Improving Phishing Awareness in the United States Department of Defense

摘要

Phishing emails are rapidly increasing in sophistication, evolving from poorly crafted attempts to entice a recipient to click, into legitimate looking emails and attachments. In response, email providers have to improve their detection technology by adding new rules to their firewalls and filters to block incoming spam and phishing emails. To overcome technical measures, attackers modify the content of their phishing emails and the source email address. In this cat and mouse game, network defenders rely on the user to report new threats, and the users depend on phishing awareness training to help them identify malicious emails. For a large organization like the United States DoD (DoD) which boasts a workforce of 3.2 million employees, it is difficult to properly train employees to identify and report malicious emails. Like other organizations the DoD requires its employees to complete phishing awareness training, however the effectiveness of this training is widely disputed. Phishing prevention can be broken into three main components: automated filters and firewalls, automated warning messages, and behavioral training. This paper analyzes existing United States DoD phishing awareness behavioral training and proposes 3 principles of an improved behavioral training model. This paper will detail how focused training objectives, a DoD content-sharing platform and a realistic delivery method can be combined to offer an effective and sustainable phishing awareness campaign.