Using the NIST Phish Scale Framework to Detect and Fight Phishing Attacks
Most cyberattacks are aimed at individuals, whether through phishing, malware, or password attacks. In response, organizations are increasingly implementing phishing awareness training: simulated phishing emails that mimic real-world threats are sent to employees, with the aim of raising awareness of phishing techniques and improving their reflexes against such attacks. Despite these ongoing efforts, many employees still fall victim to phishing attacks – in 2024, the number of times that users clicked on phishing emails was three times higher than in 2023.
Researchers believe that organizations with consistently low click rates in their phishing tests may fall into the trap of feeling overly confident in their security measures. They might wrongly assume that their training programs are successful and that their employees are well prepared to fend off phishing attacks. In reality, a low click-through rate in phishing tests does not reliably indicate readiness to handle phishing threats, because click rates fluctuate with factors such as the test’s difficulty and the relevance of the simulated threat to its audience.
What is the NIST Phish Scale?
The NIST Phish Scale is a federal scoring system used to rate how difficult a phishing email is for a human to detect. The system has two main components. The first is the observable characteristics (visual cues) in a phishing email: the number and type of cues present that help a recipient identify the message as a phish. The second is the alignment of the email’s premise with its target audience, based on factors such as current events, the organization’s environment, or a recipient’s role and responsibilities. The two components are measured individually and then interpreted together to produce an overall human detection difficulty rating for the email.
Calculating the Phish Scale Score With Visual Cues and Alignment
To measure visual cues, the training team counts the cues present in the email across five categories: spelling and grammar irregularities (spelling errors, grammatical mistakes, other inconsistencies); technical indicators (email addresses, hyperlinks and attachments); visual representation (branding, logos, design, formatting); language and content (generic greeting, timing of the email, pressure tactics, etc.); and common tactics (too good to be true, impersonation of a friend or colleague, etc.). The total is then mapped to a category: from one to eight cues is “few,” meaning the email is difficult to detect; 9 to 14 cues is “some,” meaning it is somewhat difficult to detect; and 15 or more cues is “many,” meaning it is fairly easy for a human to conclude that the email is a phish.
To measure a phishing email’s premise alignment, the training team assigns an applicability score (a numerical value between 0 and 8) to each of these five premise alignment elements:
- Mimics workplace processes or practices – for example, if the target audience typically receives official organization updates via a chat application and the recipients in this exercise receive it via email, then it has a lower applicability score.
- Has relevance in the workplace – for example, if the target audience is from the finance department and the phishing mail has a premise of ‘late payment,’ then it has a higher applicability score.
- Aligns with situations (internal or external) in the workplace – for example, if it’s the Christmas season and the phishing email is Christmas-related, then the applicability score of the phishing email is higher.
- Elicits concern over consequences for not clicking – for example, an email with a more serious and direct allegation will have a higher score than one that tries to exploit a user’s fear of missing out.
- Is the subject of targeted training or specific warnings – for example, if the phishing email has been covered in organizational training, or the organization has issued a warning to be on the lookout for such emails, then it will have a higher applicability score.
Once the applicability scores are assigned, sum the scores for elements one through four, then subtract the score for element #5 from that total. The resulting premise alignment score is mapped to one of these three alignment categories:
- Strong (a score of 10 or below) – the alignment of the phishing email’s premise to the target audience is high, and therefore the email is difficult to detect as a phish.
- Medium (a score of 11 to 17) – the alignment of the phishing email’s premise to the target audience is moderate.
- Weak (a score of 18 or higher) – the alignment of the phishing email’s premise to the target audience is low, and therefore the phishing email is easier to detect.
Calculating Final Scores: The final step is to combine the visual cue rating and the premise alignment rating into an overall human detection difficulty rating. For example, phishing emails with few cues and a strong premise alignment are more difficult to detect than those with many cues and a weak premise alignment.
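To make the three steps above concrete, here is an added Python example (not code from NIST or from this article) that scores a constructed “late payment” email sent to a finance team. The alignment bands are copied from the article as written; note that NIST’s own Phish Scale User Guide (TN 2276) orders them the other way (Weak is 10 or less, Strong is 18 or more), so both tables are included and you should check which edition your program follows. The combination table only fixes the two corners the article states (few cues plus strong alignment is hardest, many cues plus weak alignment is easiest); the inner cells are an assumption.

```python
# Cue categories named in the article; the input is a tally per category for one email.
CUE_CATEGORIES = ("spelling_grammar", "technical", "visual", "language_content", "common_tactics")

def cue_rating(cue_counts):
    """Total the observed cues and map the count to the article's three bands."""
    total = sum(cue_counts.get(c, 0) for c in CUE_CATEGORIES)
    if total <= 8:
        return "few"    # 1-8 cues: difficult to detect
    if total <= 14:
        return "some"   # 9-14 cues: somewhat difficult
    return "many"       # 15 or more: fairly easy to detect

def alignment_score(elements):
    """Five applicability scores (0-8 each): sum elements 1-4, subtract element 5."""
    if len(elements) != 5 or any(not 0 <= e <= 8 for e in elements):
        raise ValueError("expected five applicability scores in the range 0..8")
    return sum(elements[:4]) - elements[4]

# Band tables as (inclusive upper bound, label), checked in order; None is open-ended.
ARTICLE_BANDS = ((10, "strong"), (17, "medium"), (None, "weak"))     # as the article states
NIST_GUIDE_BANDS = ((10, "weak"), (17, "medium"), (None, "strong"))  # NIST TN 2276 ordering

def alignment_rating(score, bands=ARTICLE_BANDS):
    for upper, label in bands:
        if upper is None or score <= upper:
            return label

# Assumed combination table: the article fixes only the corners
# (few+strong hardest, many+weak easiest); the inner cells are an editor's assumption.
DIFFICULTY = {
    ("few", "strong"): "very difficult", ("few", "medium"): "very difficult",
    ("few", "weak"): "moderately difficult",
    ("some", "strong"): "very difficult", ("some", "medium"): "moderately difficult",
    ("some", "weak"): "moderately difficult",
    ("many", "strong"): "moderately difficult", ("many", "medium"): "moderately difficult",
    ("many", "weak"): "least difficult",
}

def detection_difficulty(cue_counts, elements, bands=ARTICLE_BANDS):
    """Return (cue band, alignment band, overall human detection difficulty)."""
    cues = cue_rating(cue_counts)
    align = alignment_rating(alignment_score(elements), bands)
    return cues, align, DIFFICULTY[(cues, align)]

# Constructed sample: a "late payment" notice to the finance team with a spoofed
# sender address, a lookalike link and a pressure deadline; no prior warning issued.
LATE_PAYMENT_CUES = {"technical": 2, "language_content": 1}
LATE_PAYMENT_ELEMENTS = [8, 8, 4, 8, 0]   # elements 1-5; element 5 = 0 (no warning)

if __name__ == "__main__":
    print(detection_difficulty(LATE_PAYMENT_CUES, LATE_PAYMENT_ELEMENTS))
    print(detection_difficulty(LATE_PAYMENT_CUES, LATE_PAYMENT_ELEMENTS, NIST_GUIDE_BANDS))
```

Running it shows why the band ordering matters: the same email scores 28 on alignment and lands in opposite bands under the two tables.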
How Can NIST Phish Scale Improve Phishing Awareness Training?
NIST proposes that by applying a difficulty rating to phishing awareness training, organizations can benefit in two ways:
- It provides greater context and insight regarding click and reporting rates – phishing emails rated “very difficult” to detect will produce higher click rates, whereas the least difficult emails will produce lower click rates. If a “least difficult” email is getting a high click rate, that likely means the audience needs more training.
- It provides a way to characterize phishing threats, enabling the trainer to tailor training programs to the threats the organization actually faces – if certain types of phishing emails garner more clicks, training facilitators should implement targeted training programs to improve awareness and behavior among those users.
Leveraging AI-based Phishing Awareness Training May Help
Generic, check-the-box phishing training is no longer effective against advanced phishing threats. Today’s phishing training calls for emails that are topical (reflecting the latest threats), relevant (content tailored to audiences, departments and roles) and adaptive (campaigns that account for phishing detection difficulty and the organization’s risk tolerance). Adopting AI for this task can potentially help implement the Phish Scale framework and provide more timely insight into training performance.
The NIST Phish Scale framework offers a structured and effective approach to improving phishing awareness training in organizations. Harnessing this framework not only enables organizations to tailor training programs based on varying levels of user susceptibility but also fosters a culture of continuous improvement in cybersecurity awareness.