Every day, staff in the NIST Information Technology Laboratory’s Visualization and Usability Group (VUG) are conducting studies and publishing findings about cybersecurity usability. A usable cybersecurity technology is one that an individual can effectively use to meet their goals while maintaining cybersecurity. The NIST research provides actionable guidance so that policymakers, system engineers, and security professionals can make better decisions to keep their organizations protected against cybersecurity attacks, scams, and other malicious events. That’s why we are starting a new Cybersecurity Insights blog series, titled Staff Spotlight: NIST Usable Cybersecurity. Our first blog in the series highlights the recent research efforts of Kristen Greene, Ph.D., a cognitive scientist in VUG who specializes in phishing scams.
With the challenging times we find ourselves in, we asked Dr. Greene to share information about the NIST Phish Scale, a helpful tool she helped develop at NIST that can assist organizations in protecting their employees against phishing scams.
I have a master’s degree and Ph.D. in Cognitive Psychology, specializing in Human-Computer interaction. I first started in voting usability research, which included driving a hydraulic lift truck out to the middle of Texas to pick up 600-pound lever voting machines in an effort to test the usability between the old machines and the newer electronic voting machines and find out what errors people make when voting. That led me to come to NIST to work on the voting project here several years ago, and the opportunity to move into usable security research became available. I’ve now been at NIST 9 years and worked primarily in phishing research.
We expect that malicious actors will deploy phishing attacks against many Americans who are now teleworking because of the social distancing requirements from the coronavirus. Malicious actors pretend to be from your bank, a non-profit, or government agency, and it sounds legitimate because you have an account at that bank or have given to that non-profit before. It matches your world view and user context, making you more likely to click the link and fall victim to the scam. For instance, scammers are pretending to be from organizations such as the Department of Health and Human Services, World Health Organization, or Red Cross. We all need to be hypervigilant and question every email in this challenging time.
Because it’s so easy to craft phishing emails that can look like they came from your company or a government agency, right now is the time for many organizations’ cybersecurity professionals to be reaching out to their employees to inform them of what to look for regarding phishing emails that may come to their work email, and to ensure that the person, and organization, are protected against being scammed or hacked.
Researching phishing is incredibly important because phish attacks affect nearly every single American that uses email, websites, mobile phone texting, and voicemail. As attackers and scammers become more and more sophisticated, our firewalls, filters, and tools serve as an arms race — attackers get better weapons, defenders need better armor.
Organizations are trying to prepare and engage their employees for these attacks by sending out fake phishing emails and seeing who clicks, and then tracking the click rates. The issue is that some of these companies impose punitive measures on their employees for multiple clicks on fake phishing emails. We at NIST are trying to encourage these organizations to focus less on punishing employees and more on educating them to better understand what a phishing email is, and to report that email to their respective IT security team.
Based on NIST research, we developed the NIST Phish Scale, which allows Chief Information Security Officers (CISOs) and phishing training implementers to more easily rate the difficulty of their phishing exercises and help explain associated click rates. The scale is based on past research in phishing cues and user context (how relatable the phishing email is to the user) and can serve as a tool to help frame data sharing on phishing exercise click rates across sectors. We are planning to continue to gather data from more organizations and conduct tests with wider data sets in the future.
I have met so many interesting and smart people doing fascinating research at NIST. It’s been great to be part of so many research projects that have real-world application and solve real-world problems. In the academic space, it can sometimes be harder to make that real-world connection that NIST allows. I also really love the NIST softball and tennis teams!
Phishing really does affect anyone and everyone with an email account (or phone number), and that includes election officials and others in the voting space, as well as public safety agencies all interacting with the public, especially as they have email addresses (and phone numbers), and all are targets. Phishing, like so many other usable security topics, really does apply to all the sectors. There have already been notable instances of cities and agencies being brought down by ransomware, so that stresses the importance of educating users on how to back up their data and test their backups, in case of ransomware.
The federal government has several websites devoted to helping organizations and individuals better understand the dangers of phishing scams: