Organizations use phishing training exercises to help employees defend against the phishing threats that get through automatic email filters, reducing the potential compromise of information security for both the individual and their organization. These exercises use realistic fake phishing emails to test employees' ability to detect the phish, producing click rates which the organization can then use to inform and adjust its cybersecurity training programs. However, click rates alone cannot provide a holistic picture of why employees do or do not fall for phishing emails. To this end, the National Institute of Standards and Technology (NIST) created the Phish Scale, a methodology for determining how difficult a phishing email is to detect (Greene et al. 2019). Recent research on the Phish Scale has focused on improving the robustness of the method. This paper presents initial results of the ongoing development of the Phish Scale, including work towards the repeatability and validity of the Phish Scale using operational phishing training exercise data. Also highlighted are the ongoing efforts to minimize the ambiguities and subjectivity of the Phish Scale, as well as the design of a study aimed at gauging the usability of the scale via testing with phishing training exercise implementers.
, Jacobs, J. and Dawkins, S., Scaling the Phish: Advancing the NIST Phish Scale, HCI International 2021 - Posters, Washington, DC, US, [online], https://doi.org/10.1007/978-3-030-78642-7_52, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=932167 (Accessed December 4, 2023)