Forget security training, it's never going to solve Layer 8 (aka people)
Human curiosity will always trump anti-phishing schemes
Research by German academics has shown there's very little that can be done to stop people spreading malware by clicking on dodgy links in messages, particularly where Facebook is involved.
In a presentation at Black Hat 2016 in Las Vegas today, Zinaida Benenson, who leads the Human Factors in Security and Privacy Group at the University of Erlangen-Nuremberg, detailed a phishing test run on recruited students. The results suggest that "Layer 8" (the human user, jokingly appended to the seven layers of the OSI model) is impossible to fix.
The subjects were sent either an email or a Facebook message from an unknown person, claiming to contain pictures from a New Year's Eve party and asking the recipient not to share the images. Of those who received the email, 25 per cent clicked the link; for the Facebook message the figure was 43.5 per cent.
To further complicate matters, the researchers found that people lied about their actions. While a quarter of the email recipients clicked the link, only 15.5 per cent admitted doing so, and only 18 per cent of the Facebook recipients reported clicking.
When questioned, the clickers overwhelmingly gave curiosity as their reason, and Benenson said there was very little that could be done about it. She described the hyper-vigilant security mindset that questions every email as "James Bond mode," and said it was both unrealistic and, ultimately, unhealthy to live like that.
Curiously, given that the sender was a stranger, 16 per cent of clickers reported that they knew the sender and so figured it was safe. Another 5 per cent said they were confident their browser would protect them from malware.
While instructing staff to go into James Bond mode is an option, Benenson said it would never work all the time, and cited numerous examples where she herself had clicked on message links without properly checking the source.
She also warned that training staff not to click on suspect links can cause more harm than good: such training means some legitimate emails go unanswered, IT staff have to deal with huge numbers of false positives, and staff trust in the company is destroyed.
"Digital signing of messages will help, but non-experts often misinterpret digital signatures," Benenson said.
"The most important thing companies can do is to stop sending legitimate emails that look phishy. Also, expect mistakes – people will make them and there is nothing we can do about it." ®