: Yes, this is horrible, this idea.