Fascinating question! Phishing experiments that simulate real-world conditions can provide cybersecurity experts and organizations with valuable knowledge they can use to develop countermeasures to prevent employees from being victimized by phishing attacks. However, these experiments may infringe on consent requirements and involve deception. Therefore, it is vitally important that ethical and legal matters are carefully considered.
David B. Resnik, JD, Ph.D., in an article titled Ethics and Phishing Experiments, contends that phishing testing can be conducted under the appropriate conditions. He outlines three different approaches:
- Surveys or interviews with individuals concerning their experiences with such attacks. Investigators, in this approach, can analyze responses to try and understand what types of phishing emails have been received and how recipients responded. This process has limitations because it relies on the subject’s memory and does not involve any experimental behavior manipulation.
- Testing participants’ ability to distinguish between phishing emails and legitimate inquiries under controlled environments. These studies can provide valuable information about participants’ "phishing IQ," however, the lack of experimentally - manipulative behavior restricts the investigator’s efforts.
- Conducting experiments that mimic actual phishing attacks. Investigators are provided with employee email addresses for the research. Recipients would not easily ascertain whether they were receiving actual phishing emails or messages concocted by investigators. Recipients would be instructed to submit personal or financial information to a website linked to the message. The test website would be secure and private, data beyond the sender’s email would not be stored to protect privacy and confidentiality.
The first two methodologies, according to Resnik, do not raise any significant ethical issues. Resnik asserts that the third approach poses substantial ethical challenges due to questions surrounding consent and the practice of deception.
Resnick concludes that phishing susceptibility testing is valuable. He reminds us that conducting experiments mimicking actual phishing attacks can be performed ethically when:
- Risks are minimized, and confidentiality is protected.
- Potential participants are permitted to opt-out.
- Everyone is appropriately debriefed after their involvement ends.
- Researchers, sponsors, organizations, and oversight committees are engaged and ensure that ethical standards are met
We recommend that you consult with your senior leadership teams, legal counsel, and human resources professionals before launching simulated phishing testing.