Keeping Information Security Simple – “The Right Phish at the Wrong Time Can Catch Anyone”

Letter from the CISO, Vol 3 Issue 4

Washington University Community:

How likely are you to click?

A few years ago, I advised a company to conduct its first email phishing simulation, otherwise known as a “phish test.” The systems administrator enthusiastically crafted a test message that used a logo from the company’s website, included vague but urgent language about the need to click a link to reset your password due to a cyber-attack, and signed generically as “IT Help Desk.”

Normally I would have expected approximately 25% of users to click the link since the company had sent little security awareness training or communications.

Much to my surprise, nearly 45% of users clicked, including 55% of IT employees! The company leadership was shocked and quickly agreed on the need to teach users the markers of suspicious emails.

The lack of training and awareness was certainly part of the problem, but the truth was that the phish test message was the “right phish at the wrong time” for this company.


The phish test email about the need to change passwords came shortly after the company had in fact suffered several cyber-attacks and followed two legitimate company-wide password resets in just 2 months, numbing people to the fact that such resets should be rare.

The right phish at the wrong time

The title of this column is credited to Dr. Jessica Barker, Co-Founder of Cygenta, in a presentation earlier this year.

In her presentation, she highlighted the importance of building a culture of security awareness with intrinsic motivations for secure behaviors.

That’s why I always explain the how and why of information security in simple terms, and, at the very least, understandably, with straightforward steps everyone can follow.

One of the most important things any organization can do to foster security awareness, behaviors, and culture is to have its most senior leaders emphasize their importance. At WashU, our mission and strategy depend on having reliable and secure information systems, services, and technologies. I’ve been very impressed by the resources, time, and effort senior university leaders devote to supporting our efforts to improve WashU’s security posture.

Don’t suffer from the Lake Wobegon Effect

The Lake Wobegon Effect, named from the long-running PBS radio show “Prairie Home Companion,” refers to the host’s repeated assertion that in the fictional town of Lake Wobegon, all children are above average.

Another name for this is “Illusory Superiority,” where people very often over-estimate their own competence. This phenomenon is compounded by the fact that the less knowledge and expertise people have in an area of competence, the more confident they are in their ability.

Winning hearts and minds

The most central goal of our Security ABCs (Awareness, Behavior & Culture) Program is to build a trusting relationship with all of you and the Information Security team by providing:

  1. Psychological safety, e.g., you won’t get in trouble if (when) something bad happens;
  2. Empowerment and engagement, e.g., you have the knowledge and ability to address problems when the arise; and
  3. Listening to and hearing one another’s questions and concerns, where people can ask about things they don’t understand, complain if security controls are hindering their work, receive explanations, discuss alternatives, and benefit from improvements that enable their work.

One of my personal goals is to enable everyone to take actions that reduce the risk of contributing to cyber security problems by making cyber security principles and defensive actions simple, or at least straightforward and understandable.

Call to action:

In my August letter, I challenged everyone to reach out to friends and family to create your own network of cyber security buddies.

This month, my call to action is to not be overconfident in your ability to detect a phishing message, malicious website, or other dangerous cyber threat. Please report suspected phishing messages via the Phish Report Button in Outlook.

If you are worried that the “right phish already came to you at the wrong time,” and you may have already fallen for it, please contact the Office of Information Security for help at

Thank you for reading and for being members of the university’s Information Security team!

Good luck, and be careful out there!

-Chris Shull, CISO