While conducting research on phishing, Norman Sadeh and his colleagues at Carnegie Mellon University noticed something surprising. A significant percentage of their volunteers, tech-savvy university people, fell for their test attacks.
"These people are very smart, they know what a phishing email is. The fact is they don't apply that knowledge in context," explained Sadeh, professor of computer science.
The researchers, including fellow CMU faculty members Lorrie Cranor and Jason Hong, knew that traditional security measures weren't enough and that training end-users was critical. Yet, when it came to cyber security, industry seemed to have given up on the idea of being able to successfully train people. Some experts would compare it to trying to nail Jell-O to a wall: it just would not stick.
"The first step is to get people to pay attention to your training," said Sadeh of their solution. "We've found that the most effective way is to send them fake phishing emails — right in their inbox."