The ethics of ethical phishing: how to ethically phish your employees

Getting the ethics of deception right is crucial to conduct ethical phishing in a safe manner.

A quick search on the term ‘phishing’ identifies about 80,000 items in Google Scholar; ‘ethical phishing’ returns around 9,700. These results are evidence, primarily, of the many methodologies and strategies employed to understand how and why phishing emails succeed, and the measures required to combat them. The results are also evidence of the vast amount of brain power that continues to go into research to understand and outwit the phisher.

So, while these 80,000+ results may beg the question, ‘what is not known about phishing?’, the more pragmatic questions to ask are:

What are we actually doing about phishing?

and

Are we making best use of the research out there when designing our simulated phishing?

‘Ethical’ phishing?

You may have conducted simulated phishing campaigns within your organisations. That is to say, you’ve sent deliberately deceptive emails to staff to gauge their response (susceptibility). Do they click on that dodgy link? Is the communication reported as suspicious? Do they know how to deal with it? Has the investment in security awareness training paid off?

While such exercises can provide useful monitoring data on security awareness and behaviours which help to quantify risks and identify vulnerabilities, the complexity of phishing vulnerability in the workplace is only just beginning to be understood.

As researchers from a recent study at the University of Bath said: “It is increasingly clear that a one-size-fits-all approach [to phishing] is unlikely to be sufficient, with the wider message, individual and context-related factors…requiring attention.”

Indeed, the debate is ongoing about the usefulness of simulated phishing, a primary objection being it contributes to the development of a negative, blame-based security culture, something the National Cyber Security Centre (NCSC) says is simply ‘not OK’, for good reasons. It believes training should be about ‘building confidence and empowering users’ so they can make informed decisions, not catching people out or punishing them.

The way in

Carefully constructed simulated phishing campaigns can be a useful ‘way in’ to begin to get a handle on security awareness within an organisation, and to begin to consider and understand some of the underlying causes and mechanisms driving response behaviour.

So, what does ‘done well’ mean, and what does it look like? In any endeavour involving human participants, there’s a right and wrong way to do things – so where are the ethics in all this?

The ethics of deception

Clearly, conducting an ethical phishing campaign involves deception. In deliberately sending our employees a link that they shouldn’t click on, or asking them to disclose sensitive data to an untrusted source, we raise questions of trust, self-control, self-awareness, responsibility and accountability.

It is not unreasonable to assume there may be emotional experiences involving anxiety or distress attached, either directly or indirectly, to an experience of deception. We are all human and bring to the workplace a lifetime’s experience shaped by our interaction with our environment, including the people around us. We may know someone who has been the victim of a phishing attack. We may have fallen victim to an attack ourselves.

If an employee feels they have done something wrong by clicking on a dodgy link, difficult emotions of guilt and shame may be triggered. An employer must consider all necessary measures to mitigate against negative consequences of the interventions and actions it undertakes.

The last thing we want to do is antagonise our workforce, cause unwarranted emotional distress among employees, or reduce faith in management effectiveness. So, what’s to be done? Let’s look a little closer…

What can we learn from research about the use of deception?

The value of deception, particularly within psychological research involving human participants, has been and continues to be hotly debated. For those familiar with the famous Milgram study on obedience to authority (1963), the value of deception speaks for itself.

As a simple steer towards a better understanding of the impacts and outcomes of exercises involving deception, social psychologist, Professor Allan Kimmel, says: 

“What is needed… is a careful evaluation of the circumstances under which it [deception] can be employed in the most acceptable manner.”

""

I am inclined to agree, and with that in mind, I thank Rasha Salah El-Din, a researcher from the University of York, for her careful evaluation of circumstances surrounding the conduct of phishing research, from which she proposes a roadmap. I suggest that this roadmap, adapted and applied to a workplace setting, enables phishing campaigns to be conducted ’in a most acceptable manner’. That is, in a way that builds a resilient security culture, fully aware of the many factors at play, including balance against business needs.

How to ethically phish your employees

Overarching guide:

Take the necessary time to plan your simulated attack, identify suitable metrics, and make it a positive experience for your employees. Let’s break it down by phases:

Pre-launch

""

Explain why the campaign is happening and ensure recipients have an opportunity to raise issues or concerns at any point.

""

Prepare suitable notifications for internal communications channels, and ensure senior management, key business units and staff representative groups have been alerted and understand the reasons for the proposed campaign.

""

Prepare your fraudulent email text. You may wish to mimic those already received by your organisation or create your own utilising urgency cues and personalisation; there are many examples out there.

""

Launch

""

Remain mindful of wellbeing both of those who will receive the fake emails and those conducting the campaign. Seek guidance from whoever has responsibility for occupational health – consider how anxiety and panic should be handled – and include any preparatory measures in this regard.

""

Ensure your workforce knows the process for reporting suspicious emails. If the campaign is part of your security awareness training programme, make sure that all employees in the campaign have received prior training. Provide a level playing field and don’t set your employees up for failure.

""

Post-launch and Follow-up

""

Consider your audience and how you will communicate the results of the exercise, including how you will debrief individuals. The underlying causes and mechanisms that trigger responses in your organisation are likely to be complex.

""

Post-campaign focus groups can provide nuanced insights into the contextual factors that may be influencing susceptibility and awareness. Focus groups can also reduce the likelihood of individuals feeling targeted. They serve to promote discussion among colleagues, further raising awareness of security behaviours within the workplace setting.

""

Follow appropriate data protection guidance. If the results of the campaign reveal individual behaviours that pose a high level of risk (and so require mitigating measures) and individual performance data may be shared beyond the scope of the initial exercise, seek the participants’ consent to use their information.

""

Bring added value across the whole organisation by recognising that the language of threat and blame has limitations. Instead, shift the focus towards building a culture of security and support.

""

To err is human

We are all human and prone to error. If an organisation wishes to make cybersecurity everyone’s business, then the care it takes when conducting simulated phishing exercises may translate into the care its employees take in protecting the business. Ultimately, merit will lie in fully understanding the individual within a broader organisational context. Consider the cultural, emotional, cognitive, motivational, technical and other organisational factors at play in employee security behaviours, and design mitigations around those insights.

Or, as our friends at the University of Bath suggest:

“By focusing on the development of collaboration with security in order to achieve mutual goals (ie, to reduce the phishing threat), uncertainties regarding the role and operations of security functions may be reduced and a greater understanding of the vulnerabilities of security systems developed.”

""

So, identify weak links and unacceptable risk behaviours if you must, but then seek to understand and influence the mechanisms that may be influencing those behaviours – ethically, and with skill.

Interest piqued?
See how The Security Company can make a comprehensive analysis of, and recommendations for your information security programme here.