<aside> ✅ Use this framework to help standardize the processes for employees who progress beyond the highest level of your remedial accountability schedule.
</aside>
These guidelines help you evaluate how employees behave and respond to phishing attacks, identifying both their susceptibility to threats of varying sophistication and their commitment to improving their cybersecurity awareness through continuous learning.
Note: Classification types are based on MITRE Insider Threat Research: https://insiderthreat.mitre.org/insider-types/
Evaluation
Employee is likely to cause infrequent harm, falling victim to targeted attacks that rely on sophisticated insider knowledge.
Observation
Employee demonstrates a humble attitude towards continuous learning and understands the importance of improving their awareness and handling of phishing and data exposure risks.
Suggested Disciplinary Approach
Evaluation
Employee is likely to cause occasional harm by falling victim to attacks that range in how difficult they are to identify.
Observation
Employee demonstrates a humble attitude towards continuous learning and understands the importance of improving their awareness and handling of phishing and data exposure risks.
Suggested Disciplinary Approach
Evaluation
Employee is likely to cause frequent harm by falling victim to attacks that range in how difficult they are to identify.
Observation
Employee shows a conflicted attitude toward, or little desire for, improving their phishing and data exposure awareness.
Suggested Disciplinary Approach
Evaluation
Employee purposely causes frequent harm by falling victim to attacks that range in how difficult they are to identify.
Observation
Employee exhibits a defiant and intentional disregard for cybersecurity monitoring, governance, and security awareness expectations, actively challenging the necessity of these measures.
Employee indicates that they have no intention of improving their understanding of secure behavior or their security literacy.
Suggested Disciplinary Approach
These guidelines are designed to assess the probability that an employee might fall victim to phishing attacks, thereby potentially leading to data exposure and related security risks.
Annual Phishing Test Data
Success Rate: 90%
Fail Rate: 10%
Employees in this category are generally proficient at recognizing phishing attempts but may occasionally fall victim to sophisticated attacks.
Attack Difficulty
Employee mostly fails tests considered highly sophisticated and targeted, built on insider knowledge.
Observation
Employee verbally expresses a strong commitment to continuous learning and frequently asks questions to improve their awareness capability. They exhibit a positive and proactive demeanor towards security training.
Annual Phishing Test Data
Success Rate: 75%
Fail Rate: 25%
Employees in this category make occasional mistakes but are largely capable of identifying phishing attempts. Their success rate shows they are effective in most cases but may miss some less obvious attacks.
Attack Difficulty
Employee fails tests of varying difficulty, ranging from moderately sophisticated to highly targeted attacks with insider knowledge.
Observation
Employee verbally acknowledges the importance of continuous learning and shows a willingness to improve their awareness capability. They have a generally positive demeanor towards security training.
Annual Phishing Test Data
Success Rate: 50%
Fail Rate: 50%
Employees in this category have a mixed record in recognizing phishing attempts. Their success rate reflects their inconsistency and lack of commitment to improving their security awareness.
Attack Difficulty
Employee fails tests ranging in difficulty from simple to sophisticated.
Observation
Employee verbally expresses indifference or skepticism about the need for continuous learning and shows little interest in improving their awareness capability. Their demeanor may be dismissive or resistant to security training efforts.
Annual Phishing Test Data
Success Rate: Lower than 50%
Fail Rate: Higher than 50%
Employees in this category intentionally disregard security measures and challenge the need for them. Their low success rate reflects their lack of effort or desire to identify phishing attempts.
Attack Difficulty
Employee fails tests of any difficulty, both simple and complex.
Observation
Employee verbally challenges the necessity of security measures and openly resists efforts to improve their awareness capability. Their demeanor is defiant and confrontational, showing no commitment to continuous learning.
This section provides practical tips to help ensure the successful implementation of this framework by improving employee attitudes towards security awareness and risk management.