Made with ♥ in Security Valley Darmstadt
Why are we doing this?
Individual phishing simulations can quickly lead you astray: click rates can vary greatly from e-mail to e-mail, especially when internal information is used. Depending on the subject, writing style, specific sending time, design or sender, employees either click quickly or not at all. It is easy to create a phishing e-mail that 80 percent of employees click on, or one that only 2 percent fall for. However, this says nothing yet about how good the employees really are, only about how well the phishing e-mail fitted the bill. In order to make a statement about how good the security behavior of the employees really is, it is therefore necessary to carry out a large number of different attack simulations. This is the only way to filter out individual "lucky hits". The results of these many different attacks are stored accordingly in the ESI® and illustrated in traffic-light colours.
The ESI® makes security awareness training measurable based on scientific data.
To make security awareness measurable, a realistic simulation of attacks is indispensable. Individual attacks must also be comparable with each other; only then can a measurement over a longer period of time provide information about the development of security awareness.
In order to make social engineering attacks comparable, we classify them into different categories. The decisive factor here is the preparation time that a criminal must invest in the preparation and execution of an attack scenario.
This consists, for example, of the procurement of information (OSINT), technical preparation, copying of designs (clone phishing), and the provision of the infrastructure. This yields five categories, each corresponding to a preparation time of approx. 1, 3, 10, 20 and 40 hours.
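The two ideas above, pooling many simulations so that a single "lucky hit" no longer dominates the picture, and bucketing each simulation by the attacker's preparation effort, can be made concrete with a small script. The following is an added illustration, not the ESI® calculation itself and not code from the page's authors: it assumes the five categories are centred on the page's approximate 1, 3, 10, 20 and 40 preparation hours and assigns a campaign to the nearest one, and it uses a plain pooled click rate as the aggregate score. All campaign data in it is constructed.

```python
"""
Added illustration (not the ESI(R) method): pool many simulated phishing
campaigns per department so that single "lucky hits" average out, and bucket
each campaign by the attacker's preparation effort.

Assumptions (mine, not from the page): the five effort tiers are centred on
the page's approximate 1, 3, 10, 20 and 40 preparation hours and a campaign is
assigned to the nearest tier; the pooled score is a plain click rate over all
deliveries. All campaign data below is constructed.
"""
from collections import defaultdict

# Approximate preparation hours per tier, as given on the page.
TIER_HOURS = (1, 3, 10, 20, 40)


def effort_tier(prep_hours: float) -> int:
    """Return the 1-based tier whose reference effort is closest to prep_hours."""
    if prep_hours < 0:
        raise ValueError("preparation time cannot be negative")
    return 1 + min(range(len(TIER_HOURS)), key=lambda i: abs(TIER_HOURS[i] - prep_hours))


def click_rate(clicked: int, delivered: int) -> float:
    """Fraction of delivered e-mails that were clicked."""
    if delivered <= 0 or clicked < 0 or clicked > delivered:
        raise ValueError("invalid counts")
    return clicked / delivered


def pooled_click_rate(campaigns) -> float:
    """Click rate over all deliveries, so larger campaigns weigh more than small ones."""
    delivered = sum(c["delivered"] for c in campaigns)
    clicked = sum(c["clicked"] for c in campaigns)
    return click_rate(clicked, delivered)


def summarize(campaigns):
    """Per department: single-campaign spread versus pooled rate, plus pooled rate per tier."""
    by_dept = defaultdict(list)
    for c in campaigns:
        by_dept[c["dept"]].append(c)
    report = {}
    for dept, cs in by_dept.items():
        single = [click_rate(c["clicked"], c["delivered"]) for c in cs]
        by_tier = defaultdict(list)
        for c in cs:
            by_tier[effort_tier(c["prep_hours"])].append(c)
        report[dept] = {
            "campaigns": len(cs),
            "min_single": min(single),
            "max_single": max(single),
            "pooled": pooled_click_rate(cs),
            "by_tier": {t: pooled_click_rate(tc) for t, tc in sorted(by_tier.items())},
        }
    return report


# Constructed sample: the same department swings from 2% to 80% depending on the lure.
SAMPLE_CAMPAIGNS = [
    {"dept": "finance", "prep_hours": 1.0,  "delivered": 100, "clicked": 2},
    {"dept": "finance", "prep_hours": 2.5,  "delivered": 100, "clicked": 10},
    {"dept": "finance", "prep_hours": 12.0, "delivered": 100, "clicked": 30},
    {"dept": "finance", "prep_hours": 38.0, "delivered": 100, "clicked": 80},
    {"dept": "hr",      "prep_hours": 1.0,  "delivered": 50,  "clicked": 1},
    {"dept": "hr",      "prep_hours": 9.0,  "delivered": 50,  "clicked": 8},
    {"dept": "hr",      "prep_hours": 21.0, "delivered": 50,  "clicked": 15},
]

if __name__ == "__main__":
    for dept, r in summarize(SAMPLE_CAMPAIGNS).items():
        tiers = ", ".join(f"tier {t}: {v:.0%}" for t, v in r["by_tier"].items())
        print(f"{dept}: {r['campaigns']} campaigns, single-campaign click rate "
              f"{r['min_single']:.0%} to {r['max_single']:.0%}, pooled {r['pooled']:.1%} ({tiers})")
```

Read the output per department: the single-campaign range shows how far one lure can mislead (2% to 80% for the same group), the pooled figure is the number that survives that variance, and the per-tier breakdown is what makes one department's result comparable with another's, since a low click rate on tier-1 lures says little if no tier-4 or tier-5 campaign was ever run against that group.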
An analysis of more than 75,000 simulated e-mails provides a revealing insight into the security behavior of individual departments across the company, as shown in the figure on the left.
All test groups show critical phishing awareness, with an average Employee Security Index of 46.2. While the HR, IT and finance departments perform above average across the company, the managers, assistants and the C-level stand out at the lower end.