The recent Official Annual Cybercrime Report from Cybersecurity Ventures predicted that the cost of cybercrime globally will reach $6 trillion by 2021, which is double the cost from 2015. This obviously encompasses a wide range of possible forms of attack, but phishing remains enduringly popular among cybercriminals.

New research from the National Institute of Standards and Technology (NIST) highlights the creation of a new tool, called the Phish Scale, that NIST believes will help organizations to train their employees so that they can avoid phishing attacks.

The researchers believe that too many employees are unaware of the risk phishing attacks pose, and are therefore often unaware of the steps they can take to protect themselves from becoming victim to them. Phishing emails have become especially prevalent during COVID-19 as attackers have taken advantage of the uncertainty surrounding the virus to mimic government agencies or health service providers in order to trick people into clicking links and submitting details that can be used to compromise them.

Evaluating the risk

The tool aims to allow organizations to accurately gauge the risk posed by phishing and then address any vulnerabilities exposed. These vulnerabilities are often addressed by training programs that present employees with emails designed to replicate the style and tone of actual phishing emails, so that they become better attuned to their characteristics and can recognize when they are being targeted.

The click-through rates on these training programs are then assessed by the cybersecurity staff within the organization, to determine both the risks across the organization and whether the training sessions are working or not. 

Generally speaking, high click-through rates are seen as bad, and low click-through rates are viewed more positively.

These numbers on their own often tell an incomplete story, however, and the Phish Scale aims to provide more detailed and nuanced insight into whether any particular form of phishing email might prove successful. It offers cybersecurity staff insight into why click rates came out as they did by using a rating system based on the content of the phishing email: the number of clues that might tip off an alert user that the email is not what it seems. These clues are weighted differently depending on whether the target works at a hospital, a university, a business, or a government agency.

Spotting attacks

The tool uses five distinct elements. Each element is rated on a 5-point scale that is customized for each distinct scenario. These then form an overall score that is used by the trainers to rate the phishing exercise according to its difficulty level.

The key to the tool is the explanation given behind the click-through rates. The researchers highlight that there can be numerous reasons for people clicking on a phishing email. For instance, the training emails might be too easy or could be too similar to emails used in previous training exercises. This can lead trainers to believe that staff are well guarded against phishing attacks when the reality is altogether different.
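The following is an added illustration, not NIST's code and not the Phish Scale's actual weighting: it combines five element ratings into a difficulty band and then reads a click-through rate in light of that band, so that a low click rate on an easy exercise is flagged as inconclusive rather than reassuring. The summing, the band boundaries, the assumption that a higher rating means a harder email, and the 15% threshold are all assumptions of this example.

```python
# Added example (not NIST's code): difficulty-aware reading of a phishing
# exercise's click-through rate, in the spirit of the Phish Scale as described
# above. ASSUMPTION: the five element ratings (1-5 each, higher = harder to
# spot) are simply summed and bucketed into three bands; the real Phish
# Scale's weighting is not reproduced here.

MIN_SCORE, MAX_SCORE = 5, 25  # five elements, each rated 1-5


def difficulty(ratings):
    """Combine five 1-5 element ratings into a difficulty band."""
    if len(ratings) != 5 or any(not 1 <= r <= 5 for r in ratings):
        raise ValueError("expected five ratings, each between 1 and 5")
    total = sum(ratings)  # lies between MIN_SCORE and MAX_SCORE
    if total <= 11:
        return "easy"
    if total <= 18:
        return "moderate"
    return "hard"


def interpret(ratings, clicked, delivered):
    """Return (click_rate, band, assessment) for one exercise.

    A low click rate only counts as reassurance if the email was hard to
    spot; an easy exercise with a low rate says little about readiness,
    and a high rate on an easy exercise is a clear training gap.
    """
    if delivered <= 0:
        raise ValueError("delivered must be positive")
    rate = clicked / delivered
    band = difficulty(ratings)
    high = rate >= 0.15  # ASSUMED threshold; tune per organization
    if band == "easy":
        assessment = "training gap" if high else "inconclusive: exercise too easy"
    elif band == "hard":
        assessment = "expected: hard lure" if high else "strong awareness"
    else:
        assessment = "needs follow-up" if high else "adequate"
    return round(rate, 3), band, assessment


if __name__ == "__main__":
    # Constructed sample results, not real exercise data.
    for name, ratings, clicked, sent in [
        ("obvious lure", [1, 2, 1, 2, 1], 3, 200),
        ("tailored lure", [5, 4, 5, 4, 5], 60, 200),
    ]:
        print(name, interpret(ratings, clicked, sent))
```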

As well as giving data to trainers, the tool also elicits feedback from users regarding why they clicked on certain emails.

The researchers believe this gives trainers and cybersecurity staff a much better understanding of the true state of awareness among the workforce, especially if the training is targeted towards a specific audience.

The Phish Scale has been developed after several years of research, with data from operational settings used to inform the tool. The researchers believe this makes it more robust, as previous attempts have relied more on lab-based expertise, which may not reflect reality because people behave differently under lab conditions than they do in everyday work.

Further improvements

The researchers hope to further refine the model with more data, as to date all of the data for the system has come directly from NIST itself. As more organizations use the tool, however, they hope to feed those results back into the model to help it perform even better. This expansion of the dataset will be especially useful as more nongovernmental organizations adopt it, and will help make the tool effective in a wider range of operational settings.

This ongoing evolution of the data behind the tool will be important to ensure that it remains effective as the phishing threat landscape changes.

Ultimately, the researchers hope that the tool will better equip organizations and employees to deter the phishing attacks they are exposed to, and the research paper provides detailed steps to help organizations implement the DIY tool within their business.

With phishing being an enduringly popular and effective form of cyberattack, such an evolution in our defenses should be very useful, as humans are often the weakest link in that defense. By understanding what makes us click on phishing emails, it’s a link that should be bolstered.