Measuring Phishing Risk


Phishing combines social engineering with technical subterfuge to disguise malicious intent. Specifically, phishing employs spoofed e-mails, seemingly from legitimate businesses and agencies, designed to trick recipients into activating links or opening attachments. The objective is to lead unwitting victims to counterfeit Web sites that trick them into divulging financial data or credentials, or that attack their browsers with malware.

The Problem

Phishing has become the attack vector of choice for cybercriminals seeking to breach corporate cybersecurity defenses. This is due, in part, to the fact that corporations are victims of their own success: their perimeter defenses are strong as the result of effective network engineering, firewall deployment, and penetration testing. This often makes phishing the "path of least resistance" to gaining a foothold inside the enterprise, and leaves employees as the weakest link in the defensive chain.

The Solution

There are two ways that companies strive to protect themselves from phishing attacks: awareness and testing. The former involves sensitizing employees to the threat of phishing through training and awareness initiatives designed to put individuals on their guard. Progress is hard to measure, however, which leads to the second approach: conducting internal (i.e. sanctioned) phishing exercises in an attempt to calibrate overall risk, identify repeat offenders, and illuminate trends.

The Approach

A well-planned internal phishing campaign can be effective both in assessing an organization's overall vulnerability to phishing attacks and in identifying the personnel who pose the greatest risk.

We suggest the following Best Practices for internal Phishing exercises:

  • Manage the exercise like a project with a well-defined plan and timeframes
  • Plan to conduct multiple blasts of phishing emails for each target to ensure sufficient and fair “participation” and meaningful results
  • Define a scoring scheme that rewards good behavior and penalizes bad behavior
  • Be prepared with a documented “remediation” plan for handling high risk individuals. Coordinate with HR department to ensure the fairness and legality of your plan.
  • Make sure employees know how to report suspicious emails within the organization, since reporting is the behavior the exercise should be measuring and rewarding

The Metrics

We suggest that the metrics you capture from your phishing initiatives reflect the following principles:

  • Targets should not be penalized for reading a phishing email
  • Targets should be penalized for clicking a link in a phish
  • Targets should be penalized for surrendering sensitive information, such as login credentials, to a greater degree than those who only click
  • Ignoring a phish should be rewarded
  • Reporting a phish should be rewarded, and to a degree greater than just ignoring it

This leads us to the following "Phishing Risk" calculation scheme, which uses a single score on a 10-point scale to reflect the relative phishing risk associated with a target, based on their behavior across multiple phishing exercises. Targets begin with a "neutral" score (5) in the middle of the range, and the score is increased or decreased based on their reaction to each internal phish. Because the scale is bounded, a score is held at 0 or 10 rather than moving beyond the range. Thus, the higher the score, the more risk the target represents.

Specifically, the score is changed as follows for each of the indicated "behaviors" observed (record one behavior per target per phish, the worst one observed):

Behavior observed                                   Score change
Ignores phishing attempt                            decrease score by 1
Reports phishing attempt                            decrease score by 2
Clicks on phishing attempt                          increase score by 1
Surrenders sensitive info during phishing attempt   increase score by 2

After several phishing attempts (we suggest a minimum of 4), the target's score will usually have placed them in one of the following risk categories:

0 ≤ SCORE ≤ 3     low risk
3 < SCORE ≤ 7     medium risk
7 < SCORE ≤ 10    high risk
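The scoring scheme above (and the metric principles in the previous section) are easy to get subtly wrong in a spreadsheet: the score must be clamped to the 0 to 10 range, a target who both clicks and surrenders credentials in the same blast must be counted once at the worse behavior, and nobody should be categorized before the minimum number of attempts. The following added example (not code from the original article) implements the scheme end to end over a constructed event log; the campaign names, target names and the `assess` helper are assumptions made for illustration, and clamping after every step rather than only at the end is an assumption the article does not spell out.

```python
from collections import defaultdict
from enum import Enum


class Behavior(Enum):
    """One outcome recorded per target per phish (the worst observed)."""
    IGNORED = "ignored"          # read or unread, but no click and no report
    REPORTED = "reported"        # reported through the organization's channel
    CLICKED = "clicked"          # followed the link but gave nothing away
    SURRENDERED = "surrendered"  # entered credentials or other sensitive data


# Score deltas from the article's scheme; a higher score means more risk.
DELTAS = {
    Behavior.IGNORED: -1,
    Behavior.REPORTED: -2,
    Behavior.CLICKED: +1,
    Behavior.SURRENDERED: +2,
}

NEUTRAL_SCORE = 5
MIN_SCORE, MAX_SCORE = 0, 10
MIN_ATTEMPTS = 4  # the article's suggested minimum before categorizing


def apply_behavior(score, behavior):
    """Apply one delta and hold the result inside the 0..10 scale.
    Assumption: clamp after every step (the article does not say)."""
    return max(MIN_SCORE, min(MAX_SCORE, score + DELTAS[behavior]))


def score_target(behaviors):
    """Run a target's behaviors, in campaign order, from the neutral score."""
    score = NEUTRAL_SCORE
    for behavior in behaviors:
        score = apply_behavior(score, behavior)
    return score


def risk_band(score):
    """Map a 0..10 score to the article's three categories."""
    if not MIN_SCORE <= score <= MAX_SCORE:
        raise ValueError(f"score {score} outside {MIN_SCORE}..{MAX_SCORE}")
    if score <= 3:
        return "low"
    if score <= 7:
        return "medium"
    return "high"


def assess(events):
    """events: iterable of (campaign, target, Behavior) tuples.
    Returns {target: (score, attempts, band)}; band is None when the target
    has not yet seen MIN_ATTEMPTS phishes."""
    per_target = defaultdict(dict)
    for campaign, target, behavior in events:
        # A tool may log both a click and a credential submission for one
        # phish; keep only the worst behavior for that campaign.
        prev = per_target[target].get(campaign)
        if prev is None or DELTAS[behavior] > DELTAS[prev]:
            per_target[target][campaign] = behavior
    results = {}
    for target, by_campaign in per_target.items():
        ordered = [by_campaign[c] for c in sorted(by_campaign)]
        score = score_target(ordered)
        band = risk_band(score) if len(ordered) >= MIN_ATTEMPTS else None
        results[target] = (score, len(ordered), band)
    return results


# Constructed sample log (hypothetical campaigns and targets): four blasts.
SAMPLE_EVENTS = [
    ("2024-Q1", "alice", Behavior.REPORTED),
    ("2024-Q2", "alice", Behavior.REPORTED),
    ("2024-Q3", "alice", Behavior.REPORTED),
    ("2024-Q4", "alice", Behavior.REPORTED),
    ("2024-Q1", "bob", Behavior.IGNORED),
    ("2024-Q2", "bob", Behavior.CLICKED),
    ("2024-Q3", "bob", Behavior.IGNORED),
    ("2024-Q4", "bob", Behavior.CLICKED),
    ("2024-Q1", "carol", Behavior.CLICKED),
    ("2024-Q2", "carol", Behavior.CLICKED),      # same blast as the next line
    ("2024-Q2", "carol", Behavior.SURRENDERED),  # counted once, as SURRENDERED
    ("2024-Q3", "carol", Behavior.CLICKED),
    ("2024-Q4", "carol", Behavior.SURRENDERED),
    ("2024-Q1", "dave", Behavior.REPORTED),
    ("2024-Q2", "dave", Behavior.IGNORED),       # only two attempts so far
]

if __name__ == "__main__":
    for target, (score, attempts, band) in sorted(assess(SAMPLE_EVENTS).items()):
        print(f"{target:6} score={score:2} attempts={attempts} band={band}")
```

In the sample, alice reaches 0 (the floor stops her at 0 rather than -3), bob oscillates back to the neutral 5, carol is held at the ceiling of 10 after her fourth blast, and dave gets a score but no category because he has only been tested twice. Feed real campaign exports in as `(campaign, target, Behavior)` tuples and the same code produces the per-target scores the remediation plan keys off.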

Identifying high-risk individuals in this way is objective, measurable, and fair.  Remediation should occur per your previously defined remediation plan.


Internal phishing exercises are valuable and can be an effective means to understand the organization's overall vulnerability to phishing, identify high-risk individuals, and demonstrate (hopefully downward) trends in bad behavior. Doing so requires strong planning and execution not only of the phishing blasts themselves, but also of the training and remediation plans they must be carefully coordinated with.