Can Training Reduce Spear Phishing Risk?
In this case study, shared by RiskLens through the FAIR Institute in 2016, a FAIR analysis compares two scenarios to determine whether a phishing awareness/training program reduces the risk of spear and regular phishing attacks against sensitive customer data stored on internal systems. The simulated annualized loss exposure fell only from about $400K to $385K on average, because a campaign needs just one recipient to act for the attacker to gain a foothold. Management therefore prioritized a different control, email sandboxing, over training.
Presentation Transcript
USING FAIR, DOES TRAINING HELP REDUCE SPEAR PHISHING RISK?
Case study shared courtesy of RiskLens
CONFIDENTIAL - FAIR INSTITUTE 2016
ANALYSIS SCOPING
Risk scenario description: Understand whether training can reduce the risk associated with spear and regular phishing
Asset(s) description: Sensitive customer data (PII and potentially HIPAA-covered data) stored on internal systems
Loss type: Confidentiality
Threat(s) description: Targeted spear and regular phishing attacks by external threat actors
ANALYSIS SCOPING: Assessing Risk Reduction by Comparison of Scenarios
1. Assessed the current state's risk based on the known controls in place today*
2. Assessed how much risk there would be given the implementation of a phishing awareness/training program
*Assumption: the current state already includes various email filtering/gateway controls that reduce the number of phishing emails that arrive in an employee's inbox.
ANALYSIS RESULTS
Risk = frequency x magnitude of future loss. We express risk in terms of loss exposure.
ANNUALIZED REDUCTION IN LOSS EXPOSURE (RISK)

  Analysis                  Minimum*   Average   Maximum*
  Current State             $4K        $400K     $2.3M
  w/ Awareness Training     $2K        $385K     $2.2M
  Change: average loss exposure reduction of $15K

*Min is the 10th percentile and Max the 90th percentile of the simulation results, i.e. the more probable range rather than the absolute extremes.
ANALYSIS RESULTS: Estimated Loss Exposure for a Single Event*
*An additional probability is applied to the likelihood: when a phishing campaign succeeds, the threat actor must still leverage that foothold to identify, obtain, and exfiltrate the sensitive data successfully.
ANALYSIS RESULTS: Interpreting the Results
Awareness and training: reduce the probability that phishing emails which get through the email gateway and filtering are opened and acted on by an employee.
Awareness campaign: estimated* to reduce the probability of employee action by 8-25%.
Important note: we defined a phishing campaign as a "threat event". A single spear or regular phishing campaign often includes many individual emails.
*Estimated as a range (distribution) rather than a single point value.
ANALYSIS RESULTS: Why Is the Change So Small?
Industry data on phishing campaigns show a 90% success probability, rising to 99% if the campaign is run a second time.
It only takes one employee taking action for the threat actor to gain a foothold in the network. Because the campaign succeeds if any one of its many recipients acts, lowering each individual's probability of action by 8-25% barely changes the campaign's overall probability of success.
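The following script is an added worked example, not code from the RiskLens/FAIR Institute deck. It runs a small Monte Carlo version of the comparison on slides 4, 6 and 7: annual loss exposure is reported as the 10th percentile, mean and 90th percentile, training is modelled as an 8-25% reduction in each employee's probability of action, and a campaign gains a foothold when any one recipient acts (P = 1 - (1 - p)^n). Every input range (campaigns per year, emails per campaign, per-email click probability, foothold-to-exfiltration probability, loss per event) is a constructed assumption chosen only to land in the same ballpark as slide 4; none is a calibrated figure from the actual analysis, and the triangular distributions and common-random-numbers design are likewise this example's choices.

```python
"""Monte Carlo sketch of the FAIR training-vs-no-training comparison.

Added example; not RiskLens / FAIR Institute code.  Every input range below is
a constructed assumption, not a calibrated input from the case study.
Standard library only (Python 3.8+).
"""
import random
import statistics

# ---- Constructed inputs as (min, most likely, max); each is sampled from a
# ---- triangular distribution, a common stand-in for calibrated estimates.
CAMPAIGNS_PER_YEAR = (2, 4, 8)            # threat event frequency after gateway filtering
EMAILS_PER_CAMPAIGN = (20, 60, 200)       # recipients per campaign (one campaign = one threat event)
P_ACTION_PER_EMAIL = (0.02, 0.05, 0.12)   # P(one employee clicks / opens / replies to one email)
P_FOOTHOLD_TO_EXFIL = (0.05, 0.15, 0.35)  # slide 5: foothold -> sensitive data found and exfiltrated
LOSS_PER_EVENT_USD = (20_000, 150_000, 1_500_000)  # primary + secondary loss per confidentiality event
TRAINING_REDUCTION = (0.08, 0.25)         # slide 6: training lowers P(action) by 8-25% (uniform range)


def tri(rng, lo_mode_hi):
    """Sample a triangular distribution given as (min, mode, max)."""
    lo, mode, hi = lo_mode_hi
    return rng.triangular(lo, hi, mode)


def campaign_success_prob(p_action, n_emails):
    """Slide 7: a campaign succeeds when at least one recipient acts,
    so P(foothold) = 1 - (1 - p)^n.  For n=100 and p=0.05 that is ~0.994;
    cutting p by 25% to 0.0375 only lowers it to ~0.978."""
    return 1.0 - (1.0 - p_action) ** n_emails


def simulate_year(rng, training):
    """Annual loss (USD) for one simulated year.

    All random draws for a campaign are made before the branch on `training`,
    so the current-state and training runs consume identical random streams
    (common random numbers) and differ only through the reduced P(action).
    """
    loss = 0.0
    for _ in range(round(tri(rng, CAMPAIGNS_PER_YEAR))):
        p_action = tri(rng, P_ACTION_PER_EMAIL)
        reduction = rng.uniform(*TRAINING_REDUCTION)
        n_emails = round(tri(rng, EMAILS_PER_CAMPAIGN))
        u_foothold = rng.random()
        p_exfil = tri(rng, P_FOOTHOLD_TO_EXFIL)
        u_exfil = rng.random()
        event_loss = tri(rng, LOSS_PER_EVENT_USD)
        if training:
            p_action *= 1.0 - reduction
        # Loss event = foothold gained AND sensitive data actually exfiltrated
        if u_foothold < campaign_success_prob(p_action, n_emails) and u_exfil < p_exfil:
            loss += event_loss
    return loss


def loss_exposure(training, trials=20_000, seed=2016):
    """10th percentile, mean and 90th percentile of annual loss, as on slide 4."""
    rng = random.Random(seed)
    yearly = [simulate_year(rng, training) for _ in range(trials)]
    deciles = statistics.quantiles(yearly, n=10)  # deciles[0] = P10, deciles[8] = P90
    return {"p10": deciles[0], "avg": statistics.fmean(yearly), "p90": deciles[8]}


def compare(trials=20_000, seed=2016):
    """Run both scenarios on the same random stream and report the change."""
    current = loss_exposure(False, trials, seed)
    trained = loss_exposure(True, trials, seed)
    reduction = current["avg"] - trained["avg"]
    return {"current": current, "training": trained,
            "avg_reduction": reduction,
            "relative_reduction": reduction / current["avg"]}


if __name__ == "__main__":
    r = compare()
    print(f"{'Analysis':<24}{'Min (P10)':>12}{'Average':>12}{'Max (P90)':>12}")
    for label, key in (("Current State", "current"), ("w/ Awareness Training", "training")):
        e = r[key]
        print(f"{label:<24}{e['p10']:>12,.0f}{e['avg']:>12,.0f}{e['p90']:>12,.0f}")
    print(f"Average loss exposure reduction: ${r['avg_reduction']:,.0f} "
          f"({r['relative_reduction']:.1%})")
```

Run it with `python3 fair_phishing.py` (any filename works) to print a table in the shape of slide 4. The relative reduction comes out in the low single digits of a percent, for the same reason the deck gives: with tens to hundreds of recipients per campaign, 1 - (1 - p)^n is already close to 1, and shrinking p by a quarter moves it very little. The common-random-numbers design matters for a comparison like this: without it, the two scenarios' sampling noise can be larger than the control's effect, and the sign of the difference becomes unreliable.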
ANALYSIS LEVERAGED THE FAIR MODEL
Risk
  Loss Event Frequency
    Threat Event Frequency
      Contact Frequency
      Probability of Action
    Vulnerability
      Threat Capability
      Resistance Strength
  Loss Magnitude
    Primary Loss
    Secondary Loss
      Secondary Loss Event Frequency
      Secondary Loss Magnitude
ANALYSIS CONSIDERATIONS
- Frequency of phishing campaign emails landing in employee inboxes (contact frequency)
- Estimating the resistance strength of the workstation based on its configuration and patching
- The probability that an employee will take action on the email by clicking links, opening attachments, or providing sensitive information (probability of action)
ANALYSIS INPUT
Primary losses: incident response; investigation
Secondary losses: notification / credit monitoring; regulatory notification; possible fines / judgments; customer service requests; potential litigation; loss of current/future customers (reputation); card replacement
DECISION SUPPORT / ROI: This Analysis Supported Management's Prioritization
- Training did not show any material reduction of the risk associated with phishing campaigns.
- Management decided to pursue an alternative phishing-related control, email sandboxing, over training.
- Sandboxing has higher costs, but its risk reduction was far more significant (separate analysis conducted).