Email is essential to businesses, but it is also an attractive attack vector and target for malicious actors operating on the Internet. Email is the front line where businesses and users must defend themselves against actors attempting to steal information, obtain access credentials and compromise infrastructure. The most widely used social engineering technique, known as “phishing”, consists of sending fraudulent emails that compel users to take actions leading to a cybersecurity compromise.
This article describes the fundamental components of a comprehensive program that trains, tests, measures and enhances an organization’s cybersecurity defenses against phishing attacks. Based on the National Institute of Standards and Technology (NIST) best-practice recommendations, Michael Miranda developed this phishing training program for deployment in government and private-sector organizations. The program includes the following core activities:
- Train on Phishing Detection and Incident Response: An organization and its users must be trained before testing their abilities to detect and respond to phishing.
- Obtain Leadership Approval: Phishing exercises should be initiated only with the expressed consent of the leaders of the organization.
- Develop the Training Exercise Scenarios: While many phishing emails are sent to targets indiscriminately, those are more likely to be detected and blocked by automated email spam-filtering tools. The most effective phishing emails are tailored to the activities of the targeted organization or user, so the exercise scenarios should be as well.
- Select and Deploy the Phishing Tool: Once the objectives of the phishing training program are established, the organization can begin evaluating tools that can achieve them.
- Implement and Test Exercise Scenarios: Testing the exercise scenarios is vital to validate training and reporting objectives.
- Develop and Implement Exercise Response: The purpose of this type of training is to assess the effectiveness of phishing training on users. Exercise phishing incidents must be handled so that they are deconflicted from actual phishing incidents that trigger incident response procedures.
- Initiate the Exercise: One thing to consider is that users do not check email messages at the same time intervals. Therefore, the exercise should be planned to ensure the highest number of users will receive and open the exercise email within a short period.
- Report on the Metrics: After the exercise window has ended, metrics should be compiled to determine the effectiveness of the training.
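The last three activities (deconflicting exercise reports from real incidents, checking that the exercise mail was opened within a short window, and compiling metrics) can be carried out over the event export of whatever phishing tool is selected. The following is an added illustration, not code from Miranda's article or from any particular phishing tool: it assumes the tool stamps a campaign identifier on every tracking event (here the constructed value `EX-2024-Q1`) and that user reports of mail without that identifier must go to the incident response process as potential real phishing. The events, users and timestamps are constructed.

```python
"""Phishing-exercise metrics and deconfliction of exercise reports from real incidents.

Added example (not from the original article). Assumes the phishing tool exports
events as (timestamp, user, event, campaign_id) and that every exercise email
carries the campaign id, e.g. in a tracking URL parameter or custom mail header.
"""
from datetime import datetime
from math import ceil

# Constructed identifier for this exercise campaign.
EXERCISE_CAMPAIGN_ID = "EX-2024-Q1"

# Constructed tracking events. Dave's report carries no campaign id: it is a
# report of mail that is NOT part of the exercise and must be escalated.
EVENTS = [
    ("2024-03-04T09:00:00", "alice", "sent", "EX-2024-Q1"),
    ("2024-03-04T09:00:00", "bob", "sent", "EX-2024-Q1"),
    ("2024-03-04T09:00:00", "carol", "sent", "EX-2024-Q1"),
    ("2024-03-04T09:00:00", "dave", "sent", "EX-2024-Q1"),
    ("2024-03-04T09:03:00", "alice", "opened", "EX-2024-Q1"),
    ("2024-03-04T09:04:00", "alice", "clicked", "EX-2024-Q1"),
    ("2024-03-04T09:05:00", "bob", "opened", "EX-2024-Q1"),
    ("2024-03-04T09:06:00", "bob", "reported", "EX-2024-Q1"),
    ("2024-03-04T09:10:00", "carol", "opened", "EX-2024-Q1"),
    ("2024-03-04T09:11:00", "carol", "clicked", "EX-2024-Q1"),
    ("2024-03-04T09:12:00", "carol", "reported", "EX-2024-Q1"),
    ("2024-03-04T09:20:00", "dave", "reported", None),  # not an exercise mail
]


def triage_reports(events, campaign_id):
    """Split user phishing reports into exercise reports (handled by the
    exercise team) and reports to escalate to incident response."""
    exercise, escalate = [], []
    for ts, user, event, cid in events:
        if event != "reported":
            continue
        (exercise if cid == campaign_id else escalate).append((ts, user))
    return exercise, escalate


def compute_metrics(events, campaign_id):
    """Per-user outcomes and rates for one campaign. A user who clicked and
    then reported still counts as a click; the report is counted separately."""
    by_user = {}
    for _ts, user, event, cid in events:
        if cid != campaign_id:
            continue
        by_user.setdefault(user, set()).add(event)
    sent = [u for u, ev in by_user.items() if "sent" in ev]
    n = len(sent)
    opened = sum("opened" in by_user[u] for u in sent)
    clicked = sum("clicked" in by_user[u] for u in sent)
    reported = sum("reported" in by_user[u] for u in sent)
    return {
        "sent": n,
        "opened": opened,
        "clicked": clicked,
        "reported": reported,
        "click_rate": clicked / n if n else 0.0,
        "report_rate": reported / n if n else 0.0,
    }


def open_window_minutes(events, campaign_id, fraction=0.75):
    """Minutes after sending by which `fraction` of the users who opened the
    mail had done so. Checks whether the exercise was timed so that most
    users received and opened it within a short period."""
    send_times, open_times = {}, []
    for ts, user, event, cid in events:
        if cid != campaign_id:
            continue
        t = datetime.fromisoformat(ts)
        if event == "sent":
            send_times[user] = t
        elif event == "opened":
            open_times.append((user, t))
    delays = sorted(
        (t - send_times[u]).total_seconds() / 60
        for u, t in open_times if u in send_times
    )
    if not delays:
        return None
    return delays[max(0, ceil(fraction * len(delays)) - 1)]


if __name__ == "__main__":
    print(compute_metrics(EVENTS, EXERCISE_CAMPAIGN_ID))
    ex, esc = triage_reports(EVENTS, EXERCISE_CAMPAIGN_ID)
    print("exercise reports:", ex)
    print("escalate to incident response:", esc)
    print("75% of opens within (minutes):", open_window_minutes(EVENTS, EXERCISE_CAMPAIGN_ID))
```

On the constructed data, two of four users clicked and two reported, Dave's report is routed to incident response rather than counted against the exercise, and three quarters of the opens had happened ten minutes after sending. The campaign id is the deconfliction key: if the tool cannot tag events, the same split can be made on a per-campaign sender address or subject line, but that is less reliable once real attackers imitate the exercise.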
Organizations need to invest resources in protecting the email service and reinforcing safe and secure usage. It is imperative that businesses train their employees to identify social engineering attempts made through phishing. By implementing a comprehensive phishing exercise training program, the risks associated with that threat can be reasonably mitigated.
Cite: Miranda, M. J. A. (2018). Enhancing Cybersecurity Awareness Training: A Comprehensive Phishing Exercise Approach. International Management Review, 14.