For this week’s installment of our blog series, we sat down with two NIST experts from the Visualization and Usability Group, Shanée Dawkins and Jody Jacobs, who discussed the importance of recognizing and reporting phishing. This post wraps up our Cybersecurity Awareness Month 2023 blog series, but we of course plan to continue to share, collaborate, learn, and spread the word all year long.
1. This week’s Cybersecurity Awareness Month theme is ‘recognize and report phishing.’ How does your work/specialty area at NIST tie into this behavior?
We work in the Information Technology Lab, but our research focuses on users of technology. Our group’s purpose is to champion the human in information technology, and we also apply that to our phishing efforts. While other research programs focus on the technology needed to filter out phishing emails, we focus on people as the last line of defense if a phishing email slips through the filters (and their ability or inability to recognize the phish). We research the circumstances that make people more or less susceptible to clicking on a phishing email – whether that be the characteristics of the email itself or the context of the user receiving the email.
Ultimately, our goal is to equip organizations with the metrics they need to effectively train their employees to recognize and report phishing emails. Many organizations use embedded phishing awareness training programs to assess their phishing-related security risks. In these programs, organizations send simulated phishing emails to their employees to gauge the rate at which employees click or report the phish. However, our findings show that click rates – whether people click or don’t click on links and attachments – do not provide a complete picture for understanding staff behaviors. We created a metric, the NIST Phish Scale, to provide user context into clicking behaviors. The Phish Scale results in a human phishing detection difficulty metric that allows organizations to better tailor their phishing awareness training programs towards staff recognizing and reporting phishing more effectively.
2. How does recognizing and reporting phishing help people and/or businesses when it comes to cybersecurity? Why is it so important?
Phishing threats affect organizations of all sizes and sectors. Here are some stats – according to a recent survey by Proofpoint (source below), 34% of users did something in 2022 that put themselves or their organization at risk, such as clicking on a malicious link. In the fourth quarter of 2022, the Anti-Phishing Working Group (APWG) observed 1,350,037 total phishing attacks (source below). This was up slightly from the third quarter, when APWG recorded 1,270,883 total phishing attacks, which was a new record at the time and the worst quarter for phishing that APWG has ever observed. Business Email Compromise (BEC) still accounts for 75% of attacks and accounts for $2.7 billion in losses, according to the FBI (source below).
Phishing emails are designed to deceive users and extract personal or work-related sensitive information from the email’s recipient (e.g., bank account information or usernames and passwords). Organizations use phishing training exercises to help employees defend against these types of phishing threats in a safe and controlled environment. The expectation is that employees will be better able to recognize and report phishing messages in the wild, reducing potential compromise of security and privacy for both the individual and their organization.
3. What is NIST currently doing in this area (or planning for the future)?
Our Human-Centered Cybersecurity Team continues to research human phishing susceptibility and the NIST Phish Scale. We are conducting studies into the characteristics of the emails that compel someone to click or report a phishing email, in addition to the personal characteristics of an email’s recipient that impact click and non-click decisions. Our goals are to have a better understanding of how humans assess and act on phishing emails, and to equip organizations with the tools they need to fight phishing based on this understanding.
To learn more about our research, you can check out our publications on the CSRC website, and view our recent presentations at the Federal Information Security Educators (FISSEA) 2023 Summer Forum and the RSA 2023 conference.
4. Why is cybersecurity important to you personally?
More than cybersecurity, it’s people who are important to us personally – it is imperative that we take measures to protect them and equip them with the cybersecurity knowledge, skills, and tools to protect themselves. We both have children who use technology more and more in school and socially. We also have aging relatives who are becoming increasingly vulnerable in the digital world (e.g., phishing, IoT, and privacy risks). We try to instill in them that while the internet is an amazing resource for socializing and research, it’s critically important to practice good cyber hygiene. Children need to make sure they don’t share their usernames and passwords for their various school accounts. Aging adults need guidance on which emails are legitimate and which emails require more scrutiny. We’ve had relatives almost fall for phishing attempts like emails requesting gift cards or asking for bank account information. Ultimately, the work we do is motivated by our desire for people to be protected from cybersecurity threats. For phishing threats, people can be a target via our work email, personal email, text messages, even phone calls. We want to help people recognize phishing threats so that they remain vigilant with their technologies.
5. What is your favorite thing (or best memory) about working at NIST?
Jody: My best memory of working at NIST was watching the Montgomery County Independence Day fireworks by the NIST main gate many years ago. Before the fireworks were moved to Bohrer Park, the Montgomery County Independence Day fireworks were launched from the Montgomery County Fairgrounds. My husband and I would go on to campus at dusk, get eaten alive by mosquitos, and gather with about 50 or so other NISTers to watch the fireworks. I wish the fireworks were still launched from the fairgrounds.
Shanée: I love working with the people at NIST! We all come from different backgrounds and have different experiences, but we all come together to help people and we love the work we do.