Habitu8 Webinar Outline: 5 Steps to Phishing Training Program Success



This webinar aired on July 31, 2018 (watch/listen here). Jason’s notes are as follows:

Download Webinar Notes

User Journey assumed: Awareness admin/CISO wants to start phishing users. STEPS TO SUCCESSFUL PROGRAMS:

1. Learn how the simulation processes work 

    1. Pre-Implementation: All the work you do to get ready for the program
      1. Research
      2. Develop a plan
      3. Identify stakeholders
      4. Highlight technical needs & requirements
      5. Communicate
    2. Production: All the work you do while you’re managing the program
      1. Emails (and additional reporting data) are provided to the application, whether hosted vendor or open-source
      2. Email theme is chosen (click only, data entry, etc.) & “email” is customized/designed etc.
      3. Email education page is selected (what do you want to display to responders)
      4. Schedule & launch
      5. Report
    3. Annual Review: All the work you do to improve the program each year

2. Understand your environment and how it may present potential hiccups

3. Build a team and formalize a plan

4. Communicate, communicate, and then communicate some more

5. Reporting 101: know what you want to track and what story you want to tell


  1. Learn how the phishing training processes work, and how the user learning patterns emerge (for instance most learning happens between 3/4 campaigns)
  2. How many filters does an external email go through before it hits inboxes?
  3. Build your stakeholder team & thoroughly communicate the program with full transparency
  4. Ensure you have the required processes in place (reporting option, access to data, thorough whitelisting, IR plan, Helpdesk guidance)
  5. Understand how repeat responders develop, don’t identify them too early

1. Phishing Training Overview

2. Goals of a phishing training program 

    1. General awareness on risk (having the discussion)
    2. Highlight proper response (behavior)
    3. Reduce IR response time

3. Mistaken Assumptions & Intentions

    1. Instant & accurate status of company risk (it will take several baseline campaigns to really understand what is going on within your environment)
    2. Focusing on just click rate (or getting click rate below 5%)
    3. Everything is working flawlessly
    4. People read what you put on education pages
    5. Phishing training equals security awareness training. WRONG. It is a core discipline within a robust awareness program.
    6. Industry patterns towards email security function taking over phishing training

4. Where to start?

    1. Program plan & mission statement
      1. What the program is
      2. Why you are doing it
      3. Who is included in the training
      4. Goals of the program:
        1. Our goal is to obtain average phishing report rate over 50% per campaign
        2. Our goal is to reduce average annual click rate to below 15%
        3. Our goal is to highlight the new reporting process
        4. Our goal is to increase co-worker awareness of phishing attacks
    2. Create stakeholder team
      1. InfoSec, IT (mail, support), GRC, Legal, HR, Corp Comm, Executive team

5. Vendors vs. open-source

    1. You have viable options depending upon resources & budget

6. Impact to program & resources

    1. Managing as a single resource
      1. Plan on 2-3 weeks per campaign for setting up, monitoring, reporting
    2. Managing with a team
      1. With a 2-3 person team, a campaign can be completed in a week with processes in place

7. Processes required to launch or improve your program

  1. Clear Reporting Method
    1. Button
    2. Email
    3. Helpdesk/IT Support
  2. Access to data & ability to export into required format
    1. Some vendor require data to be in specific format, doing work ahead of time to have automatic reports provided in specific format will save literally days of your time each year
  3. Metrics for reporting
    1. I used to do this manually using rules and filters in Outlook
    2. Using a button? Is it reporting properly & accurately?
    3. Click rate comes from dashboard
    4. Number of reports may need to come from Exchange/Mail filters
  4. Whitelisting
    1. Email servers
    2. Filters
      1. Know your chain of delivery
        1. Filter-filter-filter-gateway-internal filter-user inbox
    3. Domains (web access) 
  5. Incident response plan
    1. Who responds when real reports are coming in? Next steps?
  6. Helpdesk/IT Support guidance
    1. Need to update a knowledge db for your support staff?
    2. Provide very specific guidance and instructions

8. Processes required for campaigns

  1. Security stakeholder notifications (24-48 hours prior to campaign)
    1. IT Support gets full details & proper guidance for reporting
    2. Senior leaders get reminded of proper guidance for reporting
    3. Never confirm it is a training/campaign - always confirm they’ve identified a phishing email, acknowledging they did the right thing by reporting & provide kudos
  2. Confirmation from Corp Comms no other company announcements during window

9. Program Terminology

  1. Reporting
  2. Responding
  3. Repeat responder vs. “offender"
  4. Incident definition

10. What to focus on?

  1. Processes
    1. Reporting
    2. Report response
  2. Education
    1. Short, direct
      1. Read in 10 seconds
    2. Behavior focused
      1. What should they do? REPORT

11. What to know about phishing training learning patterns

  1. User learning won’t show until 3-4th campaign
  2. Let the process do its job
  3. Don’t assign blind training

12. What dictates repeat responders?

  1. Over 6-9 months, 3 responses
    1. After 4th’s campaign
    2. Will result in less than 1% of population
  2. Repeat Responder Program
  3. Problems with early identification
    1. More work for you
    2. More users than necessary
    3. Turnover

13. Communications

  1. Definitely provide full transparency on what the program is, what users should expect, what stakeholders should know, and how security stakeholders should respond.
  2. The success and adoption of the program will be crucial to how comfortable your users feel about it. If they think you’re tricking them or they’re getting in trouble, you will have a long road ahead.
  3. Clarify it is a training, not a test.

14. Metrics

  1. Good data in, good data out
    1. Departmental
    2. Business Unit
    3. Privileged Users
    4. Employee Type
    5. New employee vs. seasoned
    6. Executive level
    7. Reporting Manager
  2. Protect this data
    1. Don’t provide “who clicked"
    2. Own your data.

15. Implementation Tips

  1. Don’t use logos or anything you don’t own trademark/copyright
  2. Click rates should constantly fluctuate, you’ll never have a negative trending pattern
  3. Simple can and will be effective
  4. Don’t start out high and mighty, go from simple to medium to hard
  5. Baseline - Focus on getting in 6-8 campaigns in year one

View Free Demo Videos