Analysing Simulated Phishing Campaigns for Staff

In an attempt to stop phishing attacks, an increasing number of organisations run Simulated Phishing Campaigns to train their staff not to click on suspicious links. Organisations can buy toolkits to craft and run their own campaigns, or hire a specialist company to provide such campaigns as a service. To what extent this activity reduces the vulnerability of an organisation to such attacks is debated in both the research and practitioner communities, but an increasing number of organisations do it because it seems common practice, and are convinced by vendors’ claims about the reduction in clickrates that can be achieved. But most are not aware that effective security is not just about reducing clickrates for simulated phishing messages, that there are many different ways of running such campaigns, and that there are security, legal, and trust issues associated with those choices. The goal of this paper is to equip organisational decision makers with tools for making those decisions. A closer examination of costs and benefits of the choice reveals that it may be possible to run a legally compliant campaign, but that it is costly and time-consuming. Additionally, the impact of Simulated Phishing Campaigns on employees’ self-efficacy and trust in the organisation may negatively affect other organisational goals. We conclude that for many organisations, a joined-up approach of (1) improving technical security measures, (2) introducing and establishing adequate security incident reporting, and (3) increasing staff awareness through other means may deliver better protection at lower cost.