Behind the scenes @ Awareways Data ‘N’ Analytics
31 August 2022
Operation ROD: analyzing our phishing e-mail campaigns
‘Operation ROD’ is the working title of an overarching analysis of our various phishing simulations done by our Data ‘N’ Analytics (DNA) Team. DNA processes and analyzes data based on our awareness campaigns, simulations and the Awareways culture scan to produce clear reports that raise awareness of information security.
What can we learn from the data collected throughout our phishing campaigns – about this form of fraud and about our approach to making employees aware of the risks?
Awareways phishing simulations
In the execution phase of our phishing simulation, all targets in the user list are contacted via email. The emails are built from templates prepared in advance.
Templates are models of phishing messages that are customized per client, for example with regard to corporate identity, the internal communication style and the choice of relevant topics. Those topics include password changes, malware attacks, LinkedIn and other social media, and requests from managers or colleagues to click on links, download files and/or otherwise engage with the message.
Operation ROD is an analysis of phishing, or ‘angling’ for information. The goal is to benchmark what actually happens with phishing among our clients by comparing campaigns side by side.
For example, you can compare the results when a phishing simulation is a) a standalone intervention or b) an intervention as part of a larger campaign. The use of a phishing simulation can be part of an overall awareness campaign, but it can also be an intervention on its own, where the client in question – at least at that moment in time – does not have another awareness campaign running.
A simulation typically has 5 rounds, each with 5 templates. The first round serves as a baseline: how difficult (or easy) is the chosen template for the organization in question? This is measured by the number of clicks.
Analyzing the results
Over time you can start to compare the results: per round, but also per organization. Based on the data, you can then start to predict how an organization will perform, depending on variables such as the template, time of reception, order of subjects, cultural differences (for example between European and American companies), public versus private sector (personal data of citizens versus that of customers) or type of employee.
In other words, properties are introduced to which you can link KPIs: ‘When is this campaign successful? What click ratio do we want to achieve?’ You can also distinguish variables: ‘If they use your first and last name, you are much more likely to click than with a more generic salutation.’
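As an added illustration (not Awareways code, and not its data), the aggregation described above in Python: the click ratio per round measured against the round-1 baseline, a KPI target check, and one variable (personalised versus generic salutation) compared over a small set of constructed sample results.

```python
from collections import defaultdict

# Constructed sample results for one anonymised organisation, one record per
# (round, template): round, template, personalised salutation?, sent, clicked.
# Figures are invented for illustration; they are not Awareways data.
RESULTS = [
    (1, "password-change", True, 200, 58),
    (1, "linkedin-invite", False, 200, 34),
    (2, "manager-request", True, 200, 41),
    (2, "malware-alert", False, 200, 22),
    (3, "shared-file", True, 200, 27),
    (3, "password-change", False, 200, 15),
]

def click_ratio_per_round(results):
    """Clicked / sent per round, aggregated over all templates in that round."""
    sent, clicked = defaultdict(int), defaultdict(int)
    for rnd, _template, _personalised, n_sent, n_clicked in results:
        sent[rnd] += n_sent
        clicked[rnd] += n_clicked
    return {rnd: clicked[rnd] / sent[rnd] for rnd in sorted(sent)}

def change_vs_baseline(results):
    """Relative change of each round's click ratio against round 1 (the baseline)."""
    ratios = click_ratio_per_round(results)
    baseline = ratios[min(ratios)]
    return {rnd: (ratio - baseline) / baseline for rnd, ratio in ratios.items()}

def learning_effect_visible(results):
    """True when the click ratio falls in every round after the baseline."""
    ratios = list(click_ratio_per_round(results).values())
    return all(later < earlier for earlier, later in zip(ratios, ratios[1:]))

def kpi_met(results, target_ratio):
    """KPI check: is the latest round's click ratio at or below the agreed target?"""
    ratios = click_ratio_per_round(results)
    return ratios[max(ratios)] <= target_ratio

def click_ratio_by_salutation(results):
    """Compare the personalised-salutation variable against generic greetings."""
    sent, clicked = defaultdict(int), defaultdict(int)
    for _rnd, _template, personalised, n_sent, n_clicked in results:
        key = "personalised" if personalised else "generic"
        sent[key] += n_sent
        clicked[key] += n_clicked
    return {key: clicked[key] / sent[key] for key in sent}

if __name__ == "__main__":
    print(click_ratio_per_round(RESULTS), change_vs_baseline(RESULTS))
```

The same functions work on real exports as long as each record is aggregated per round and template, never per named employee, which keeps the benchmark anonymous.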
Of course, the anonymity of all this data is very important. Organizations want to know where they stand, as a benchmark, but of course we cannot say that they are ‘better than organization X or government agency Y’. What we do have is a clear indication of how ‘good’ the score is in a general context, and of what you still ‘have to do’, based on the desired risk profile, the organization’s goals in terms of security and privacy, or the importance of phishing awareness in the larger picture (IT may already be intercepting a lot of email threats, for example).
In any case, what is very valuable is that it is clear to see, time and time again, that as people are exposed to the same experience repeatedly, they start to recognize it. Regardless of topic: as time goes on, the number of clicks decreases.
These effects of learning behavior are readily apparent through Operation ROD. First of all, it shows that the phishing simulation in itself is very valuable: the number of clicks, and thus the risk of a data breach within an organization, consistently decreases.
Should you want to zoom in further on the data and start assigning characteristics at the employee level, you can of course analyze more deeply. Is a relatively new colleague just as susceptible as a senior who has been on board for 15 years? With more socio-demographic information about that employee, you can identify risk groups even more precisely.
In other words, the more data you have, the more valuable the conclusions you can draw about a risk profile. But then you enter the realm of big data, and that is explicitly not what we are concerned with. We’d much rather look for insights that are valuable for the design of further communication campaigns and training courses, so that we can better prepare your employees for those inevitable e-mail threats!