January 13

Ethical considerations in phishing tests: to inform employees or not?


TL;DR

This article examines the ethical considerations in phishing tests, focusing on the balance between running realistic simulations and treating employees fairly in cybersecurity training.
It explores the complexities of conducting phishing simulations in the workplace. Key takeaways include the role of transparency in fostering a positive security culture, building trust through clear communication, and tailoring cybersecurity training to different departments in line with the Adult Learning Theory. Ethical considerations are central, especially the fairness of unannounced simulations. We discuss the need to balance realistic testing conditions against ethical and morale implications, and the importance of integrating phishing simulations into a broader cybersecurity strategy.


In cybersecurity, phishing simulations are a common tool for enhancing employees’ vigilance against fraudulent emails.
A key decision is whether or not to inform employees about such simulations in advance. Either choice can affect the security culture, trust in the security team and the sustainability of these campaigns.

Phish-what?

Phishing is a type of cyber attack where malicious actors use deceptive emails, messages, or websites to trick individuals into revealing sensitive information, such as login credentials, financial details, or personal data. These communications often mimic legitimate sources, like well-known companies or trusted contacts, to lure victims into responding or clicking on harmful links.

Phishing attacks are therefore defined as "a scalable act of deception whereby impersonation is used to obtain information from a target" [5], and they are not limited to a specific medium:

"[…] although until a couple of years ago phishing was an attack almost entirely launched by email, today it is also spreading to social channels and by instant messaging on apps like WhatsApp and Telegram." [4]

Phishing simulations, on the other hand, are controlled exercises conducted by organizations to assess and improve their employees’ ability to identify and respond to phishing attempts. In these simulations, most of the time the organization sends out benign emails that mimic the tactics of real phishing attacks, without the intent of causing harm. The purpose is to test employees’ awareness and vigilance against such threats, providing a practical, hands-on experience in recognizing and handling potential phishing attempts. The results of these simulations are used to identify areas where additional training or resources are needed, with the goal to strengthen the organization’s overall cybersecurity posture.

In addressing the implementation of phishing simulations, we must confront the ethical considerations in phishing tests, especially when weighing the pros and cons of informing employees beforehand.

Transparency: Bolstering Security Culture

A critical aspect of this discussion revolves around the ethical considerations in phishing tests, particularly in how these simulations can impact employees’ trust and the overall security culture.

Informing employees about upcoming phishing simulations can positively contribute to the overall security culture in an organisation. It demonstrates the company’s commitment to an open and honest approach to security matters. Employees aware of such tests can better prepare and learn to handle emails more cautiously.

This is supported by different theories:

"In 2009, Liang and Xue proposed the Technology Threat Avoidance Theory (TTAT). The theory states that a person’s perceived threat susceptibility and perceived threat severity impact their overall perception of the threat. This means that a person’s awareness of their chances to fall victim to a threat and knowledge of the amount of damage the threat could cause to their devices/systems, impacts their ability to determine the true damage that can be caused by a threat. Likewise, a person’s perceived threat, along with safeguard effectiveness, cost, and ease of implementation impact their avoidance motivation." [1]

Announcing phishing tests also fosters a culture of vigilance and collective commitment to security, aligning with the Psychological Contract Theory, which posits that transparency and mutual respect between employer and employee lead to a more engaged and responsible workforce.

Examples for the Psychological Contract Theory

  1. Cybersecurity Training and Resources Provision
    Imagine a company implementing a comprehensive cybersecurity policy. As part of this initiative, the company provides extensive training, resources, and tools for employees to protect themselves and the company from cyber threats. This action forms an unspoken psychological contract: the company expects employees to utilize these resources and uphold cybersecurity protocols. In return, employees expect the company to continue investing in their safety and provide up-to-date tools and information. This mutual understanding and commitment enhance the overall security posture of the organization. If the company fails to provide adequate training or resources, it breaches this psychological contract, potentially leading to reduced employee vigilance and adherence to security protocols.

  2. Flexible Work Arrangements and Remote Access Security
    In a scenario where a company offers flexible work arrangements, including remote work options, there’s an unspoken psychological contract regarding the security of remote access. The employer provides the necessary tools and secure access methods, like VPNs and multi-factor authentication. Employees, in turn, are expected to adhere to security best practices when working remotely. This includes using secure networks, protecting devices from unauthorized access, and ensuring data confidentiality. If the employer does not provide secure remote access tools, it breaks the psychological contract, leading to possible security breaches. Conversely, if employees are negligent in following security guidelines, they violate the contract, risking the company’s cybersecurity.

  3. Incident Reporting and Whistleblower Protection
    In a company that encourages incident reporting and has a robust whistleblower protection policy, employees are expected to report any suspicious activities or security breaches they observe. This expectation forms a psychological contract where employees believe that their reports will be taken seriously and that they will be protected from any form of retaliation. In return, the employees commit to being vigilant and responsible for reporting potential security threats. This contract reinforces a strong security culture within the organization. However, if the company fails to protect employees who report security incidents, or if it ignores their reports, it breaches this contract, leading to a culture of silence and potentially unreported security risks. Conversely, if employees fail to report observed security issues, they are not upholding their end of the psychological contract, weakening the organization’s overall security.

Trust in the Security Team

Transparent communication enhances trust in the security team, resonating with the Trust Theory. This theory emphasizes the importance of building trust through transparency and open communication, which is crucial in any relationship, such as between a doctor and patient, where clear and honest communication builds trust and improves treatment adherence. The same holds for the security team: it is crucial that cybersecurity is not seen as an unnecessary burden on the business, but that the security team is trusted to balance necessary security controls against interruptions of employees’ everyday tasks.

Examples for the Trust Theory

  1. Transparent Communication about Security Breaches
    In a scenario where a company experiences a security breach, the Trust Theory can be applied in how the company communicates with its employees and stakeholders. If the company quickly, transparently, and accurately informs its employees about the breach, the nature of the compromised data, and the steps being taken to mitigate the issue, it builds trust.
    This open communication shows that the company values its employees and stakeholders, and is committed to resolving issues. On the other hand, if the company hides the breach or delays communication, it risks eroding trust, which can lead to lower employee morale and a tarnished reputation. In the realm of cybersecurity, swift and transparent communication following a breach is crucial in maintaining trust.

  2. Implementation of Employee Surveillance Software
    Consider a company that decides to implement surveillance software to monitor employee activities on company devices for security purposes. Trust Theory plays a significant role in how this action is perceived.
    If the company clearly explains the reasons for this monitoring, how it will be conducted, and assures that it respects employee privacy to the maximum extent possible, it can maintain trust. Employees are likely to understand and accept these measures as necessary for security.
    However, if the company implements this surveillance secretly or without clear communication, it can lead to distrust and a feeling of being spied upon.

  3. Collaborative Development of Security Policies
    In an organization where security policies are developed collaboratively with input from various departments, including IT, HR, and employee representatives, Trust Theory is at play.
    By involving employees in the policy-making process, the company shows that it values their input and trusts them to contribute to the organization’s security. This approach can lead to more effective policies, as they are grounded in the practical experience of those who will be implementing them. Additionally, employees are more likely to adhere to these policies as they have played a role in shaping them.
    Conversely, if security policies are imposed top-down without employee input, it can lead to a lack of trust and a feeling that management does not respect or understand the daily challenges employees face, potentially leading to lower policy adherence.

Choong and Theofanos investigated the strengths and weaknesses of a company’s security policies by looking at how its employees perceived these policies. They found that even though such policies are meant to increase overall security, they often neglect human factors and therefore may not yield the desired results. [4]

Sustainability of Security Measures

When employees are pre-informed about phishing simulations, it can lead to long-term vigilance, aligning with the Adult Learning Theory. This theory suggests that adults learn best when they understand the relevance and importance of the information.

Corradini and Nardelli claimed that employees are the first line of defense from cyber attacks. They suggest that analyzing the users’ perception of risks is the first step to tailor educational programs aimed at changing the attitude of users toward cyber attacks. [4]

Examples for the Adult Learning Theory

  1. Tailored Cybersecurity Training for Different Departments
    In an organization, different departments may face unique cybersecurity risks based on their specific roles and access to information. For instance, the finance department might be more susceptible to phishing attacks related to financial transactions, while the HR department might be targeted for sensitive employee data.
    Applying the Adult Learning Theory, training programs should be tailored to the specific needs and contexts of each department. This approach acknowledges that adult learners benefit more from training that is relevant to their specific roles and experiences. By providing context-specific training, employees are more engaged and less likely to be tricked into thinking that general cybersecurity practices are enough for their unique situations. This targeted learning approach helps in creating a more robust and aware workforce across different facets of the organization.

  2. Interactive Cybersecurity Workshops with Real-World Scenarios
    Instead of traditional lecture-based training, organizations could implement interactive cybersecurity workshops that simulate real-world scenarios. These workshops could involve role-playing exercises where employees respond to simulated phishing attempts or breach incidents.
    The Adult Learning Theory suggests that adults learn better through practical, hands-on experiences and problem-solving. By engaging in simulations that mimic real-life situations, employees can better understand the consequences of security lapses and the importance of following protocols. This experiential learning helps in cementing cybersecurity concepts, making employees less likely to be deceived in actual situations.

  3. Participatory Policy Development Workshops
    Organizations can involve employees in participatory workshops to develop or revise cybersecurity policies. According to the Adult Learning Theory, adults feel more invested in learning when they are actively involved in the process. In these workshops, employees contribute their insights and discuss potential security threats they encounter in their daily work. This participative process helps in creating policies that are not only comprehensive but also relevant to the actual challenges faced by employees.
    When employees understand the rationale behind policies and contribute to their development, they are more likely to adhere to these policies and less likely to be misled by security threats. This approach also helps in uncovering potential security blind spots that might be overlooked in a top-down policy development process.

Trust culture within an institution

According to Volkamer et al. [3], the decision whether and how a phishing campaign is announced has profound implications:

  1. Impact on Workplace Relationships and Trust Culture:
    If a phishing campaign is extensively announced, it may lead to increased inquiries to potential senders. In cases where inter-employee relationships are already strained, these inquiries could be misinterpreted, potentially leading to new conflicts.
    On the other hand, if the campaign is not announced and employees recognize the simulated phishing message, they might suspect their colleagues of trying to deceive them. This situation can also inevitably lead to conflicts. Consequently, phishing campaigns, especially those involving messages purportedly from other employees, can negatively impact the workplace atmosphere and the trust culture within the institution.

  2. Employee Perception and Response to Phishing Campaigns:
    Employees who are not properly informed about phishing campaigns might feel deceived. This feeling of deception can lead to a lack of trust in the leadership of the institution, which is detrimental to maintaining effective security compliance.
    The lack of transparency and prior education regarding the recognition and handling of phishing messages is seen as unfair. When employees discover an ongoing undisclosed campaign, it negatively affects their sense of self-efficacy, leading to resignation and a reduced effort to recognize phishing attempts in the future.

  3. Consequences of Employee Humiliation:
    Employees who fall for poorly executed phishing messages might be treated with disrespect by their colleagues, further harming the workplace atmosphere.

But what about realistic testing?

Conversely, some argue that not informing employees creates more realistic conditions, in line with the Situational Leadership Theory. "Situational theorists believe that leadership is a matter of situational demands or circumstances that would determine the emergence of a leader […]" [2] and "despite criticism for weak theoretical foundations and limited research support, this model has been widely used in leadership training within the corporate environment as well as many military settings." [2]
This theory suggests adapting leadership strategies based on the readiness and maturity of the employees.
For example, in parenting, a parent might choose a different approach for a teenager as opposed to a toddler, based on their maturity and understanding levels.

In my view, a security team should eschew any implicit hierarchy and collaborate as an equal partner within the organization, maintaining parity with all employees.

Whether to conduct phishing simulations without prior notice remains a dilemma: it is a conflict between achieving realistic testing conditions on one side and maintaining fairness towards employees and building a strong security culture on the other. As we examine the effectiveness of phishing simulations, the ethical considerations in phishing tests emerge as a pivotal factor, especially when it comes to creating training environments that are realistic yet fair.

Realistic Testing Conditions

  • Unannounced Simulations: Conducting phishing simulations without prior warning or education offers a more realistic test of employees’ natural vigilance and reflexive responses to phishing attempts. In real-world scenarios, individuals are not forewarned about phishing attacks, making unannounced simulations a true test of an organization’s cybersecurity preparedness.
  • Immediate Assessment: This method allows organizations to assess the current level of awareness and preparedness among employees, providing a clear, unfiltered picture of potential vulnerabilities in their human firewall.
  • Authentic Reactions: Unannounced simulations capture genuine reactions and decision-making processes, offering valuable insights into areas where training is most needed.

The Issue of Fairness

  • Lack of Preparedness: Without prior education on how to detect phishing emails, employees are essentially ‘set up to fail.’ This approach can be perceived as unfair, as it assesses employees on skills they have not been adequately equipped to handle.
  • Impact on Morale and Trust: As described above, discovering that they have been part of an unannounced test, especially if they fall for the phishing email, can lead to feelings of betrayal and embarrassment among employees. This can erode trust in the organization and its leadership, creating a sense of being tested in a ‘gotcha’ scenario rather than being supported in their professional development.
  • Risk of Negative Reinforcement: Employees who fall for the simulation without having been given the tools to recognize it can become demoralized. This experience might not be educational but punitive, reducing their confidence and potentially leading to a resigned attitude towards cybersecurity practices.
  • Ethical Considerations: There are ethical implications in testing employees without prior education. It raises questions about the balance between the need for security and respect for employees’ dignity and professional development needs.

Balancing Realism and Fairness

  • Transparent Communication: Communicating the purpose and benefits of these simulations, even if details about an upcoming phishing simulation are not disclosed, can prepare employees for the possibility of such tests and mitigate feelings of unfairness or deception.
  • Baseline Testing Followed by Education: If the process has been communicated transparently beforehand, conducting an initial, unannounced phishing test to establish a baseline, followed by comprehensive education and regular, announced simulations, is a reasonable way to obtain realistic results while maintaining trust in the security team and the security culture in an organisation.

In summary, the decision to inform employees about ongoing phishing simulations depends on the company culture and cybersecurity strategy goals. The key is finding a balance that maintains trust and at the same time educates employees without creating an environment of suspicion or fear.

While discussing the various strategies for cybersecurity training, a significant focus is placed on the ethical considerations in phishing tests, highlighting the need for a balanced approach that respects employee rights and fosters a positive learning environment.

But maybe phishing simulations aren’t the best way to train your users anyway, as this research suggests:

"Because training requires time, it is often avoided. Less time-demanding approaches should be designed, such as integrating into warning messages for phishing attacks fragments of knowledge on how to recognize phishing sites besides alerting the users […]. The results of the recent study by Xiong et al. […] indicate that providing training information in warning messages does not overload users and the messages are effective." [4]

Conclusions about ethical considerations in phishing tests

As we navigate the intricate web of phishing simulations, transparency, and trust within a possible cybersecurity framework, it becomes increasingly clear that the path ahead is not just about choosing between announced and unannounced simulations. The real challenge lies in integrating these exercises into a broader, more holistic cybersecurity strategy.

But questions remain: How do we effectively measure the impact of our training methods? What alternative approaches can we employ to ensure our employees are not only aware but also resilient against cyber threats? And amidst all these considerations, how do we align our strategies with the stringent legal and compliance frameworks, especially in the nuanced landscape of German data protection laws?

In upcoming articles, we will delve deeper into these questions, exploring approaches and solutions that balance security needs with ethical considerations and legal compliance. The journey towards a robust and resilient cybersecurity culture is complex and multifaceted, and one thing is certain – the decisions we make today will shape the security landscape of our organizations for years to come. Stay tuned as we unravel these challenges and discover different approaches in the realm of cybersecurity training and awareness.


Sources:

[1] Alex Sumner, Xiaohong Yuan, Mohd Anwar & Maranda McBride (2022). Examining Factors Impacting the Effectiveness of Anti-Phishing Trainings. Journal of Computer Information Systems, 62:5, 975-997. DOI: 10.1080/08874417.2021.1955638

[2] Arenas, F. J., Connelly, D., & Williams, M. D. (2017). Situational Leadership. In Developing Your Full Range of Leadership: Leveraging a Transformational Approach (pp. 9–11). Air University Press. http://www.jstor.org/stable/resrep13849.14

[3] Volkamer, M., Sasse, M. A., Boehm, F. (2020). Phishing-Kampagnen zur Mitarbeiter-Awareness: Analyse aus verschiedenen Blickwinkeln: Security, Recht und Faktor Mensch. Karlsruher Institut für Technologie (KIT). https://publikationen.bibliothek.kit.edu/1000119662

[4] Desolda G., Ferro L., Marrella A., Catarci T., Costabile M. (2021). Human Factors in Phishing Attacks: A Systematic Literature Review. ACM Comput. Surv. 54, 8, Article 173. https://doi.org/10.1145/3469886

[5] Lastdrager E. (2014). Achieving a consensual definition of phishing based on a systematic review of the literature. Crime Science 3, 1 (2014), Article 9. https://doi.org/10.1186/s40163-014-0009-y


Tags

awareness training, ethics, phishing, phishing simulations, security awareness, security culture
