Article | November 12, 2021

NIST And No-notice: Finding The Goldilocks Zone For Phishing Simulation Difficulty

Source: Webroot
Phishing

Earlier this year, the National Institute of Standards and Technology (NIST) published updated recommendations for phishing simulations in security awareness training programs. We discussed it on our Community page soon after the updated standards were released, but the substance of the change bears repeating.

“Practical exercises include no-notice social engineering attempts to collect information, gain unauthorized access, or simulate the adverse impact of opening malicious email attachments or invoking, via spear-phishing attacks, malicious web links.” – NIST SP 800-53, Rev. 5, Section 5.3 (pg. 60)

This update includes a recommendation for “no-notice” phishing simulations to be delivered at the beginning of security awareness training programs to more accurately gauge the readiness of a set of users to recognize a phishing attempt.

The thinking, obviously, is that letting users in on the phishing simulation game will heighten their suspicion of everything in their inbox and skew the baseline results. This concern can be thought of as a spin-off of the well-studied "observer effect" known in many scientific fields: observing the behavior of something necessarily changes that behavior.
