Security Behavior Change

Clicks Vs. Compromise: Measuring Phishing Test Failures

Masha Sedova

Published on 30 July 2019

When speaking with security teams who run mock phishing tests to train employees on susceptibility to attacks, I often get into a discussion about what it means for an employee to “fail” a phishing test. The majority of programs, I have come to discover, punish their employees if they click on a phishing test email. At Elevate, we fundamentally disagree with this approach. Here’s why.

First up, some definitions. In phishing, a click is when someone clicks on a link in a phishing email and it takes them to a landing page owned by the attacker. Alternatively, the link in the email could download a malicious executable.

A compromise is when an end-user submits sensitive information such as a password, OATH token, or credit card information on a website owned by a malicious attacker. Alternatively, the act of clicking on a link to download a file is considered a “click” while the act of running that executable on your machine is considered “compromised.”

Why clicking on a link isn’t bad

The act of clicking on a link is not inherently bad. Even if an employee were to visit a website owned by an attacker, it would be very hard to compromise the employee at that stage. In order to compromise an account just from a link in an email, one of these paths would have to exist.

  1. Exploit a vulnerability in the browser. This ability is limited to highly skilled and resourced attackers often associated with nation states. The exploits used are usually 0-days and are very rare and expensive to obtain.
  2. Exploit a vulnerability in installed extensions (such as Flash or Java Applets). These vulnerable applications are gradually being phased out of use.

Additionally, downloading a malicious executable isn’t enough to become infected. You actually have to run the file for it to take hold and cause damage.

So, clicking on a link shouldn’t be a punishable offense enforced by security awareness teams. The main reason security awareness teams use this as the metric is that it’s easier for them to track misdeeds. Of course, the fewer people that click on links, the smaller the chance of downstream security incidents. However, clicking on a link is a normal and regular part of doing business and being on the internet. We should not be punishing people and calling link-clicking a failure for security because it just isn’t. (Unless you are being attacked by Russia or China.)

So what should we be measuring?

At Elevate we believe that failure of a behavior should correlate to a “compromised state” such as an employee submitting sensitive information in a form or executing malware on a machine. If you are going to enforce a punishment for “bad security behavior,” it should be for something that has security consequences. Otherwise, you are training your employees to be distrustful of tools they actually need for their work. Instead of popping up a “you could have been PWNed” page, we should be educating folks and providing tools on how to triage emails and links more effectively.
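
The click/compromise distinction above, applied to simulation results, as an added example that is not Elevate's code. The CSV layout, event names and recipients are assumptions constructed for illustration; each recipient is scored by the most severe outcome recorded, and both rates are reported side by side.

```python
import csv
import io

# Constructed sample export from a phishing simulation. The column and
# event names are assumptions, not any vendor's real format.
SAMPLE_EVENTS = """recipient,event
alice@example.com,email_delivered
alice@example.com,link_clicked
bob@example.com,email_delivered
bob@example.com,link_clicked
bob@example.com,data_submitted
carol@example.com,email_delivered
carol@example.com,link_clicked
carol@example.com,file_downloaded
dave@example.com,email_delivered
dave@example.com,link_clicked
dave@example.com,file_downloaded
dave@example.com,file_executed
erin@example.com,email_delivered
"""

# The article's definitions: following a link or downloading a file is a
# click; submitting sensitive data or running the file is a compromise.
OUTCOME_OF = {"link_clicked": "click", "file_downloaded": "click",
              "data_submitted": "compromise", "file_executed": "compromise"}
SEVERITY = {"no_action": 0, "click": 1, "compromise": 2}


def worst_outcomes(csv_text):
    """Map each recipient to the most severe outcome recorded for them."""
    outcomes = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        who = row["recipient"].strip().lower()
        outcome = OUTCOME_OF.get(row["event"].strip(), "no_action")
        previous = outcomes.get(who, "no_action")
        outcomes[who] = max(previous, outcome, key=SEVERITY.__getitem__)
    return outcomes


def rates(outcomes):
    """Return (click_rate, compromise_rate) over all recipients."""
    total = len(outcomes)
    if total == 0:
        return 0.0, 0.0
    clicked = sum(1 for o in outcomes.values() if o != "no_action")
    compromised = sum(1 for o in outcomes.values() if o == "compromise")
    return clicked / total, compromised / total
```

On this constructed data, a click-based metric would fail four of five recipients, while the compromise-based metric flags only the two who submitted data or ran the file.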