Post 2597228 by FlyingLawyer@infosec.exchange
Post #2561706 by jerry@infosec.exchange
2019-01-02T23:48:20Z
0 likes, 0 repeats
Idea: phishing simulation system is tied to the HR system, and too many failures results in automatic employment termination.
Post #2561764 by thegibson@hackers.town
2019-01-02T23:49:34Z
0 likes, 0 repeats
@jerry And have you ever found a place that puts real teeth behind phishing simulation policy?
Post #2561911 by jerry@infosec.exchange
2019-01-02T23:55:24Z
0 likes, 0 repeats
@TheGibson Not yet, but I am sure there are some that have.
Post #2567533 by jeff@infosec.exchange
2019-01-03T03:35:03Z
0 likes, 0 repeats
@jerry If a company puts that much stake in phishing simulations then there are other technologies that protect users from malicious emails.
Post #2597228 by FlyingLawyer@infosec.exchange
2019-01-03T14:20:33Z
0 likes, 0 repeats
@jerry It might be a little easier to implement if you flip it around: announce at the beginning of the year that the company is putting some of the "bonus" money for 2019 (say $XX,XXX) into a "phishing pool." Report = 2 points, don't click = 1 point, click = you go back to zero. At the end of the year every employee gets $XX,XXX*(their points/everybody's points).
Post #2597388 by jerry@infosec.exchange
2019-01-03T14:25:50Z
0 likes, 0 repeats
@FlyingLawyer The best way, I suspect, is leveraging loss aversion by “depositing” a bonus into an account (even if it’s just a placeholder) and then the employee loses money from the account for various infractions, as you describe above, over the year. Losing money hurts much more than gaining money feels good. I’ve been told my idea here is too draconian and would create endless labor problems.
Post #2601905 by brnrd@bsd.network
2019-01-03T16:51:41Z
0 likes, 1 repeats
@jerry That'll be the day 😝 I see way too many legit emails from my employer that bear all the hallmarks of phishing. Yet we expect everyone to distinguish between the two. This is seriously f****d up but calling it out hasn't changed a thing just yet :cry:
Post #2604641 by FlyingLawyer@infosec.exchange
2019-01-03T18:12:30Z
0 likes, 0 repeats
@jerry I like that hybrid.
Post #2627072 by nbering@infosec.exchange
2019-01-04T08:39:04Z
0 likes, 0 repeats
@jerry @FlyingLawyer That’s not that terrible of an idea. Research shows that even fake money tied to decision making makes people focus more and take risk decisions more seriously.
Post #2630457 by jerry@infosec.exchange
2019-01-04T11:18:48Z
0 likes, 0 repeats
@nbering @FlyingLawyer I agree. I was playing a game of brinksmanship, though. I think it says a lot about people’s intuition regarding how effective people can be at identifying and resisting social engineering style attacks and phishing.