26 Feb 2021

How the NIST Phish Scale can help improve your security training

We previously discussed the NIST Cyber Security Framework and how businesses can use its set of best practices and guidelines to improve their approach to cyber-attacks. The framework consists of multiple functions which are combined to provide a strategic view of risk management:

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

Last year, 22% of all data breaches involved phishing attacks. As a measure to help businesses improve their phishing training and protect their employees, NIST developed a method coined ‘The Phish Scale’.


What is the NIST Phish Scale?

Many IT and security professionals plan security awareness programs which include phishing simulators designed to run legitimate-looking phishing campaigns. It’s a great way to encourage behavioural change in employees by teaching them to be more vigilant. The professionals can then analyse the click rates and measure the effectiveness of their training.

Although this method is effective, it simply doesn’t provide further insight into why certain individuals within a business are getting lured into scams. It’s all very well analysing clicks and seeing who’s fallen for the ‘trap’, but you also need to know the ‘why’ and the thinking behind their actions in order to address any blind spots effectively.

The Phish Scale was developed to provide IT and security professionals with a more granular understanding of whether phishing attempts are harder or easier for targets to identify. In other words, the Phish Scale has been proposed for businesses to rate the difficulty of their phishing attacks and aid in explaining click rates.

According to NIST’s research, many security leaders have voiced concern over their training and awareness programs when click rates are too high. This is particularly the case when leaders have been running their programs regularly, for a long period of time, and expect progressively lower click rates to reflect the effectiveness of the training.

But it’s important to note that lower click rates alone don’t show how effective the training is. Instead, lower click rates could mean the phishing emails were:

  • Too easy
  • Not contextually relevant for the majority of staff
  • Duplicated or similar to previous attempts

This is why NIST developed the Phish Scale – to give leaders a more comprehensive, metric-informed approach to understanding phishing attacks and improving their training going forward.


How can you use the Phish Scale to improve your phishing training?

The Phish Scale uses a rating system based on the email content. The method uses five elements which are rated on a 5-point scale to reflect the scenario of the email. The scenario of the email is then analysed according to your employees’ job roles and any recent events.

Research shows that factors such as personality, curiosity and distraction are likely to affect click rates. But most importantly, the Phish Scale takes into account two main elements: email cues and user context. Together these components are important factors in how difficult a phishing email is to detect.

You can then combine this information into an overall score, analyse the data and rank the phishing exercise as low, medium or high in difficulty.


1) Email cues

The email cues are essentially the observable signs which can help determine whether an email is legitimate. Some common email cues include:

  • Spelling mistakes
  • Grammar errors
  • The use of personal email addresses as opposed to work emails
  • Requests for any sensitive information

The idea behind this is to give your users hints and indicators that prompt them to ask themselves: is this legitimate, or is it a ‘fishy’ email?

Essentially, multiple cues within an email should prompt users to recognise a phishing attempt. But if an email is well articulated and doesn’t include any sense of urgency, the chances are that a user will be less vigilant and less alarmed.


2) User context

User context is extremely important when it comes to evaluating your employees’ thinking. Take this as an example: if an employee has no invoicing responsibilities at work, but the email contains information about an unpaid invoice, they’re more likely to be suspicious about what’s being sent to them. But if the email is correctly aligned with their job role, and in reality they do have invoicing responsibilities within your business, they’re highly likely to fall for the trap!

So, the more relevant the email context is, the more challenging it becomes to identify a phishing email.
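The following Python scorer is an added worked example, not code from the original post or from NIST. It puts the two inputs described above into practice: it counts the observable cues (spelling, grammar, a personal sender address, requests for sensitive information, urgency) in a simulation email, the analyst supplies the premise alignment with the recipient's role as low, medium or high, and the two are combined into a low, medium or high difficulty rating. The cue word lists, the few/some/many thresholds and the combination table are assumptions made for this example; NIST's published Phish Scale defines its own.

```python
"""Rate a phishing-simulation email by cue count and premise alignment.

Example code, not the original post's or NIST's. The word lists, the
thresholds and the combination table are assumptions for illustration.
"""
import re
from dataclasses import dataclass

# Constructed, deliberately small lists used to spot cues in a message.
MISSPELLINGS = {"recieve", "acount", "verfy", "adress", "informtion"}
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
SENSITIVE_TERMS = re.compile(
    r"\b(password|passcode|bank details|card number|login details)\b", re.I)
URGENCY_TERMS = re.compile(
    r"\b(immediately|urgent|within 24 hours|today|suspended)\b", re.I)
GRAMMAR_SLIPS = re.compile(
    r"\b(has|have) been (send|verify|update)\b|\byour account have\b", re.I)


@dataclass
class Email:
    sender: str
    subject: str
    body: str


def find_cues(email: Email) -> dict:
    """Return {cue name: list of matches} for every cue present in the email."""
    text = f"{email.subject}\n{email.body}"
    words = re.findall(r"[a-z']+", text.lower())
    sender_domain = email.sender.rsplit("@", 1)[-1].lower()
    cues = {
        "spelling": sorted({w for w in words if w in MISSPELLINGS}),
        "grammar": [m.group(0) for m in GRAMMAR_SLIPS.finditer(text)],
        "personal_sender": [email.sender] if sender_domain in PERSONAL_DOMAINS else [],
        "sensitive_request": [m.group(0) for m in SENSITIVE_TERMS.finditer(text)],
        "urgency": [m.group(0) for m in URGENCY_TERMS.finditer(text)],
    }
    return {name: hits for name, hits in cues.items() if hits}


def cue_count(email: Email) -> int:
    """Total number of individual cue hits across all cue types."""
    return sum(len(hits) for hits in find_cues(email).values())


def cue_level(count: int) -> str:
    """Bucket the cue count into few / some / many (assumed thresholds)."""
    if count <= 2:
        return "few"
    if count <= 5:
        return "some"
    return "many"


# Assumed combination table: fewer cues and a premise that matches the
# recipient's role make the email harder to spot; many cues and an
# irrelevant premise make it easy.
DIFFICULTY = {
    ("few", "low"): "medium", ("few", "medium"): "high", ("few", "high"): "high",
    ("some", "low"): "low", ("some", "medium"): "medium", ("some", "high"): "high",
    ("many", "low"): "low", ("many", "medium"): "low", ("many", "high"): "medium",
}


def rate_difficulty(email: Email, premise_alignment: str) -> str:
    """Combine the cue level with analyst-supplied premise alignment (low/medium/high)."""
    if premise_alignment not in {"low", "medium", "high"}:
        raise ValueError("premise_alignment must be low, medium or high")
    return DIFFICULTY[(cue_level(cue_count(email)), premise_alignment)]


# Constructed sample emails for a simulation exercise.
SAMPLE_PHISH = Email(
    sender="accounts.dept2021@gmail.com",
    subject="URGENT: Unpaid invoice",
    body=("Dear colleague,\nOur records show invoice #4471 has been send but not "
          "paid. Please verfy your login details immediately so we can recieve "
          "payment today.\nRegards"),
)
CLEAN_EMAIL = Email(
    sender="payroll@example-corp.com",
    subject="Q1 timesheet reminder",
    body="Hi, please submit your timesheet by Friday. Thanks.",
)

if __name__ == "__main__":
    for alignment in ("low", "high"):
        print(alignment, "alignment ->", rate_difficulty(SAMPLE_PHISH, alignment),
              find_cues(SAMPLE_PHISH))
    print("clean, high alignment ->", rate_difficulty(CLEAN_EMAIL, "high"))
```

The same cue-heavy email rates as low difficulty for staff with no invoicing role and medium for staff who do handle invoices, which is the click-rate context the scale is meant to supply; a well-written, role-relevant email with no cues rates as high difficulty.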


What further measures can you take to protect your business against phishing attacks?

Keeping your employees well trained with up-to-date information is one measure, but there are other steps you can take. So how can you not only prevent phishing attacks, but also detect them early and respond quickly? The simple answer is an effective Endpoint Detection and Response (EDR) platform that works to detect, contain and eradicate phishing attacks along with various other cyber threats.

EDR is an extension of traditional endpoint security which focuses on greater endpoint visibility and works to achieve faster response and remediation times. Incorporating a service like Securyx into your cyber security strategy will mean your business can benefit from immediate threat identification and the layers of protection needed to combat phishing attacks. Not only can this service protect your business and employees from phishing attacks, but it can also protect against the growing threats across the landscape.


Contact us for more information on how you can use the Phish Scale to improve your security training. Or if you’re thinking about investing in a secure and robust service like Securyx to keep your business protected, get in touch with our cyber security experts.

By OryxAlign