The Phish Scale: Improving Information Security Awareness

Yiğit Okur
Aug 8, 2023


Phishing Attack

Phishing is an attack in which a message is made to look as though it comes from a trusted source in order to steal the recipient's private information or to get malicious software installed on their machine. Email is the primary channel, but the same approach is used over phone calls, instant messages, faxes and other media. Phishing test results usually highlight one number: how many recipients clicked the link or ran the attached malicious file. That number is not the whole picture. Phishing emails differ widely in how hard they are to detect, and click rates on easy and hard scenarios can differ substantially, so a click rate is only meaningful alongside the difficulty of the scenario that produced it.

NIST: Sample Graph of Phish Scale

Phish Scale

In 2020 the National Institute of Standards and Technology (NIST) published the Phish Scale, a method for rating how difficult a phishing test email is to detect. Rating each scenario makes the click rates comparable, helps to interpret the outcomes, and shows where staff are strong and where they are weak. Organizations can use it to target information security training where it is actually needed.

A low click rate on a single phishing scenario is not proof that staff are security aware; a low rate on an easy scenario tells you very little. Only by comparing results across scenarios rated on the Phish Scale can a conclusion be drawn. The rating needs two inputs: the number of observable clues in the email, and the relevant content level (what NIST calls premise alignment). Together they determine the detection difficulty.

Clues

An observable clue (NIST's term is observable cue) is anything in the delivered email that lets the recipient recognize it as phishing. Each clue is worth 1 point. A total of 1 through 8 clues is classed as "few", 9 through 14 as "some", and 15 or more as "many". NIST groups the clues into five categories: errors, technical indicators, visual presentation indicators, language and content, and common tactics. Observable clues include:

Table of Observable Clues

Relevant Content Level

Relevant Content Level is the second factor in the difficulty rating. Unlike the clue count it is not computed; it is a judgement of how closely the email's premise matches the target audience: how relevant the topic is to their work, how plausible the scenario is to them, and how likely they are to recognize the sender, system or event it refers to.

Low: the email content concerns a topic that is irrelevant to, or implausible for, the target audience.

Medium: the email content has low relevance to a large part of the target audience, or moderate relevance to a small part of it.

High: the email content directly matches the job responsibilities of the target audience and is entirely plausible to them.

Phish Scale Calculation

Combining the clue band (few, some, many) with the relevant content level (low, medium, high) gives the detection difficulty shown in the table below. Grouping click rates by this difficulty rating, rather than looking at a single overall rate, is what makes phishing test statistics useful for improving information security awareness.

Table of Phish Scale Calculation
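As an added example (this is not code from the original post or from NIST), the following Python puts the two inputs together and applies them to a constructed set of campaign results: it bands the clue count, combines the band with the relevant content level to get the detection difficulty, and then reports click rates per scenario and per difficulty level, which is the comparison a single overall click rate cannot give. The difficulty matrix is the one published in the NIST Phish Scale paper listed in the references, and the five cue categories are NIST's; the Scenario structure, the scenario names and every count are hypothetical.

```python
"""Phish Scale scoring of phishing-simulation results (added example)."""
from collections import defaultdict
from dataclasses import dataclass

# The five cue categories NIST uses when tallying observable cues.
CUE_CATEGORIES = (
    "errors",
    "technical indicators",
    "visual presentation indicators",
    "language and content",
    "common tactics",
)


def cue_band(num_cues: int) -> str:
    """Map a raw cue count (1 point per cue) to the NIST band."""
    if num_cues < 1:
        raise ValueError("a rated email has at least one observable cue")
    if num_cues <= 8:
        return "few"
    if num_cues <= 14:
        return "some"
    return "many"


# Detection-difficulty matrix (cue band, premise alignment) -> rating,
# as published in the NIST Phish Scale paper cited in the references.
DIFFICULTY = {
    ("few", "high"): "very difficult",
    ("few", "medium"): "very difficult",
    ("few", "low"): "moderately difficult",
    ("some", "high"): "very difficult",
    ("some", "medium"): "moderately difficult",
    ("some", "low"): "moderately to least difficult",
    ("many", "high"): "moderately difficult",
    ("many", "medium"): "moderately difficult",
    ("many", "low"): "least difficult",
}


def detection_difficulty(num_cues: int, alignment: str) -> str:
    """Combine the cue band with the premise alignment (low/medium/high)."""
    alignment = alignment.lower()
    if alignment not in ("low", "medium", "high"):
        raise ValueError(f"unknown premise alignment: {alignment!r}")
    return DIFFICULTY[(cue_band(num_cues), alignment)]


@dataclass
class Scenario:
    """One simulated phishing email and its results (hypothetical structure)."""
    name: str
    cues: dict        # category -> number of cues spotted by the test designer
    alignment: str    # premise alignment / relevant content level
    sent: int
    clicked: int

    def cue_count(self) -> int:
        unknown = set(self.cues) - set(CUE_CATEGORIES)
        if unknown:
            raise ValueError(f"unknown cue categories: {sorted(unknown)}")
        return sum(self.cues.values())


def summarize(scenarios):
    """Return (name, difficulty, click rate) per scenario and click rate per difficulty."""
    per_scenario = []
    sent_clicked = defaultdict(lambda: [0, 0])
    for s in scenarios:
        difficulty = detection_difficulty(s.cue_count(), s.alignment)
        per_scenario.append((s.name, difficulty, round(s.clicked / s.sent, 3)))
        sent_clicked[difficulty][0] += s.sent
        sent_clicked[difficulty][1] += s.clicked
    per_difficulty = {d: round(c / n, 3) for d, (n, c) in sent_clicked.items()}
    return per_scenario, per_difficulty


# Constructed sample campaign; the numbers are illustrative, not real results.
CAMPAIGN = [
    Scenario("Overdue invoice from an unknown vendor",
             {"errors": 4, "technical indicators": 5, "visual presentation indicators": 4,
              "language and content": 3, "common tactics": 2},    # 18 cues -> many
             "low", sent=400, clicked=12),
    Scenario("Help desk: your password expires today",
             {"errors": 1, "technical indicators": 2, "visual presentation indicators": 1,
              "language and content": 1, "common tactics": 2},    # 7 cues -> few
             "high", sent=400, clicked=108),
    Scenario("Benefits enrollment deadline reminder",
             {"errors": 2, "technical indicators": 4, "visual presentation indicators": 2,
              "language and content": 2, "common tactics": 2},    # 12 cues -> some
             "medium", sent=400, clicked=52),
]

if __name__ == "__main__":
    rows, rollup = summarize(CAMPAIGN)
    for name, difficulty, rate in rows:
        print(f"{rate:6.1%}  {difficulty:<30} {name}")
    print("click rate by difficulty:", rollup)
```

In the constructed campaign the "least difficult" invoice scenario draws a 3% click rate while the "very difficult" password-expiry scenario draws 27%. Reporting only the blended rate would hide that gap; the per-difficulty roll-up is what tells you which kind of email the training should focus on.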

References

Steves, M., Greene, K., Theofanos, M. Categorizing human phishing difficulty: a Phish Scale. Journal of Cybersecurity 6(1), 2020. https://academic.oup.com/cybersecurity/article/6/1/tyaa009/5905453

Mimecast. Using NIST's Phish Scale to Optimize Employee Training. https://www.mimecast.com/blog/using-nists-phish-scale-to-optimize-employee-training/

Steves, M., Greene, K., Theofanos, M. A Phish Scale: Rating Human Phishing Message Detection Difficulty. https://www.semanticscholar.org/paper/A-Phish-Scale%3A-Rating-Human-Phishing-Message-Steves-Greene/cf4dffa876673490ddaece07f7abf084acba453
