Academic journal article International Management Review

Enhancing Cybersecurity Awareness Training: A Comprehensive Phishing Exercise Approach

Article excerpt

Introduction

Malicious actors routinely breach cybersecurity by tricking a person into granting them unauthorized access to information, services and information technology infrastructure. By targeting people with social engineering techniques, malicious actors can bypass the sophisticated and expensive security technology that businesses deploy. The most widely used technique is sending fraudulent email that compels the recipient to take an action that compromises security. This technique is generally known as "phishing."

At 47 years old, email continues to play an essential role in online communications (Swatman, 2015). There were 3.7 billion email users in 2017, and that number is projected to grow to 4.1 billion by 2021 (The Radicati Group, Inc. [Radicati], 2017), despite the increased availability of other collaboration and communication options, including chat, messaging, conferencing and workflow-based messaging (e.g., Slack, Microsoft Teams, Google Hangouts). From a malicious actor's perspective, this user base is an attractive target: it is relatively inexpensive to attack, and the sender's true identity is easy to obscure. Although these newer services have replaced and improved workflows previously conducted over email, they have not replaced email as a means of reliable communication. To use many of these services, an email account is required as one's primary identity and as the means of communication with the service provider. Important notices about the service, billing statements, authentication verifications and other relevant information are still transmitted to users by email. Therefore, email will remain an authoritative means of business communication for many years to come (Radicati, 2017).

Email Remains Central to Our Digital Lives

Modern information technology (IT) applications and services are built to be accessed from anywhere and from nearly any platform (e.g., desktop, mobile, web), with a user's email address central to account administration, including management of the user's authentication credentials. To reach as many users as possible, application developers routinely support the major operating systems (Microsoft Windows, Apple macOS, Apple iOS, Google Android, Google Chrome OS and Linux) through both native applications and web browser applications. For example, one can access the Gmail email service or the Salesforce web application from nearly anywhere in the world and from almost any device.

In a world where services can be bought and sold online without face-to-face or voice communication, credentials for those services are initially provisioned and then managed through email. Signing up for an online service usually requires an email address as the primary username. If you forget your login or password for that service and need to reset it, email is usually the primary means of initiating the reset. Critical notifications about the service, changes to the service agreement and other contractually binding agreements regarding digital services are also commonly delivered, and agreed to, via email. Email remains a critical service that users (especially business users) regularly use and trust to conduct official business because:

* Most modern IT services exclusively rely on email to officially communicate with customers;

* Credential provisioning and management usually requires an email account as part of the process;

* Email is the most convenient method of aggregating communications with multiple services into a single identity;

* The barriers and overall cost of sending and receiving email are very low, if not zero; and

* An email address is perceived synonymously with a person's online identity.

The same features that make email essential to businesses are the reasons it is an attractive attack vector and target for malicious actors operating on the Internet. …
