I occasionally get human risk management (HRM) administrators asking me to help them with ideas of “contests” to better educate their end-users.
They have usually done the traditional recommendations, which means at least monthly-to-weekly security awareness training (SAT) and simulated phishing. They are working to educate their end-users about social engineering and phishing attacks as best as they can without being overly annoying.
This is a very good thing, as 70% to 90% of successful data breaches involve social engineering. Any SAT and simulated phishing you can do significantly reduces cybersecurity risk due to humans. SAT isn’t the only way to reduce HRM, but it is a significant part.
We have the data to prove it:
- Effective Security Awareness Training Really Does Reduce Breaches
- Data Confirms Value of Security Awareness Training and Simulated Phishing
We also think it’s a great idea to have annual HRM “summits” where the whole company is invited to learn about HRM, social engineering and phishing. These are usually opened by a speech from the CEO or some other C-level officer. They usually have food, drink, contests, fun and games.
Another great idea to reduce human risk is to create a “champion’s program.” This is where you enlist a group of selected, more cyber-aware co-workers to create a team of people who go around helping the rest of the company lower human risk. You can use them to spread particular messages and also to bring back feedback from end-users about needed topics and questions that need to be better answered. Some of the best teaching comes from people’s own co-workers who are working right beside them.
We have talked about champion programs before, including here:
- The Need for Security Champions as Part of Your Security Culture
- Purina’s Champions Program Is the Best I Have Seen
Most Common Type of HRM Contest
Many HRM programs use simulated phishing programs as a sort of contest, where users are sent simulated phishing messages and then they are “graded” on how many they do or don’t spot as a phishing email. The hope (and measurement) is that end-users spot the phishing attempt, don’t negatively interact with it (e.g., click on links, provide logon credentials, etc.), and report it to the appropriate place.
People and teams having high success rates “win” the contest and are rewarded in some way (e.g., public acknowledgement, certificates, pizza parties, small prizes and gifts, cash, etc.). This is a very traditional HRM “contest.”
Make a Phish Contest
Another more advanced contest example is a “Make a Phish Contest”. With this contest, people are asked to make up and submit simulated social engineering and phishing content. Select a trusted team to judge the contest and pick winners.
This is a great idea because it forces users to think about what makes a good social engineering attempt or phishing message. It brings out all the creative thinkers and the people who really know what makes a good phish and what makes users susceptible to its message.
For example, most phishing messages contain messages that give a false sense of urgency. Most contain look-alike URL links that really don’t point to the legitimate site. They may include real brand logos or ones that look similar but aren’t exactly legitimate. They can use language that says stuff like, “Scanned as SAFE by yada, yada antivirus service!” and things like that. Ask your end-users to create the best, most realistic messages they can.
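As an added illustration (not part of the original post, and not a KnowBe4 tool), here is a small judging aid that scores a submitted simulated phish against the traits listed above: false urgency, look-alike links whose visible text doesn’t match the real destination, and fake “scanned as safe” claims. The phrase lists, weights and the sample submission are all constructed assumptions for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed rubric for the contest judges; these phrase lists and weights are
# illustrative, not a standard. Extend them to fit your own judging criteria.
URGENCY_PHRASES = ("immediately", "within 24 hours", "account will be suspended",
                   "act now", "final notice")
FAKE_SAFETY_PHRASES = ("scanned as safe", "verified safe", "virus free")

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in the submission."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(s):
    """Hostname of a URL or bare domain string (empty string if none)."""
    s = s.strip()
    if "://" not in s:
        s = "http://" + s
    return urlparse(s).hostname or ""

def score_submission(html):
    """Return the rubric hits and a total score for one submitted simulated phish."""
    parser = _LinkCollector()
    parser.feed(html)
    text = re.sub(r"<[^>]+>", " ", html).lower()   # visible text only, lowercased
    # A look-alike link shows one domain in its text but points somewhere else.
    lookalike = [(href, shown) for href, shown in parser.links
                 if "." in shown and _host(shown) != _host(href)]
    hits = {
        "urgency": [p for p in URGENCY_PHRASES if p in text],
        "lookalike_links": lookalike,
        "fake_safety_claim": [p for p in FAKE_SAFETY_PHRASES if p in text],
    }
    score = 2 * len(hits["urgency"]) + 3 * len(lookalike) + len(hits["fake_safety_claim"])
    return {"hits": hits, "score": score}

# Constructed sample submission; example.com / .test are reserved example names.
SAMPLE = """<p>Your account will be suspended within 24 hours.</p>
<a href="http://example-login.test/verify">https://www.example.com/verify</a>
<p>Scanned as SAFE by yada, yada antivirus service!</p>"""
```

Judges can run `score_submission` over each entry to get a consistent first-pass ranking before the human review that actually decides the winners.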
The simulated phishes can be submitted however you like (e.g., via email, printed out, or to a common website where all participants can view them), whatever you feel comfortable with.
Potentially have several different competition categories: email phishes, fake SMS messages (i.e., smishing), fake voice calls (i.e., vishing), most humorous, most tricky, most realistic, etc.
Then celebrate the winners. Show their contributions. Share why their contributions rose to the cream of the crop. In the process, you’ll be “tricking” your users into learning and caring more about phishing and social engineering.
If you want to go advanced, advanced, add a category that accepts simulated deepfake attacks. That’s where you will likely get some pretty creative and scary attacks.
Note: Make sure to set the boundaries of what is and isn’t acceptable. For example, no one is allowed to actually send their creation as a real message to anyone unsuspecting, etc. Some contests allow the participants to use any publicly available information, while others forbid the use of anyone’s personal information, even if publicly available, etc. The idea is to make sure no one hurts anyone else’s feelings or does something that would undermine the spirit of the contest.
You want this contest to be fun, educational, and to set the creative juices flowing. Along the way, everyone will learn something that will end up reducing human risk.
One of the best ways to learn something is to teach it to others, and that’s what this advanced phishing contest does.
So, if you’re looking for a fresh, exciting way to update your HRM program, a new contest may be the way!