In an effort to help organizations better train their employees to be aware of and avoid certain types of cyberattacks, the National Institute of Standards and Technology (NIST) has announced the development of a new method it is referring to as the Phish Scale.
As its name would suggest, the Phish Scale focuses on phishing attacks, a common form of cybercrime in which hackers send emails that appear to come from someone on the user’s contact list and tempt the recipient to click a link. That link leads to a website that can deliver malware into the organization’s computer network.
According to estimates in Cybersecurity Ventures’ 2020 Official Annual Cybercrime Report, the fallout from global cybercrime will cost organizations $6 trillion annually by 2021, double the $3 trillion cost in 2015.
Though phishing training programs are not uncommon in organizations, the Phish Scale differs in that it uses a rating system to assess the email content itself, giving Chief Information Security Officers (CISOs) a clearer picture than the number of times an email was or wasn’t clicked.
“The Phish Scale is intended to help provide a deeper understanding of whether a particular phishing email is harder or easier for a particular target audience to detect,” said NIST researcher Michelle Steves. “The tool can help explain why click rates are high or low.”
A five-point scale is used to rate various elements of the phishing attempt, and an overall score is calculated from those ratings. A phishing trainer then uses the score to rank the exercise as low, medium or high difficulty. This gives CISOs more data to work with than click rates alone, which can have several causes and can give a false sense of security when analyzed without an understanding of how difficult the phishing attempt was.
Following years of research in an “operational” setting, the Phish Scale appears ready to provide immediate feedback to CISOs and organizations wishing to curtail what has become one of the most common forms of cybercrime in recent years.
“As soon as you put people into a laboratory setting, they know,” said Steves in a comment on how the Phish Scale was developed. “They’re outside of their regular context, their regular work setting, and their regular work responsibilities [and] that is artificial already.”
Since all of the data used in the Phish Scale study has come from NIST itself, the next steps for the project are to expand it and collect data from other organizations (including private enterprises), and to ensure it can adapt over time to keep up with the fast-changing landscape of cybercrime.