Google Online Security Blog

On Fire Drills and Phishing Tests

Modern phishing tests, much like early fire evacuation tests, focus on individual performance and often result in blaming employees for falling for simulated attacks. These tests, while mandated by regulations like FedRAMP, lack evidence of reducing successful phishing attacks and can be counterproductive, as shown by research on "repeat clickers." Furthermore, bypassing existing anti-phishing defenses for testing purposes creates an inaccurate risk perception and burdens detection and response teams with unnecessary reports. This approach also damages trust between employees and security teams.

Instead of these adversarial tests, the cybersecurity industry should adopt a "phishing fire drill" approach, similar to modern fire safety practices. This involves educating employees on identifying and reporting phishing attempts through clear instructions and practice exercises. A phishing fire drill would focus on training employees to recognize phishing emails and report them effectively, rather than tricking them. Metrics collected during these drills would focus on reporting speed and engagement, providing valuable data for security teams.

Ultimately, while educating employees about phishing is crucial, a more effective long-term solution lies in investing in secure-by-default systems and engineering defenses like unphishable credentials and multi-party approval processes for sensitive operations. This shift in approach would foster a more collaborative and less adversarial security culture, empowering employees to become active participants in organizational security. By acknowledging the limitations of human fallibility and prioritizing robust system defenses, organizations can better mitigate the risks posed by phishing attacks.