Phishing Training Strategies: Useful or Wasteful?

In the security community, it is commonly known that, no matter how well-built your network, humans will always be a weak link. In particular, the classic phishing email attack is still widely used by attackers trying to gain access to an organization’s computing resources. Although phishing may seem simplistic, it can be extremely effective. In a phishing quiz taken by over 19,000 Americans in the last year (2015), Intel found that over 80% fell for at least one phishing email[1]. In its 2013 Data Breach Investigation Report, Verizon found that with just 12 emails, attackers statistically have an almost 100% chance of getting someone to click[2]. Because of this, many security teams pour a huge amount of time and effort into stopping phishing before it reaches the user, but they cannot catch everything. It has become common to give users some level of cybersecurity training to help them recognize and respond appropriately to phishes on their own. However, in any given group, the technical knowledge of its members will vary widely. There are some people who fall for phishes time and time again despite having the same training as everyone else. Unfortunately for companies, these people tend to be management or administrative personnel who are highly connected within the email graph. With that in mind, the goal of this project was to model the spread of a simple phishing attack and examine the pros and cons of extra targeted cybersecurity training within an organization.