GNU social JP
GNU social JP is a GNU social server in Japan.
    cR0w :cascadia: (cr0w@infosec.exchange)'s status on Friday, 12-Jan-2024 09:31:48 JST

    This got more responses than I'm used to, which is brilliant, but I don't think I can respond to them all. And based on some of the responses, I don't think I was entirely clear, so here's a bit of a follow-up:

    It's possible there is a baseline of clicks recorded by previews, scanners, and users attempting to be careful in how they approach the link (i.e. curl | less). However, this is an enterprise product that has been in use for a while, including by this org, and if it was assigning users training that didn't click, I would think it would have been addressed. I don't know for sure though since I don't run that software.

    Several people mentioned potential reasons for users clicking: They're curious, they don't care about the org, they're trying to get a new laptop, the training makes for an easy workload for part of a day, etc. The thing is, I don't care. At all. My point in this was to prove that links will continue to get clicked, regardless of how well users are trained or informed. Intent and blame are meaningless here. What matters is that systems are built with that expectation in mind from the start. And while basic user training is beneficial, beyond checking a compliance checkbox, it provides no security benefit.

    As far as metrics in relation to other months of "training" in 2023 go, the number of views was roughly the same as other months, the number of reported emails was above average, but not as high as some months with attempted ruses, and the number of clicks was higher than in two of the other months. Read into that what you will, but my only takeaway from that is that links get clicked.

    I also didn't mention that a big part of why I approached the phishing trainer when I did is because of the human element. The end of the year, with the holidays and layoffs all over the place, is a stressful time on its own. Creating a false hope for something like a bonus or gift in the name of security or training is an idea that needs to die. Users, otherwise known as the people who actually keep the org running, are already stressed. Don't make things worse.


GNU social JP is a social network, courtesy of the GNU social JP administrator. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.