Phishing simulations: let’s talk ethics

Laura Bishop
5 min read · Oct 13, 2022


Cybercriminals have been utilising phishing emails to lure their victims into revealing sensitive information or deploying malicious software for over 30 years. Interventions to help mitigate these attacks have grown in number, and phishing simulations (the use of deceptive emails to educate and inform on phishing risk) have become a particularly popular mode of control. However, sending an email that mimics true phishing does amount to deception, and employees are often left with feelings of anger and resentment post simulation [1], [2].

At the same time, the need for phishing simulations is clear. They provide in-the-wild education and intelligence that employees can experience in their natural environment, without the research concerns around priming; this is very difficult to replicate without some form of deception being applied. So, the important question is this: how do organisations and service providers deploy phishing simulations centred around ethical principles, helping protect employees and alleviating some of the negative perceptions in relation to them?

What do we mean by ethics?

To be ethical requires avoiding activities that are not morally good or correct and can cause harm to people such as psychological distress. The Belmont Report, created to protect human subjects in research, presents 3 ethical principles:

1. Always respect human autonomy and their capacity for self-determination

2. Always secure the wellbeing of participants ensuring benefits outweigh costs

3. Always ensure justice, with both associated risks and benefits fairly spread

Phishing simulations are not only an activity that should consider ethical principles, but a form of research that MUST apply them. Ethical principles drive the ideal behaviour, the way a good and reasonable human should act, the way things ‘ought to be’ [3]. Too often cybersecurity interventions are focused on protecting the organisation, with less attention applied to protecting the people within it.

How do we centre phishing simulations around ethics?

Whilst experts in the field of ethics may have a more comprehensive list of how to deploy ethical simulations, psychological research on this topic is relatively thin. That is no reason for ethics not to be considered or for best practice not to be discussed. So, first let’s consider the 3 ethical principles laid out by the Belmont Report and how they might relate to phishing simulations as an intervention.

1. Employee autonomy — Employees have the right not to take part in research, and not to be actively deceived. However, people do not mind deception and restrictions to autonomy if they understand its purpose. Communicate openly with employees about the aims of phishing simulations and their important role within them.

2. Employee wellbeing — Employees should not feel victimised as a result of phishing simulations and should not suffer psychological distress when clicking on a malicious link. Simulations must provide content that explains why detecting phishing emails is so difficult and supply education on how to improve detection moving forward.

3. Employee justice — All employees should be allowed to benefit from phishing simulations and although those at more risk may require more targeted intervention, groups of employees should not experience phishing simulations at a higher rate simply for ‘the sake of it’.

How do we begin reviewing the principles of ethics in our simulations?

Phishing simulations are a multi-step process with a need to ensure ethical standards are considered at each of these steps. So, let’s consider the principles of ethics at the 3 main stages of a simulation — pre-deployment, deployment, and post-deployment [4], [2]:

1. Pre-deployment:

  • Template content — Phishing simulations need to employ some form of coercion, or else they would not be truly replicating real-world experiences; however, the content of a template must not cause employees psychological harm, e.g., sending an inappropriate health-related update. The templates must also reflect current trends, including the social engineering strategies in use, such as persuasion techniques; without this, employees are not truly benefiting from the process.
  • Consent — Gaining pre-informed consent from employees, perhaps during cybersecurity training, is a must. Whilst gaining consent immediately prior to a phishing simulation would prime employees, gaining consent at the point where you communicate the need for simulations to employees is important.
  • Confidentiality — Employees should also be assured that any members of the awareness team analysing intelligence post-deployment treat its data as highly confidential.

2. Deployment:

  • Protecting employees — Ensure that phishing simulations are in place to protect employees, with embedded education providing them with the coping strategies they require to shield their work and personal data from the hands of cybercriminals.
  • Employee well-being — Employee minds should be set at ease at the earliest opportunity during a simulation, with employees made aware of next steps and of their important role in helping fight against phishing attacks.

3. Post-deployment:

  • Consent — Employees should be given the option to withdraw from the process if they wish, and should be provided with a number to call to discuss this option should they feel the need.
  • Data protection — If employee credentials have been captured, they must be informed that those credentials are not being stored and that no-one has been able to witness their content.
  • Debrief — The purpose of the deception must be fully explained to alleviate any upset, with an option for employees to feedback and ask questions should they so wish.
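The justice, confidentiality and data-protection points above can be reflected in how simulation results are recorded. This is an added example, not code from the original post or from any named product; the field names, the keyed pseudonym, the credential-field pattern and the 1.5x fairness threshold are all assumptions made for illustration.

```python
"""Ethically minded handling of phishing-simulation results (added example).
Assumptions: a landing-page form post arrives as a dict, a campaign plan is a
list of (group, employee_id) sends, and 1.5x the campaign-wide rate is the
threshold at which a group's exposure needs a documented risk justification."""
import hashlib
import hmac
import re
from collections import Counter

# Keyed hash so the awareness team sees a pseudonym, never the employee identity.
# The key below is constructed for this example; a real key stays out of source.
PSEUDONYM_KEY = b"example-campaign-key"
# Over-matching is the safe direction here: a dropped field is never stored.
SECRET_FIELD = re.compile(r"pass(word|wd)?|pwd|pin|otp|token", re.I)


def pseudonymise(employee_id: str) -> str:
    return hmac.new(PSEUDONYM_KEY, employee_id.encode(), hashlib.sha256).hexdigest()[:16]


def record_submission(employee_id: str, template_id: str, form: dict) -> dict:
    """Turn a landing-page form post into the stored event.
    Only the fact that a submission happened is kept: field values are never
    copied, and credential-like field names are dropped before the record
    exists, so there is nothing for anyone to witness after the fact."""
    record = {
        "subject": pseudonymise(employee_id),
        "template": template_id,
        "event": "submitted",
        "fields_seen": sorted(k for k in form if not SECRET_FIELD.search(k)),
    }
    assert not any(SECRET_FIELD.search(k) for k in record["fields_seen"])
    return record


def fairness_report(plan: list, risk_justified: set, factor: float = 1.5) -> dict:
    """Flag groups whose per-employee send rate exceeds `factor` times the
    campaign-wide rate unless the group is on the risk-justified list."""
    sends = Counter(group for group, _ in plan)
    heads = {g: len({e for gg, e in plan if gg == g}) for g in sends}
    overall = len(plan) / len({e for _, e in plan})
    flagged = {}
    for g in sends:
        rate = sends[g] / heads[g]
        if rate > factor * overall and g not in risk_justified:
            flagged[g] = round(rate, 2)
    return {"overall_rate": round(overall, 2), "flagged": flagged}
```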

What is important to note, however, is that employees will experience true phishing emails regularly, and that any distress caused by a phishing simulation will likely be far less than that experienced by a genuine attack [4]. By also providing education around coping strategies, the risks will be far lower than those experienced in the real world.

Key take homes for creating ethical phishing simulations

Organisations and service providers must consider employee autonomy, well-being and justice throughout the process. Not just during deployment but also when creating a simulation campaign and even after a simulation has taken place. Deception is a requirement in order to validate simulation results, but employees should be made aware of this deception at the earliest possible opportunity thereafter with clear guidance on the value of their participation and the coping strategies required to improve phishing detection moving forward.

AUTONOMY — WELL-BEING — JUSTICE. If employees understand the importance of their role in cybersecurity, they’ll happily choose to help.

References

[1] Rizzoni, F., Magalini, S., Casaroli, A., Mari, P., Dixon, M., & Coventry, L. (2022). Phishing simulation exercise in a large hospital: A case study. Digital Health, 8, 20552076221081716.

[2] Finn, P., & Jakobsson, M. (2007). Designing ethical phishing experiments. IEEE Technology and Society Magazine, 26(1), 46–58.

[3] Bonhoeffer, D. (2012). Ethics. Simon and Schuster.

[4] Salah El-Din, R. (2012). To deceive or not to deceive! Ethical questions in phishing research.


Laura Bishop

Director of Human Risk Science at OutThink, completing a PhD in Cyberpsychology with Cardiff University and Airbus