Wednesday, February 4, 2009

Missing the Point

I have been keeping an eye on this story about the Justice Department testing their security awareness training. It looks like it has just about played out and that most of the facts are known. So I guess I will spend a few minutes and comment.

The point of the exercise has been lost due to the media scrutiny.

It has moved on to "you caused other components so much work", "you didn't coordinate", etc, etc. My takeaway from this entire story is that it is a story at all.

The training program has apparently suffered an epic fail. While I admit it was probably a bonehead move not to let the supposed target of the scam know, everything else sends a few clear messages:
  • The users didn't recognize the scam; they bought it hook, line and sinker. So much so that they forwarded it to their friends and colleagues in other agencies, who then also fell for it;
  • Some users did realize what was happening and began to take corrective actions - specifically identified in this story;
  • Something that has been suspiciously omitted is the statistics.
I did try to put together a timeline, but for every article about it there is a differing timeline.

What is clear is that there is more work to be done. In the initial story I linked to, there are some words at the end about things improving and fewer people falling for it. The fact that there weren't even some vague generalities about "we sent it to 50,000 people and only 12 went to the site" tells me that it was obviously more than 12. More likely it was something embarrassing, like 25% of the targets. Also, add on people in other agencies who weren't even targeted but went to the site anyway. I think that is more than a few.
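The statistics the post says were withheld are cheap to produce from a simulation's own logs, and they are what separates a training exercise from an embarrassing e-mail. The scorer below is an added example (my code, not from the post or from the Justice Department exercise): it takes a target roster and an event log, both constructed inline here, and reports the click rate among targets, the report rate, how many targets forwarded the message, and how many non-targets clicked because of that spillover. The user names, agency labels and event names are assumptions.

```python
"""Score a phishing-awareness simulation from its event log (added example)."""

# Constructed roster: the users the exercise was actually sent to.
# Names and the "agency-a"/"agency-b" labels are invented for this example.
TARGETS = {"a1", "a2", "a3", "a4", "a5", "a6", "a7", "a8"}

# Constructed event log as (user, action) pairs in time order.
# Users starting with "b" are in another agency and were never targeted;
# they only see the message because a target forwarded it.
EVENTS = [
    ("a1", "clicked"),
    ("a2", "clicked"),
    ("a2", "forwarded"),
    ("a3", "reported"),
    ("a4", "clicked"),
    ("a4", "reported"),   # clicked first, then reported it
    ("b1", "clicked"),    # spillover: not a target
    ("a5", "forwarded"),
    ("b2", "clicked"),    # spillover: not a target
    ("a1", "clicked"),    # repeat click by the same user counts once
]


def score_exercise(targets, events):
    """Return the headline numbers a simulation report should state."""
    clicked = set()        # targets who visited the landing page
    reported = set()       # targets who reported the message
    forwarders = set()     # targets who forwarded it on
    spillover = set()      # non-targets who clicked anyway

    for user, action in events:
        is_target = user in targets
        if action == "clicked":
            (clicked if is_target else spillover).add(user)
        elif action == "reported" and is_target:
            reported.add(user)
        elif action == "forwarded" and is_target:
            forwarders.add(user)

    n = len(targets)
    return {
        "targets": n,
        "targeted_clicked": len(clicked),
        "click_rate_pct": round(100.0 * len(clicked) / n, 1) if n else 0.0,
        "reported": len(reported),
        "report_rate_pct": round(100.0 * len(reported) / n, 1) if n else 0.0,
        # Reporting after clicking is still worth counting separately:
        # it is the "began to take corrective actions" case.
        "clicked_then_reported": len(clicked & reported),
        "reported_without_clicking": len(reported - clicked),
        "forwarders": len(forwarders),
        "spillover_clicked": len(spillover),
    }


if __name__ == "__main__":
    for key, value in score_exercise(TARGETS, EVENTS).items():
        print(f"{key:26s} {value}")
```

On the constructed data this gives a 37.5% click rate among the eight targets, a 25% report rate, two forwarders, and two clicks from people who were never on the roster. A report that states those numbers, even if they are bad, tells the next round of training where to aim; a report that withholds them tells you only that they were bad.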

Justice will never get 100% of the people to not fall for a phishing scam, but I do hope that they can get it down to 12. I applaud the efforts of Justice and in the future I would like to see more of this. It looks bad from a PR perspective, I know. As a security professional, it gives me confidence that more than a PowerPoint is being emailed out as security training.
