The first two situations seem adorably quaint today, but it’s still easy to find companies that buy their phishing simulators and training from different providers—but perhaps not for long. Most companies got involved in security awareness training before they got involved with phishing simulation. The reason for the early push was because regulatory: companies were often told that they must have all employees (or at least all employees with access) trained up to a minimum level of cybersecurity knowledge, and they must be retrained frequently, often every year. There was, and still is, a lot of science behind that recommendation. Polls and surveys then and now continue to show that people are the last and often least line of defense in any organization. An example of this was surfaced in Black Hat’s 2015 official survey (Figure 1).
Figure 1: Top five results from the official survey conducted with IT security attendees of the 2015 Black Hat conference. The results of the survey noted that “sophisticated attacks targeted directly at the organization,” “phishing…social engineering,” and “users who fail to follow security policy” were Black Hat attendees’ top three concerns. All three of those concerns are, of course, addressed by safe behavior, and safe behavior can result only from training and conditioning. Security awareness training certainly addresses the “training” component, but the direction of the industry 10 years ago was toward cost-containment, which created programs full of canned videos half-ignored by students. Recent advances in gamification and interactivity have improved the quality of computer-based training (CBT) to the point where good CBTs now use a “show and reinforce” model that combines a few minutes of video with an exercise that challenges learners’ ability to use the material they just learned. While those CBT advances were a boon for interactivity and engagement in most domains, IT and security experts found that they were still not enough to stop users from clicking on dangerous links in their email. Suddenly a new industry was born: A new crop of anti-phishing products would send harmless but realistic-looking phishing emails to employees, and automatically shame, educate, and report on them if they clicked any links. Together with training about what phishing was and why it was dangerous, these new tools finally resulting in the behavior change that IT, security, and risk management agreed was necessary: it got users to finally look at things before they clicked on them, and companies were invested with malware, hacked, and embarrassed at a much lower rate than before. Perhaps just as important, the new phishing simulators also reported on something that few other IT tools had ever done out of the box: They reported on their own effectiveness, and thus helped the IT managers and security specialists who purchased them demonstrate a positive return on their investment (ROI). An example demonstrates how this was done. Suppose a large company deployed an anti-phishing simulator and set up a campaign to target a division in a pilot. During the initial campaign run, the simulator found that 60% of targeted users would click on phishing attacks. Over subsequent campaign runs, the simulator automatically trained users who clicked on phishing attacks, and the overall number of targeted users who clicked on phishing links dropped to 30% by the next renewal of the phishing simulator software or service. Since the company enjoyed a 50% (60%/30%) improvement in its phishing susceptibility, and it used a number of industry sources to estimate its initial expected loss at $338,000 per year, the company could show that it had reduced its risk by $169,000 per year. Since this amount was certainly more than the cost of the anti-phishing software (let’s assume $50,000 per year), the company could show a large and tangible return on its investment over that period (238%). The ability to calculate a tangible ROI certainly put phishing simulators at the head of the IT security funding pack when annual budgets rolled around. In 2014 Gartner published a “Magic Quadrant” that drew some interesting lines around both the security awareness and phishing simulation industries. In its October 2014 “Magic Quadrant for Security Awareness Computer-Based Training Vendors,” Gartner essentially told both groups that they are selling different solutions—training vs. simulation—to the same buyers to fix the same problems. It then lauded vendors that showed a willingness to partner (often a precursor to merging) with vendors that provided the opposite service, and bashed any vendors that hadn’t got on the “highly interactive training” bandwagon yet (sorry SANS). The 2014 Gartner report cleared the way for the industry to start consolidating and combining interactive training and simulation packages into “security education” platforms. In 2015, one example of this was Wombat’s acquisition of ThreatSim, followed by the release of their “Security Education Platform” product. Other vendors responded in different ways; among them was the InfoSec Institute, which redeveloped its security awareness training with an average of a half-dozen exercises per module, built and then rebuilt a commercial phishing simulator, and then launched the entire education platform as “SecurityIQ” (Figure 2).
Figure 2: Screenshot from InfoSec Institute’s SecurityIQ, a security education platform that includes interactive security awareness training with a phishing simulator. Today, you would be hard-pressed to find either security awareness or phishing simulation vendors thriving on their own. They have either, like the InfoSec Institute, developed the comprehensive “security education platform” laid out by Gartner (and its large clients) or they have enmeshed themselves in a web of partnerships that allows them to sell a complete package from two different vendors. Likewise, today’s buyers, knowing that convergence is already here, look for features that deliver a smooth and reliable experience, such as a single interface to import, manage, and report on all their users. They also seek out “low-touch” administration so they can spend more time planning their campaigns and less time worrying about the administrative controls of multiple tools.