Keeping Phishing Tests Ethical

Running phishing tests, also commonly referred to as phishing simulations, helps you to identify and track weaknesses and points of improvement in your security awareness program. Phishing tests can also help identify the types of phishing attacks that are most successful against your organization.

However, if handled incorrectly, it is easy for people to feel hard done by phishing tests. They may sometimes appear to be “unethical” or “unfair”, and it might leave your colleagues with a bitter taste in their mouths. There have been several high-profile cases of phishing simulations where things weren’t executed particularly well.

The Ends Don’t Justify The Means

A short-sighted argument that sometimes gets thrown around is that real attackers don’t care about people’s feelings, so if phishing tests are to be realistic, anything is fair game. While there is ample evidence of attackers adopting the Machiavellian “end justifies the means” approach (we have seen everything from hospitals to schools to police and emergency services becoming phishing and ransomware targets), this does not mean that we need to adopt the same approaches to simulate “realistic” attacks.

Aldous Huxley is famously quoted for saying that “the means employed determine the nature of the ends produced”. In the case of running phishing tests, using pretexts such as – “a colleague has tested positive for COVID-19, please follow this link for further instructions” – is almost guaranteed to get clicks simply because it’s a topical concern and a source of distress; but once it becomes apparent that the message was a phishing simulation, it’s also almost guaranteed to instill a sense of bitterness and betrayal because the message might be seen to be in bad taste.

Of course, a real attacker would totally send an email like that, but even though you’re simulating an adversary when running a phishing test, you need to keep in mind that you’re not the adversary. Your goal is to constructively educate end-users and incident responders about the dangers of phishing in a safe space where there is room to learn from lapses in judgment.

Similar to how we don’t run fire drills to “catch” and shame people who don’t follow fire safety protocols; if you’re setting out to assign blame to users for clicking carefully curated links that you’ve designed expressly to target them, you should probably re-examine your approach.

In general, there seems to be a consensus that while phishing tests are necessary, they don't need to be “evil” to be effective. Dangling perks, bonuses, or taking advantage of an anxiety-inducing situation (such as a deadly global pandemic) has the potential to undermine trust between a company and its employees, which ends up working against your security awareness goals.

Don’t Embarrass Anyone

Similar to not being mean, embarrassing people does not land you in their good books. Therefore, you’re more likely to burn bridges with the same people with whom you are trying to foster a collaborative relationship.

While this may seem obvious, it is still dumbfounding to see some cybersecurity professionals propagate a culture of embarrassing people who make mistakes – of course, it’s easier to pin an attack on “human error” than it is to identify and work towards fixing or preventing the root cause.

Rather than being punitive and shaming employees, security teams need to aim to create and nurture a culture where information sharing and collaboration are the order of the day. When security teams break down barriers for employees to reach out for help – especially by not making people feel like “an idiot” because they fell for a phishing attack - employees are not only more likely to report what they see, but security teams are more likely to get a more real-world understanding of how well their security awareness efforts are doing.

Carrots, Not Sticks

In general, carrots tend to be more effective than sticks in a professional setting. Phishing tests should be viewed as opportunities to recognize who is doing a good job as opposed to calling individuals out.

Instead of embarrassing employees who fall for a phishing test, rewarding employees who correctly reported phishing tests (as well as real phishing emails, of course) to the IT security team will not only earn you buy-in but actually achieves your goals – increased vigilance that fends off security breaches and a strong and healthy security culture where people aren’t afraid to speak up if they messed up.

Provide Constructive Feedback

It's important to provide feedback to help employees perceive cybersecurity as an agent of protection as opposed to a tedious set of rules that get in the way of completing a job. Cybersecurity teams should work with underperforming teams to help them succeed in future rounds of phishing simulation exercises. Cybersecurity teams should then measure the change in outcome at the team level, and reward progress. Some of the most successful security awareness programs even incorporate security performance, particularly improvements, as part of every team’s annual evaluations.

We tend to hear about phishing tests when something goes wrong, or when companies employ dubious practices. Most companies carry out phishing simulation tests properly by treating them as opportunities to identify problems, educate end-users, and helping employees understand how phishing attacks impact information security within an organization. When done correctly, phishing tests play an important part in a company’s cybersecurity program, but for success to be maximized, companies need to empower employees rather than hang them out to dry.