To date, the only proactive, user-focused solution against spear phishing has been cyber security awareness training. However, multiple lines of evidence—from continuing news stories of bigger and bolder breaches to objective academic assessments of training effects—point to its limited effectiveness.
Yet organizations continue to spend millions of dollars and countless man-hours on it. The problem is our current approach of providing the same form of training to everyone: it is akin to prescribing the same medicine to every patient, sometimes repeatedly, without so much as diagnosing him or her. Small wonder, then, that spear phishing continues to wreak havoc. At the core of the problem is our inability to diagnose what ails the patient: Who is at risk from spear phishing? Why are they at risk? And how much of a risk are they?
This presentation will provide a mechanism for answering these questions using the Cyber Risk Index (CRI)—an empirically derived quantitative metric that helps identify the likely victims of different spear phishing attacks, the reasons for their victimization, and the remedial measures that would best protect them. CRI scores range from 0–100 and can be derived using the existing training and simulated spear phishing/pen-testing methods that most organizations already use. Using a case study of an actual spear phishing pen-test conducted in a large, US-based financial firm, the presentation will detail how CRI scores are derived and used. The talk will detail how the CRI helped assess the value of training and identify why training worked for some employees but not for most others. It will also discuss how the CRI helped identify the weak links in the organization, design individualized training and protections, track improvements—and, over time, improve individual readiness and enhance the organization's cyber resilience.