Phishing voor Vlaamse besturen

Meet de weerstand van al uw personeelsleden tegen phishing aanvallen en versterk deze. Kom te weten hoe uw bestuur het doet t.o.v. andere gemeenten en steden. Mis deze unieke campagne die start in september 2016 niet!

KBC selected Krinos for their awareness campaign

"Krinos helped us to define clear objectives and measure the Return of Investment (ROI) of our awareness campaign. Because of their end-to-end managed service the campaign could startup very quick without the need to buy tools or train internal people." says Jan Nys, Chief Risk Officer, KBC Group

Gemeente Glabbeek investeert in cyberveiligheidsopleidingen

Gemeente Glabbeek omarmt digitale media met o.a hun website en de Glapp!. De Krinos Academy online trainingen blijken een leuke en efficiënte manier om hun personeel essentiële cyber security skills bij te brengen.

Krinos Academy User Awareness Solutions

End-to-end managed services that builds awareness in any organisation via our Attack-Train-Measure approach. Attacks offered are: Emails phishing, voice phishing, USB drops, physical inspections and IT penetration tests.


JAN 2016 – More and more organizations are performing email phishing exercises, often on a smaller scale. Organizations send out a phishing email and measure how many people are susceptible for this type of cyber attack. But only a few of them repeat phishing exercises on a regular basis. This is definitely a missed opportunity.

This article explains why repeating phishing exercises is so important for raising awareness.

Measure the effect of your awareness initiative

In security it is not easy to calculate return on investment, as it is difficult to predict the impact of an attack. But by measuring the effect of subsequent phishing exercises on people, through the amount of people that click on a suspicious link, you are able to see the evolution of clicks inside your organization. This is in essence the return on investment of your awareness initiative. The most common objective of a phishing campaign is to raise awareness by decreasing the click rate and increasing the reporting rate.


Evolution of click rate and reported rate in a Krinos Yearly Awareness Campaign

Do we need to phish all our employees?  We often get this question, especially in organizations that hold over 5000 employees. If your objective is purely to measure the level of awareness, you can start phishing a representative sample. But the truth is, you probably want to reach everyone if you are going to raise awareness. And you want to do it a few times a year in order to see the evolution. What you need to consider, is how many people inside your organization will report the phish via telephone. If this is 10% of your 5000 employees, your help desk ends up dealing with 500 phone calls, just for an awareness exercise. Careful planning and staggering the delivery of emails can help you.

How frequently do you need to reach your people? This depends highly on the awareness level of the organization, but research as well as our own experience indicates that you need to send out at least 4 emails a year in order to substantially decrease the click rate. Once you reach a certain overall awareness level, you can focus more on specific groups in your organization, as explained in the next point.

Focus on specific groups

You also want to repeat the phish as it allows you to focus on specific groups in your organization that seem more vulnerable to phishing attacks. Results by department or role often reveal, for instance, that sales people are more susceptible to a phishing attack. You will also see, when repeating the phish, that a small number of people will fall victim over and over again. This is what we call repeat offenders. It might be beneficial to focus on that group specifically. Besides vulnerable groups, you might also consider groups that form a bigger risk when they fall victim to a cyber attack. Not everyone needs the same awareness level. You expect someone with administrative privileges or access to direct payments to score a lot better on your phishing exercises. There is just so much intelligence to gain from repeating the phish.

Repetition is needed to change human behavior

And finally, we must not forget that we are dealing with a change in human behavior. Think about it, what we are asking from people is to look at an email differently. While reading emails and clicking on links has become a habit, we are asking people to adapt a new habit. To think before clicking. The only way to really achieve this is by repetition. We always say “Like computers, people need to be patched from time to time.”

Is it good or bad to repeat the same phishing scenario? We see often see the click rates of certain email scenarios are higher than others. Usually IT related scenario’s, especially if they relate to people’s personal situation, score very well. If you experience a scenario with high click rates (15% or more), you might want to repeat it after a while, as it helps you to train your people not to fall victim to that type of phishing attack. You can even repeat a scenario several times, but adjust it slightly. We usually remove some of the phishing indicators to increase complexity.


Choose Us

If you are looking for pragmatic security that goes beyond compliance based checkbox approach.

  • Cyber Strategy assessment & roadmap
  • Attack & train to built awareness
  • Invest security budgets better
  • One-stop: We talk and walk

Subscribe to our newsletter

I am interested in:

Happy Customers

Testimonial: sdworx Goes Phishing

SEPT 2016 - Like most companies nowadays, we’ve had our share of cyber incidents: virus infections, ransomwares, phishing emails, etc…... Read more

Wachtwoorden stelen: Kind & Gezin vertelt hun verhaal

OCT 2015 – Krinos Academy deed een phishing oefening bij Kind & Gezin. De dienst communicatie vertelt het verhaal in hun... Read more

KBC selected Krinos Academy for managing their email phishing awareness campaign.

AUG 2015 – KBC must be top-class in providing secure financial services to its customers. An important part of their... Read more

Gemeente Glabbeek traint college, bibliotheek, school en OCMW

MEI 2015 - De gemeente Glabbeek heeft de reputatie "innovatief" en "digitaal-minded" te zijn. Zo lanceerden ze een smartphone app... Read more