Targeted Phishing Emails to Train IT Security Awareness
It used to be thought that IT security could be solved purely with technical solutions, but now it seems that the human element has become much more important. dotmagazine spoke to David Kelm, CEO of IT-Seal, to find out how they use machine learning as a means to train staff in secure online behavior.
dotmagazine: Can you tell us about how you use Machine Learning to increase security awareness?
DAVID KELM: My company is IT-Seal and we simulate social engineering and phishing attacks. We simulate phishing emails with various levels of sophistication, as a real attacker would. We crawl data from social media and use this data to generate individualized spear phishing attacks.
Every employee gets a different targeted email and we use that to measure how secure a company actually is. We train the employees by sending two to three emails per month per employee, to their real inbox. Once they click on one of our phishing emails, they get an explanation which shows the email one more time, with some advice on how they could have spotted that this one was a fake email.
dot: So what makes simulated phishing emails an effective mechanism for assessing security awareness?
KELM: It’s quite complex to measure the security awareness of employees. There is one method that has been developed in the last few years and has proven to be quite successful, and that is by simulating phishing emails.
Because it is easy, it is low effort, and it is quite scalable. You can do it for a big company and in multiple languages. But there are some pitfalls too, because, if you just send out one email, it can be really targeted and really good, so 60 or even 80 percent of people click on it. And other times, it can be really easy to spot that another email is a phishing email, and only 2 percent of people click. So the results of sending just one email are not really meaningful. The thing is, if you really want to measure the security awareness of the company, in my opinion, you should simulate multiple phishing emails with various levels of sophistication.
dot: What do companies need to keep in mind before implementing such a scheme?
KELM: Companies should reflect on whether their results are meaningful, as I just said, and, of course, there are also privacy issues to consider. You need to anonymize the data so that you’re not surveilling your employees.
Security awareness is, on the one hand, knowledge, and on the other hand, behavior. And a change of knowledge is kind of possible with education, but changing your behavior in daily life, the activities that you are used to doing – how you really act with emails or on the phone – it’s really hard to change that. So what I recommend is to try to really change behavior by giving regular practice, regular training as part of everyday activities and daily work routines so that people can change their behavior over time.
dot: What insights have you gained through your analysis of staff security awareness?
KELM: You will always find somebody who clicks. Even with the dumbest email – somebody will click on it. But many people will click on the emails that have a really high level of sophistication – we have click rates for our best emails of around 60-70 percent. This is the average number we get, and some companies score even higher.
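Two points from the interview are easy to get wrong in practice: a single campaign's click rate says little on its own, and per-employee results must not turn into a surveillance record. The following script is an added editorial example, not IT-Seal's code or method. It takes constructed results from three campaigns of increasing sophistication (a generic mass mail, a spoofed brand, an individualized spear-phishing mail), replaces employee addresses with a keyed pseudonym before anything leaves the mail system, and reports click rates per tier and per department. The tier names, the employees, the departments, the equal weighting of tiers and the group-size threshold are all assumptions made for the example.

```python
"""Aggregate simulated-phishing results per sophistication tier with
pseudonymised employees. Added example; all data below is constructed."""
import hashlib
import hmac
from collections import defaultdict

# Assumption: a fresh random key per assessment, held by the assessment
# team only and never stored with the results or the report.
PSEUDONYM_KEY = b"replace-with-32-random-bytes-per-assessment"

# Constructed sample: (employee, department, campaign, tier, clicked).
SAMPLE_RESULTS = [
    ("alice@example.com", "finance", "c1", "generic", False),
    ("bob@example.com",   "finance", "c1", "generic", True),
    ("carol@example.com", "it",      "c1", "generic", False),
    ("dave@example.com",  "it",      "c1", "generic", False),
    ("erin@example.com",  "sales",   "c1", "generic", False),
    ("alice@example.com", "finance", "c2", "brand",   False),
    ("bob@example.com",   "finance", "c2", "brand",   True),
    ("carol@example.com", "it",      "c2", "brand",   False),
    ("dave@example.com",  "it",      "c2", "brand",   True),
    ("erin@example.com",  "sales",   "c2", "brand",   False),
    ("alice@example.com", "finance", "c3", "spear",   True),
    ("bob@example.com",   "finance", "c3", "spear",   True),
    ("carol@example.com", "it",      "c3", "spear",   False),
    ("dave@example.com",  "it",      "c3", "spear",   True),
    ("erin@example.com",  "sales",   "c3", "spear",   True),
]


def pseudonym(employee: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash of the address: stable across campaigns, so repeat clickers
    can still be offered training, but not reversible without the key.
    An unkeyed SHA-256 would be trivially reversed from the staff directory."""
    canonical = employee.strip().lower().encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()[:16]


def pseudonymize(results, key: bytes = PSEUDONYM_KEY):
    """Replace addresses with pseudonyms; only this form reaches the report."""
    return [(pseudonym(emp, key), dept, camp, tier, clicked)
            for emp, dept, camp, tier, clicked in results]


def click_rate_by_tier(results):
    """Click rate per sophistication tier. A recipient counts once per
    campaign, so two clicks on the same mail are not two victims."""
    outcome = {}  # (pseudonym, campaign) -> [tier, clicked]
    for pid, _dept, camp, tier, did_click in results:
        entry = outcome.setdefault((pid, camp), [tier, False])
        entry[1] = entry[1] or did_click
    sent, clicked = defaultdict(int), defaultdict(int)
    for tier, did_click in outcome.values():
        sent[tier] += 1
        clicked[tier] += did_click
    return {tier: clicked[tier] / sent[tier] for tier in sent}


def awareness_profile(rates):
    """Spread between the easiest and hardest tier: the same workforce would
    'score' anywhere in that range if only one campaign were run. The mean is
    a simple combined figure (assumption: tiers weighted equally)."""
    lo, hi = min(rates.values()), max(rates.values())
    return {"min": lo, "max": hi, "spread": hi - lo,
            "mean": sum(rates.values()) / len(rates)}


def department_rates(results, k: int = 5):
    """Per-department rates, suppressing departments with fewer than k
    distinct people: a one-person department is an individual result."""
    people, sent, clicked = defaultdict(set), defaultdict(int), defaultdict(int)
    for pid, dept, _camp, _tier, did_click in results:
        people[dept].add(pid)
        sent[dept] += 1
        clicked[dept] += did_click
    return {dept: (clicked[dept] / sent[dept] if len(people[dept]) >= k else None)
            for dept in sent}


if __name__ == "__main__":
    anon = pseudonymize(SAMPLE_RESULTS)
    rates = click_rate_by_tier(anon)
    for tier, rate in rates.items():
        print(f"{tier:8s} {rate:5.0%}")
    print("profile:", awareness_profile(rates))
    # k=2 only so the tiny sample shows suppression; use a larger k in practice.
    print("departments:", department_rates(anon, k=2))
```

On the constructed data the generic mail yields 20 percent, the spoofed brand 40 percent and the spear-phishing mail 80 percent, which is exactly the "2 percent versus 60 or 80 percent" problem described above: reporting any single campaign would misstate the company's state by a wide margin. The department view returns `None` for the one-person department so that the aggregate report cannot single out an individual, and because the pseudonym is an HMAC over the address, nobody holding the report without the key can map a result back to a named employee.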
David Kelm has been working intensively on social engineering and employee awareness since 2012. His research at the TU Darmstadt focused on how to measure the security level of a company in a standardized way. After various awards and grants, the research results in 2016 led to the founding of the startup IT-Seal, which today not only specializes in measuring security awareness but also in the effective training of employees. Since then, IT-Seal has supported companies from various industries such as mechanical engineering, banks, and hospitals in sustainably securing their employees.
Please note: The opinions expressed in Industry Insights published by dotmagazine are the author’s own and do not reflect the view of the publisher, eco – Association of the Internet Industry.