Running an Effective Phishing Simulation Program: Part 1, The Basics

Phishing simulation programs, when well designed, can be an effective way to help educate employees about the importance of information security and phishing attacks. However, they also run the risk of alienating employees who feel as though the security team is out to get them or that their employer is putting them through constant tests for no reason at all. How a program is rolled out, run, and communicated can make a huge difference in employee experience and program effectiveness.

For most employees, the phishing program is the most frequent (or only) contact they'll have with the security team, and it can heavily impact their opinion of the security team (and how willing they'll be to work with the team in other cases - like assisting with security incident investigations). That also provides an opportunity to pro-actively create a positive relationship with employees who otherwise wouldn't have a positive opinion of the security team.

Start with the basics:

1. If you're starting a completely new program, first figure out how you want to send phishing emails. You can set up your own servers with Go Phish (open source), or opt for a vendor solution such as Cofense (formerly PhishMe) or Proofpoint. Vendors can make the process significantly easier with a range of services - from offering pre-created templates for you to customize to a fully managed service where you simply supply a list of employees and approve campaigns before they're sent. The choice depends largely on your budget and team's capacity.
2. If you don't already have one, develop and communicate a process for employees to report suspicious emails. Many third-party providers will offer an add-in or browser extension which will make this process easier, but it can be as simple as asking employees to send emails as attachments to an inbox that you've set up specifically for this purpose.
3. Then, ensure you have a process in place for responding to those emails. Within a reasonable timeframe (perhaps 24 or 48 hours), someone should review the email and follow up with the employee. Ideally you'll have a form response which can communicate the finding (whether the email was malicious, spam, legitimate, or part of a phishing simulation), any next steps, a thank you for reporting the email, and your team's contact information (ideally this is something easy to remember like phishing@yourcompany'sdomain.com). This feedback is an incredibly important part of any phishing program - it helps reinforce that everyone's effort is needed to protect the  company from security threats and it helps employees learn from the emails they submit. There are tools that can make this process easier (or even fully managed services that will handle the review and response process for all emails), many from the same vendors as the phishing simulation tools above.
4. Leverage reported emails to develop a sense of what types of phishing emails your employees are receiving. This information can do most of the work of creating scenarios for you, as scenarios should closely match the type and sophistication of phishing emails employees are actually receiving. Typically it makes sense to start with easier phishing emails and gradually increase the difficulty as employees become more accustomed to the process.
5. Develop goals for your program - with what frequency do you plan to phish your employees? What results would you like to see? This depends heavily on the capacity your team has to develop and send scenarios (and whether or not you're outsourcing the development of scenarios to a vendor). Typically quarterly or monthly scenarios are best, as increased frequency tends to improve employee awareness to phishing emails.
6. Ensure you have a way for employees to access mandatory or recommended education on how to avoid phishing emails. Giving employees access to education is key - both so they have the tools to successfully identify phishing emails and so they feel confident in their ability to spot phishing emails (and don't feel as though the simulations you'll be sending are an impossible trick). This training can be as simple as blog posts your team puts together (for example posting a phish an employee received with the 'clues' that this email was a phish - a spoofed sender, poor grammar, appeal to emotion or urgency, etc.) or videos/training created by a vendor. The important thing is clearly communicated access to training for all employees. The more closely this training is tied to the real world consequences of phishing emails, the better. Folks in your organization are far less likely to find the phishing emails to be an evil trick if they understand the real-life dangers phishing poses to your company.
7. Work with your HR team to develop and send out a communication warning employees about simulation phishing emails which will be sent to employees. It's particularly important to highlight the real world dangers that phishing emails present, how employees can report phishing emails, and where they can access education to learn more about identifying these emails. Ideally this should also be integrated into onboarding information for new hires.
8. Start sending phishing emails! Start out with relatively easy scenarios, gradually increasing the difficulty as appropriate. Try varying the day and time you typically send simulation emails.
9. Provide feedback - both immediately (upon clicking a link in the phishing email or opening an attachment, the employee should get feedback on the signs that they've missed (spoofed sender, poor grammar, appeal to emotion or urgency, etc.) and a few days later (for example, an email which recaps the same  information). You want your feedback to come at a time when employees still remember the scenario you've sent so they can learn from each scenario. Ideally this feedback will tie in the the real world consequences of phishing (through statistics about phishing or real numbers of phishing emails your organization receives) and if possible, the real phishing email your campaign is based upon. The more closely the email ties into real life threats, the easier it is for employees to see the tangible links between the simulations and their role in protecting the organization from threats.
10. Track the results. Figure out what is important to your stakeholders (i.e. what story you want to tell them), and which metrics support that story. I suggest starting with susceptibility rate (what percentage of your employee population has fallen for the phishing email?) and reporting rate (what percentage of your employee population has reported the email?). Personally, I place a higher emphasis on reporting rate, as I'm more concerned with employees reporting any suspicious emails they receive, than with them falling victim to one or two. Everyone has a perfect phish, and expecting a 0% susceptibility rate is unrealistic. More realistic is to expect that some percentage of the employee population will always fall for a phishing email, but that a high percentage of them will report it - enabling your team to take appropriate action to prevent it from impacting your network.

At this point, your program should be in a solid place with repeatable processes, metrics for stakeholders, and engagement with employees. Improving the program often comes with attending security awareness conferences held by the ISACs, security vendors, and other organizations, as well as reading and writing blogs, and participating in online communities and trust groups in order to develop new ideas and network with other security professionals.