Welcome to NBlog, the NoticeBored blog

I may meander but I'm 'exploring', not lost

Jun 22, 2007

Phishing? What's that?

Nearly half the adult population of the UK does not know what phishing is, and relatively few of them understand it well enough to explain it confidently. Despite that headline, the Banking News piece (based on an interview with PayPal's CISO who probably knows a good deal more about phishing than most phishers) ends with a comment that [just] 2% of people fall prey to phishing scams.

Helping that final 2% see the error of their ways is no easy ask of any security awareness program. A proportion of people in any population is naturally resistant to awareness, training and education, for all sorts of reasons: low IQ, dementia, confusion, "cognitive difficulties", perhaps even dyslexia and other recognised communications issues (how many security awareness programs cater specifically for blind IT users, for instance?); short attention span, distractions, no time to focus on the issue; carelessness etc.

Spreading scare stories is one approach, I guess, but that creates a different risk: reducing confidence in the Internet and banking systems is hardly an effective response by the Internet banks.

Our own preferred approach to security awareness is to be creative and engaging in the modes of delivery of information and advice, consistent in the core security messages, and repetitive. Some people just need to be told something more than once. More than once. There may be a fine line between repetition/reinforcement and brainwashing but that fine line is a long way North of once-a-career induction training or once-a-year security awareness sessions. Can you imagine a world in which Coca Cola, for instance, decided only to advertise once a year using just one medium? No point-of-sale displays, no logos on the delivery trucks and product packaging, no more TV and radio advertisements, no competitions, no posters ... no, neither can I.