Keeping Information Security Simple – “The Preparedness Paradox”

Letter from the CISO, Vol 3 Issue 6 

Washington University Community:

Problems in WashU paradise 

Sometimes, I think working at WashU is a bit like being in paradise. November is a time to reflect on things we are grateful for, and this includes working in a safe and welcoming culture. But even the Garden of Eden had a serpent, and we have our problems too. 

Almost every month I encourage everyone to be vigilant, skeptical, and a little paranoid

Most of you are succeeding with three times as many people reporting our simulated phishing training than falling for them. Our phish-prone rate hovers around 5.5% which is a little better than many comparable organizations! But it’s not quite as good as our true peer institutions who are closer to 5.0%, which gives us the opportunity to improve. 

In the most recent simulation, too many people are still clicking on links, cutting and pasting web addresses, and scanning QR codes for web addresses. This occurs despite recent Special SECURED Bulletins warning of active attacks that are being successful with these methods for getting around some of our defenses! 

An example of where we can improve: some people enter their usernames and passwords into Google Forms. This is something the Google Forms all say to never do – right above the “Submit” button. 

It isn’t all their fault 

We’re all so busy. Who has time to carefully read instructions, especially when an email comes in with an urgent and import task? (Confession: I recently spent five days thinking I had COVID because I didn’t read the instructions on how to interpret the test.) 

The bad guys know this inclination and do a very good job of guiding us into hasty and ill-considered actions. 

Over-confidence is also a real problem 

In recent research from Oxford University, one of the top recommendations is: 

“CEOs should embrace what the authors call the ‘preparedness paradox’: an inverse relationship between the perception of preparedness and resilience – the better-prepared CEOs think their organisation is for a serious cyberattack, the less resilient their organisation likely is, in reality.” (“What do CEOs really think about cyber risk? First-of-its-kind study reveals all,”

I assert that we all need to be aware of this – namely, that the more confident we are in our preparedness for a cyberattack, the more likely we are to be proven wrong. 

I’m reminded of some decision-sciences research where hospitalized drivers who caused traffic accidents still believed themselves to be in the top percentage of safe drivers. 

At WashU, there are so many smart and successful people who are accustomed to success. I think this is an even bigger problem. In my case, I’m used to dealing with honest people who aren’t trying to take advantage of me, and I tend to give everyone the benefit of the doubt, adding to the danger. 

Some members of the community ask to be taken off our mailing lists for the SECURED! monthly newsletter, and others ask not to be included in our phishing simulations. For better or worse, the systems we use to deliver these awareness efforts make it difficult to remove people so long as they are affiliated with the university. Furthermore, the trustees and our executives didn’t charge the Office of Information Security with promoting the security awareness of everyone – except for people who find it annoying or aren’t interested. So far, most people feel our efforts are improving their awareness and defenses against attacks. 

Everything is getting harder! 

To date, the phishing simulations we conduct have mostly been relatively easy. Apart from when we used messages that impersonated real WashU people, we have seen good scores – both in terms of reporting the messages and not falling for them. 

Unfortunately, while the Office of Information Security has not yet engaged in simulations of WashU leaders and managers, malicious actors have not been so polite. Whenever possible, they try to do exactly this because they are much more likely to trick people into doing what they ask. 

We are fortunate to be in a position where we can employ ways to help the university community prepare for cyberattacks. Over the coming months, we will increase the difficulty of our phishing simulations in hopes of helping people learn to see through them and become less phish-able. 

What can IT do to help? 

About 5 years ago, we implemented DUO 2-Factor Authentication and enjoyed an extended period where WUSTL Key account compromises dropped to nearly zero. 

In 2022, malicious actors developed several ways to socially engineer (aka con us) around these defenses. So, we eliminated the use of DUO Passcodes in favor of “push 2FA,” and implemented a set of new email defenses, all of which dramatically reduced the problems we were experiencing. 

However, over the past couple of months, we’ve seen the bad guys once again figuring out ways around and through our defenses. So, over the next few weeks and months we’ll once again be introducing additional defenses, most notably “verified push 2FA” and FIDO2 token. We acknowledge in advance some of these defenses can also be phished, but the FIDO2 tokens are considered phish-proof. 

The introduction of verified push, FIDO2 tokens, and other initiatives should help dramatically reduce the number of account compromise attacks. But they do nothing to prevent many other phishing scams, ranging from romance scams, job “advanced fee” scams, and even just “send me some money via gift cards” or “money transfer app” scams. 

What can we all do? 

As always and at the risk of boring loyal readers, I encourage you all to be vigilant, skeptical, and a little paranoid.  

If your vigilance and skepticism make you wonder if an email is legitimate or not, please report it with the Phish Alert Button within Outlook, or if you don’t use Outlook, forward it as an attachment to The InfoSec team will analyze it and get back to you quickly. 

And the more urgency the message conveys, the more skeptical you should be! 

If that paranoia tells you that you may have already fallen for a phishing message, please contact the Office of Information Security for help at The sooner the better, as speed helps us limit possible resulting harm and damage. But it is also better to tell us later than never! 

Thank you for reading and for being members of the university’s Information Security team! 

Good luck and be careful out there!

-Chris Shull, CISO