Author Archives: enicaise

Free webinars on CyberSecurity for Small & Medium Businesses

Two years ago, the Belgian Centre for CyberSecurity created a set of webinars for Small & Medium Businesses. The goal was to give Belgian entrepreneurs the basic knowledge required to protect their business.

After a few difficulties, some delays and a new federal government still being formed, the webinars were officially published a few days ago.

You can find them in French here: https://ccb.belgium.be/fr/publication/webinaires-pour-les-organisations or in Dutch here: https://ccb.belgium.be/nl/publication/webinars-over-cyberveiligheid

[Embedded video: one of the webinars in French]
[Embedded video: one of the webinars in Dutch]

Some of the cyber-threat scenarios have not been published yet, but we will probably offer them in another format soon. Keep in touch!

Phishing exercises: Do we measure them right?

I do not think it is still necessary to explain that phishing is a major threat for businesses and individuals. By now, most companies run one kind of phishing training or another. But does it work?

Phishing exercises are, so far, the best way to measure how susceptible people are to falling for a phishing email. So, if we want to know whether our training works, we launch a phishing exercise before the training and another one after. If our phishing education was effective, we should see a downward trend. Right? If we run an exercise every quarter, we should obtain something like this:

[Image: PhishingResults1-1.png]

Looks good, doesn't it? Except we do not know why the numbers bump up in Q3. Maybe it is due to the summer holidays. Who knows?

Well, maybe it is due to the scenario you used. Had we run the same scenarios in a different order, we might have obtained something more like this:

[Image: PhishingResults2.png]

Less impressive, isn't it? And we would have some difficulty explaining the sharp increase in Q2. What could be wrong? Our measurement is wrong.

Siadati et al. published an excellent article in 2017 highlighting this very issue. Since the variance between scenarios can be as high as 40% (our own research showed it can reach 60%), we cannot rely on inter-scenario measurements to assess the effectiveness of our training. Put differently: the difference in the percentage of people clicking a phishing link between two scenarios sent to the same people at the same time can be as high as 60 percentage points, which dwarfs any quarter-to-quarter change a training programme can realistically produce.

Instead, they suggested a system using multiple scenarios in parallel. The same scenarios are reused every period, each time with a different, randomly assigned group of the population. In our example, this gives:

[Image: PhishingResults3.png]

As you can see, the same four scenarios are now sent every quarter, each to one of four groups of people in our population. Notice the 42-point gap between scenario 2 and scenario 4 in Q1. The blue and yellow cells highlight the numbers used in the two previous examples: same scenarios, same people, and a totally different, more accurate, measurement of our progress, because every quarter now contains the same mix of scenarios and the scenario effect cancels out.

This protocol requires a yearly plan (which we should have anyway) and a population large enough to have at least 30 people in each group. Thirty per group is a rule of thumb for statistical significance, not a guarantee: whether a given quarter-to-quarter drop is significant depends on the effect size and the group sizes, so test the difference rather than assume it.
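As an added illustration (this is not the author's data or tooling), here is a small Python model of the protocol. The click counts are constructed: four scenarios, four randomized groups of 120 people, one scenario per group each quarter, with a built-in slow decrease in susceptibility. Reading one cell per quarter reproduces what a single-scenario-per-quarter programme would have measured with that scenario order, while pooling all cells per quarter gives the scenario-balanced metric. The block also builds the Latin-square rotation for the yearly plan, randomizes the population into groups, and runs a pooled two-proportion z-test on the Q1 to Q4 change, since the 30-per-group rule is only a rule of thumb. All names and numbers are assumptions for the example.

```python
"""Scenario-balanced phishing metrics: constructed illustration of the
multi-scenario protocol (added example, not the author's data or tooling)."""
import math
import random

SCENARIOS = ["S1", "S2", "S3", "S4"]
QUARTERS = ["Q1", "Q2", "Q3", "Q4"]

# Constructed click counts per (quarter, scenario) cell as (clicked, sent).
# Each quarter every scenario goes to one randomized group of 120 people.
# S2 is a strong lure and S4 a weak one, so the Q1 gap between them is
# about 42 points; susceptibility drops slowly across the year.
CELLS = {
    ("Q1", "S1"): (36, 120), ("Q1", "S2"): (60, 120),
    ("Q1", "S3"): (24, 120), ("Q1", "S4"): (10, 120),
    ("Q2", "S1"): (31, 120), ("Q2", "S2"): (53, 120),
    ("Q2", "S3"): (20, 120), ("Q2", "S4"): (8, 120),
    ("Q3", "S1"): (26, 120), ("Q3", "S2"): (46, 120),
    ("Q3", "S3"): (17, 120), ("Q3", "S4"): (6, 120),
    ("Q4", "S1"): (22, 120), ("Q4", "S2"): (40, 120),
    ("Q4", "S3"): (14, 120), ("Q4", "S4"): (5, 120),
}


def rate(clicked, sent):
    return clicked / sent


def naive_trend(order):
    """Click rate per quarter for a programme that sends one scenario per
    quarter; reading one cell per quarter from CELLS reproduces what such a
    programme would have measured with that scenario order."""
    return [rate(*CELLS[(q, s)]) for q, s in zip(QUARTERS, order)]


def quarter_totals(quarter):
    clicked = sum(CELLS[(quarter, s)][0] for s in SCENARIOS)
    sent = sum(CELLS[(quarter, s)][1] for s in SCENARIOS)
    return clicked, sent


def balanced_trend():
    """Pool every scenario each quarter. Because each quarter contains the
    same scenario mix sent to equal-sized randomized groups, the scenario
    effect cancels and only the change in susceptibility remains."""
    return [rate(*quarter_totals(q)) for q in QUARTERS]


def scenario_spread(quarter):
    """Largest click-rate difference between two scenarios sent to
    comparable groups in the same quarter (the inter-scenario variance)."""
    rates = [rate(*CELLS[(quarter, s)]) for s in SCENARIOS]
    return max(rates) - min(rates)


def assign_groups(people, n_groups, seed):
    """Randomize the population into n_groups groups of near-equal size."""
    rng = random.Random(seed)
    shuffled = list(people)
    rng.shuffle(shuffled)
    return [shuffled[i::n_groups] for i in range(n_groups)]


def rotation_plan(groups, scenarios, quarters):
    """Latin-square yearly plan: every quarter uses every scenario, and every
    group receives every scenario exactly once over the year."""
    n = len(scenarios)
    if not (len(groups) == len(quarters) == n):
        raise ValueError("need as many groups and quarters as scenarios")
    return {q: {groups[g]: scenarios[(g + i) % n] for g in range(n)}
            for i, q in enumerate(quarters)}


def two_proportion_z(c1, n1, c2, n2):
    """Pooled two-proportion z statistic; |z| > 1.96 is significant at 5%."""
    pooled = (c1 + c2) / (n1 + n2)
    se = math.sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
    return (c1 / n1 - c2 / n2) / se


def progress_is_significant(first="Q1", last="Q4", threshold=1.96):
    """True when the pooled click rate dropped significantly between two quarters."""
    return two_proportion_z(*quarter_totals(first), *quarter_totals(last)) > threshold


if __name__ == "__main__":
    pct = lambda xs: [f"{100 * x:.1f}%" for x in xs]
    print("one scenario per quarter, order S2,S1,S3,S4:", pct(naive_trend(["S2", "S1", "S3", "S4"])))
    print("one scenario per quarter, order S4,S2,S3,S1:", pct(naive_trend(["S4", "S2", "S3", "S1"])))
    print("all scenarios every quarter (balanced):     ", pct(balanced_trend()))
    print("Q1 spread between scenarios:", f"{100 * scenario_spread('Q1'):.0f} points")
    groups = assign_groups(range(480), 4, seed=1)
    print("group sizes:", [len(g) for g in groups], "(need >= 30 each)")
    print("Q1 -> Q4 improvement significant at 5%?", progress_is_significant())
```

With these constructed numbers, the order S2, S1, S3, S4 shows a flattering drop from 50% to 4%, the order S4, S2, S3, S1 shows an "increase" from 8% to 44% in Q2, and the balanced series moves from 27% to 17%, the only trend that reflects the population rather than the lure. Pooling is scenario-balanced only when the groups have the same size; with unequal groups, average the per-scenario rates instead.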

There are, unfortunately, other pitfalls in these metrics that we have to take into account, but that will be the subject of another post (and of a short document we will publish very soon).

Reference:
Siadati, H., Palka, S., Siegel, A., & McCoy, D. (2017). Measuring the effectiveness of embedded phishing exercises. 10th USENIX Workshop on Cyber Security Experimentation and Test (CSET '17). https://www.usenix.org/conference/cset17/workshop-program/presentation/siadatii

A search engine for our children

When it comes to letting our children discover the wonders the Internet has to offer, and only the wonders, there is Google's search filter, which limits results to morally acceptable sites. But you may not want to let Google monitor your children's activity, and you may prefer to restrict the machine to a search engine dedicated to our little ones. Qwant has granted that wish.

If you do not know Qwant, it is a French search engine created in 2013. Thanks to a 25 million euro investment from the European Investment Bank at the end of 2015, the engine is now gaining stature and opening up to Europe.

In 2014, Qwant launched Qwant Junior (https://www.qwantjunior.com/), a search engine intended for children and teenagers, offering them targeted content in terms of sites, information, images and news. Qwant Junior can be set as the default search engine in the address bar of your favourite browser, which prevents our children from accidentally landing on an inappropriate search result via Google or Bing. Note that a default search engine only guards against accidental exposure: it does not stop a child from typing another engine's address directly, which is where the filtering tips mentioned below come in.

Since Qwant and Qwant Junior are French products, they are subject to European privacy legislation, and they even boast of being « The search engine that respects your privacy ».

With the launch of our Linux distribution project for Raspberry Pi aimed at children and schools (Kidnux, coming soon at https://www.kidnux.org), we will very soon publish new links to educational sites and new tips for securing, easily and for free, the computers your children use, including how to prevent browsing to disreputable sites.

See you very soon.