The awareness module on email and person-to-person messaging is gradually taking shape.
Today we've brainstormed the information risks associated with email and P2P messaging and arranged them on an Analog Risk Assessment graphic:
So far, the risks are scattered across the green and amber zones, with none in the red high-risk region. However, more than 20 risks have already been identified, so, taking them all into account, the cumulative risk is significant. Furthermore, many of them directly concern employees' insecure use of email/P2P systems: falling for scams, making typos (such as misaddressing a message) and inappropriately trusting the veracity of messages, for example. This is clearly an important topic for security awareness purposes.
We'll reconsider, adjust and refine the risks as the module develops, using the ARA graphic to illustrate some of the briefing papers and presentations.
By the way, phishing is but one of the 20+ information risks in this domain. Even if we group it with spear-phishing, whaling and other social engineering and coercive attacks using email, there are many others too. You might like to think about that if your idea of a security awareness program involves mock-phishing attacks but not much else. Mock-phishing tests can be valuable as PART of the approach, just as strength-testing seatbelts is PART of driving safety.