NIST, Ransomware, and the Phish Scale

We’re fast approaching the home stretch of 2020 and bad actors have shown no signs of slowing down their attacks. Of course, we wouldn’t expect them to. Phishing attacks are still the most common means of initiating an attack, and phishing is more effective when your targets are distracted, scared, or trying to adapt to a new way of working.

MSP Overwatch™ is of course devoted to lowering the number of successful attacks, both against enterprises and the IT providers who serve them. Our board worked very closely with the National Institute of Standards and Technology (NIST) framework to develop our software platform and certification program, and now NIST is helping to further our shared cause with the release of the Phish Scale.

Created by NIST researchers using real data, this scale allows IT security professionals to better understand phishing click rates, and ultimately improve training so their users are better prepared against actual phishing.

This system is more complex than the current standard in use by most phishing training programs: monitoring click-through rates (CTRs). While CTRs shed light on how many people clicked the test email, these numbers only tell part of the story.

The researchers behind the Phish Scale wanted to provide more information than just how many people clicked on a suspicious link — important details like why they clicked would also be good to know.

Toward that end, the Phish Scale uses a complex system of ratings and tailored content to provide more answers. Test emails are specifically designed for the target audience and carry various levels and types of promised value. Each exercise is ranked as low, medium or high difficulty based on how compelling and how cleverly disguised the phishing email is.

The obvious benefit here is that IT security professionals can make sure their phishing training is actually simulating challenging emails. If you’re only testing using obvious fakes, the value of the training is severely limited. After all, hackers are only getting better at deception.
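The following is an added example, not code from the original post and not NIST's own implementation of the Phish Scale. It shows, in Python, how a phishing-simulation report can combine the two things the post describes in words (how cleverly disguised a test email is, counted here as visible warning cues, and how compelling it is, scored here as how well the premise fits the audience) into a low/medium/high difficulty tier, and then report click-through rates per tier instead of one overall number. The cue thresholds, the combination table, the `TestEmail` and `rate_difficulty` names, and the sample campaign data are all this example's own constructed assumptions.

```python
"""Difficulty-aware phishing-simulation reporting (added example).

Each test email gets a low/medium/high difficulty rating from two inputs:
the number of visible warning cues (fewer cues = harder to spot) and how
well the premise aligns with the audience's day-to-day work (better
alignment = more compelling). Click-through rates are then reported per
tier, so an overall CTR can no longer hide that users mostly failed on
the hardest emails. Thresholds, table and data are constructed for
illustration, not NIST's published rubric.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class TestEmail:
    name: str
    cue_count: int          # visible warning signs: odd sender, typos, mismatched link text...
    premise_alignment: str  # "low" | "medium" | "high": how well the pretext fits the audience


def rate_difficulty(cue_count: int, premise_alignment: str) -> str:
    """Map cue count + premise alignment to a "low"/"medium"/"high" difficulty.

    Assumption: the cue bands and the combination table are this example's
    own simplification of the idea described in the post.
    """
    if premise_alignment not in ("low", "medium", "high"):
        raise ValueError(f"unknown premise alignment: {premise_alignment!r}")
    if cue_count < 0:
        raise ValueError("cue count cannot be negative")
    # Few cues => well disguised; many cues => easy to spot.
    if cue_count <= 3:
        cue_band = "few"
    elif cue_count <= 8:
        cue_band = "some"
    else:
        cue_band = "many"
    table = {
        ("few", "high"): "high",   ("some", "high"): "high",   ("many", "high"): "medium",
        ("few", "medium"): "high", ("some", "medium"): "medium", ("many", "medium"): "low",
        ("few", "low"): "medium",  ("some", "low"): "low",     ("many", "low"): "low",
    }
    return table[(cue_band, premise_alignment)]


def ctr_by_difficulty(emails, results):
    """Aggregate click results per difficulty tier.

    emails:  iterable of TestEmail
    results: list of (email_name, clicked: bool), one entry per recipient
    Returns {tier: (clicks, sent, ctr)} including an "overall" entry.
    """
    difficulty = {e.name: rate_difficulty(e.cue_count, e.premise_alignment) for e in emails}
    clicks = defaultdict(int)
    sent = defaultdict(int)
    for name, clicked in results:
        tier = difficulty[name]  # KeyError if a result refers to an unknown test email
        sent[tier] += 1
        sent["overall"] += 1
        if clicked:
            clicks[tier] += 1
            clicks["overall"] += 1
    return {tier: (clicks[tier], sent[tier], round(clicks[tier] / sent[tier], 3)) for tier in sent}


# Constructed sample campaign: three test emails, ten recipients each.
SAMPLE_EMAILS = [
    TestEmail("fake-lottery", cue_count=12, premise_alignment="low"),       # obvious fake
    TestEmail("it-password-reset", cue_count=5, premise_alignment="medium"),
    TestEmail("ceo-invoice", cue_count=2, premise_alignment="high"),        # well disguised
]
SAMPLE_RESULTS = (
    [("fake-lottery", i < 0) for i in range(10)]        # 0 of 10 clicked
    + [("it-password-reset", i < 2) for i in range(10)]  # 2 of 10 clicked
    + [("ceo-invoice", i < 6) for i in range(10)]        # 6 of 10 clicked
)

if __name__ == "__main__":
    report = ctr_by_difficulty(SAMPLE_EMAILS, SAMPLE_RESULTS)
    for tier in ("low", "medium", "high", "overall"):
        c, s, r = report[tier]
        print(f"{tier:8s} {c:2d}/{s:2d} clicked  CTR={r:.1%}")
```

Run on the constructed data, the overall CTR is about 27%, which looks moderate; the per-tier breakdown shows 0% on the obvious fake and 60% on the well-disguised invoice lure, which is the information a training programme actually needs.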

The team behind this tool plans to expand their dataset with the help of other organizations, including those in the private sector. Field testing of the Phish Scale is imperative to ensure that it performs well in different scenarios. As with anything related to cybersecurity, we imagine that Phish Scale will need to adapt regularly to changing threats and new tactics.

It’s certainly exciting to see more effort being made to understand, identify, and mitigate ransomware attacks. Cyberdefense is a team sport, and the more great players we can put on the field, the harder it will be for bad actors to score.

More information about the technical foundations of the Phish Scale can be found in this research article in the Journal of Cybersecurity. 
