Thu | Sep 24, 2020 | 7:38 AM PDT

The National Institute of Standards and Technology (NIST) recently developed a new method, which it calls the Phish Scale, for rating how difficult a phishing email is for its recipients to detect. The aim is to help organizations and their employees stop falling victim to phishing attacks.

A tool like the Phish Scale could be very useful for organizations in the fight against phishing. Research shows that more than 90% of cyberattacks start with a phish. The costs are adding up.

In a report from Cybersecurity Ventures, it's estimated that by 2021, global cybercrime damages will cost $6 trillion annually, compared to $3 trillion in 2015.

The Phish Scale method

Cybersecurity awareness training programs have grown in popularity as cybercrime rates have increased in recent years, and many organizations require their employees to go through this training.

Many of these programs focus on phishing, as it is one of the most common attack vectors. For the training to be effective, the organization must account for how difficult each training message is to detect: a click on a crude, generic phish and a click on a well-crafted, contextually relevant one do not mean the same thing.

The NIST researchers make this point in their Journal of Cybersecurity paper:

"Understanding the detection difficulty helps phishing awareness training implementors in two primary ways: (i) by providing context regarding training message click and reporting rates for a target audience, and (ii) by providing a way to characterize actual phishing threats so the training implementor can reduce the organization's security risk by tailoring training to the types of threats their organization is facing."

This is why NIST developed the Phish Scale. CISOs and security awareness managers now have an additional metric, one that puts click and reporting rates in context and helps categorize the actual threats the organization faces.

How was the Phish Scale developed?

There were a multitude of factors to consider when developing and implementing the Phish Scale. NIST goes into detail about how the scale came to be.

"To develop our Phish Scale, we began by considering the primary elements that CISOs and training implementors use when selecting and customizing phishing training exercises. These elements are scenario premise and message content. The scenario premise may pertain to a relatively new threat or an older threat that remains effective for a particular target audience. The message content is typically customizable by the trainer and contains the cues that trainees might use to detect the training phish. For this exploratory effort, we root the Phish Scale in these two primary elements: the cues contained in the message and the premise alignment for the target audience.

Other factors such as personality, curiosity, distractedness, concern for security, and the like certainly affect click rates, and ultimately we intend to consider how to account for additional factors such as these. However, for now, this effort starts with message cues and premise alignment as these elements undoubtedly play crucial roles in phishing detection by humans and, importantly, they can be categorized by training implementors for a given target audience. For this initial effort at characterizing detection difficulty, the Phish Scale components are:

    1. A rating system for observable characteristics of the phishing email itself, such as the number of cues, nature of the cues, repetition of cues, and so on.

    2. A rating system for alignment of the phishing email premise with respect to a target audience."

The importance of phishing detection difficulty

A common concern among CISOs running phishing awareness programs is that click rates come in higher than expected, or swing from one exercise to the next, despite the money and time spent on training.

When click rates are high or variable, the training is perceived as ineffective, which NIST says is often the wrong conclusion. Click rates should not be read alone: reporting rates and reporting times matter too, because early reporting gives the security team a chance to mitigate an attack before most recipients have acted on it.

One main goal of the Phish Scale is to show security teams that high or variable click rates can instead indicate that employees are facing new, difficult, and contextually relevant phishing attempts. Click rates must therefore be compared against a deeper understanding of the phishing messages themselves.

The scale uses operational data to assess how difficult it is for people in a target population to detect that a given message is a phishing attack.
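To make the two Phish Scale components and the metrics above concrete, here is an added Python example. It is not NIST's code or data: the cue-count bands, the difficulty matrix (DIFFICULTY), the click-rate threshold in interpret() and the sample campaign (SENT_AT, SAMPLE) are assumptions based on my reading of the NIST paper and should be checked against it before operational use. It rates a training message from its cue count and premise alignment, then computes the click rate, report rate and time-to-report for one campaign and reads the click rate in light of the rating.

```python
"""Phish Scale-style rating of a training phish, plus the campaign metrics
(click rate, report rate, time to report) that should be read alongside it.

Added illustration; not NIST's code or data. The cue-count bands and the
difficulty matrix are ASSUMPTIONS based on my reading of the NIST Phish Scale
paper and must be checked against the paper before operational use.
"""
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Optional

ALIGNMENTS = ("low", "medium", "high")


def cue_band(n_cues: int) -> str:
    """Map the number of detectable cues in the message to a band.
    ASSUMPTION: band boundaries (few <= 8, some 9-14, many >= 15)."""
    if n_cues < 0:
        raise ValueError("cue count cannot be negative")
    if n_cues <= 8:
        return "few"
    if n_cues <= 14:
        return "some"
    return "many"


# ASSUMPTION: difficulty matrix (cue band x premise alignment). Fewer cues and
# a premise that fits the audience's work make a phish harder to spot.
DIFFICULTY = {
    ("few", "low"): "moderately difficult",
    ("few", "medium"): "very difficult",
    ("few", "high"): "very difficult",
    ("some", "low"): "least difficult",
    ("some", "medium"): "moderately difficult",
    ("some", "high"): "very difficult",
    ("many", "low"): "least difficult",
    ("many", "medium"): "least difficult",
    ("many", "high"): "moderately difficult",
}


def rate_difficulty(n_cues: int, alignment: str) -> str:
    """Combine the two Phish Scale components into a detection-difficulty rating."""
    if alignment not in ALIGNMENTS:
        raise ValueError(f"alignment must be one of {ALIGNMENTS}")
    return DIFFICULTY[(cue_band(n_cues), alignment)]


@dataclass
class Recipient:
    """One recipient of a training phish and what they did with it."""
    user: str
    clicked_at: Optional[datetime] = None
    reported_at: Optional[datetime] = None


def campaign_metrics(sent_at: datetime, recipients: list) -> dict:
    """Click rate, report rate and time-to-report (minutes) for one campaign."""
    if not recipients:
        raise ValueError("no recipients")
    n = len(recipients)
    clicks = sum(1 for r in recipients if r.clicked_at is not None)
    delays = sorted(
        (r.reported_at - sent_at).total_seconds() / 60
        for r in recipients if r.reported_at is not None
    )
    return {
        "sent": n,
        "click_rate": clicks / n,
        "report_rate": len(delays) / n,
        "first_report_minutes": delays[0] if delays else None,
        "median_report_minutes": median(delays) if delays else None,
    }


def interpret(metrics: dict, difficulty: str, click_threshold: float = 0.10) -> str:
    """Read the click rate in light of the difficulty rating.
    ASSUMPTION: the threshold is illustrative, not NIST guidance."""
    high = metrics["click_rate"] > click_threshold
    if high and difficulty == "least difficult":
        return "training gap: high click rate on an easy phish"
    if high:
        return f"expected for a {difficulty} phish; focus on reporting rate and speed"
    return "click rate low for this difficulty"


# Constructed sample campaign: 10 recipients, sent at 09:00, four clicks and
# three reports (one user both clicked and then reported).
SENT_AT = datetime(2020, 9, 24, 9, 0)
SAMPLE = [
    Recipient("u01", clicked_at=datetime(2020, 9, 24, 9, 3)),
    Recipient("u02", reported_at=datetime(2020, 9, 24, 9, 7)),
    Recipient("u03"),
    Recipient("u04", clicked_at=datetime(2020, 9, 24, 9, 12),
              reported_at=datetime(2020, 9, 24, 9, 25)),
    Recipient("u05"),
    Recipient("u06", clicked_at=datetime(2020, 9, 24, 9, 40)),
    Recipient("u07"),
    Recipient("u08", reported_at=datetime(2020, 9, 24, 10, 40)),
    Recipient("u09", clicked_at=datetime(2020, 9, 24, 11, 5)),
    Recipient("u10"),
]

if __name__ == "__main__":
    # A message with six cues whose premise closely fits the target audience.
    difficulty = rate_difficulty(6, "high")
    m = campaign_metrics(SENT_AT, SAMPLE)
    print(difficulty, m)
    print(interpret(m, difficulty))
```

The point of keeping the rating and the metrics in one place is the comparison: the same 40% click rate is a training problem if the message was rated "least difficult" and an expected result if it was "very difficult", and in the second case the numbers that matter are the 30% report rate and the seven minutes to the first report.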

Phish Scale still in early stages

It is important to note that all of the data behind the Phish Scale so far came from NIST's own phishing awareness program. For the scale to become a truly powerful tool, it will need data from a variety of organizations so that it performs well over time and in different settings.

In the future, it will also be important to understand the impact that new technical email security measures will have on phishing. Government agencies are implementing protocols such as Domain-based Message Authentication, Reporting, and Conformance (DMARC) and DomainKeys Identified Mail (DKIM), which let a receiving mail system verify that a message really came from the domain it claims to. It is not yet known how these changes will affect phishing: some attacks may become ineffective, while others will evolve into new threats in response.

For more information on the Phish Scale, check out the NIST research article.