Aug 2022-Feb 2023
Health Canada, IT Security Division
UX Research, Government
User Researcher in the Education and Awareness Program
While working at Health Canada in the IT security department, I worked on a cybersecurity initiative that created a phishing simulation campaign using the Terranova Security platform to identify weaknesses in Health Canada employees’ cybersecurity awareness.
It involved designing and deploying realistic phishing scenarios, gathering and analyzing usability testing data, and using the results to determine the next steps forward in employee training.
I was an IT Security Education and Awareness Researcher and reported to and collaborated with my supervisor. I gathered background research on Terranova Security and Health Canada and created employee user personas alongside their journey maps. I also collected the results of the usability testing from the phishing campaign and compiled the result data into a reporting dashboard.
The project was handed off to my colleagues after my departure in February 2023. Due to my work within the Government of Canada, I cannot disclose proprietary information related to this project. Confidential data such as screenshots, employees' simulation result data and other protected details are omitted. This case study is a reflection of my research process and the takeaways I learned.
In 2022, I was a part of a team in Health Canada that identified a need to step up employee education and awareness regarding phishing scams, which became more concerning during the COVID-19 pandemic.
Phishing remained one of the major concerns during Cyber Security Awareness Month 2022, given its place among the top threats to an organization's digital security. The number of phishing reports reaching the IT security department kept increasing, despite reminders and awareness campaigns run by IT.
These phishing scams not only exposed sensitive information but also posed a significant risk to the integrity of Health Canada's systems. The IT Security Department then realized that previous mass emails and generic training materials were not sufficient to deal with the problem.
What was needed was a much more focused, engaging, and hands-on approach to arm employees with the skills needed to recognize phishing attempts and take proper action. The goal was to move cybersecurity awareness from knowledge to action using realistic phishing simulations.
When we talked with Terranova Security as a potential host platform for the training course, their research showed the extent and cost of phishing attacks, supporting the need for rigorous training. It is estimated that 3.4 billion malicious emails are delivered daily, and organizations that have fallen victim to phishing suffer adjusted losses of more than $2.4 billion annually, or $17,700 a minute. Such statistics make a clear case for equipping employees with the knowledge and tools to recognize and report phishing attempts, since even a single click can have heavy repercussions.
Other cybersecurity training platforms we met with reported that phishing training significantly lowers the risk of phishing attacks and that most organizations reduced their susceptibility with systematic awareness programs. With most data breaches having a human component, education needs to be constant so that employees can identify the signs of a phish, know the reporting protocols and recognize common scenarios, protecting the greatest amount of information.
Before establishing a phishing simulation campaign, I was tasked with identifying gaps in the existing employee cybersecurity awareness training courses and materials.
One of the materials I analyzed was a course called Security Awareness (COR310) that is mandated for all public servants, offered by the Canada School of Public Service. This course provides basic knowledge on the protection of government information, assets and people, and the eight security controls outlined in the Policy on Government Security.
Even though this course gives an overview of cybersecurity fundamentals, I noted that there are some gaps in the course content, especially in the aspect of phishing awareness:
- Does not contain in-depth materials regarding phishing or the types of phishing attacks that government employees are targeted with.
- Does not give employees realistic ways of identifying and responding to phishing threats.
Given the widespread use of phishing in cybersecurity breaches, this gap made clear the need for a more focused approach to training employees through consistent and interactive materials.
This discovery prompted the suggestion to enhance the employee training with a phishing simulation campaign in order to engage employees and improve their ability to identify and report phishing attempts.
My supervisor and I spoke with three competing cybersecurity training platform vendors before selecting Terranova Security based on:
- Phishing scenarios that are customizable and tailor simulations to suit various organizational needs.
- Advanced reporting features that track employee interactions with phishing attempts and effectively analyze them.
- Automated feedback mechanisms that provide employees with immediate feedback with actionable insights into improving their performance.
These advantages made Terranova Security the best fit for our scalable and efficient phishing awareness model.
To effectively implement phishing awareness training at Health Canada through Terranova, I sought to:
- Determine the pain points in recognizing phishing scams by employees.
- Assess the usability of the phishing simulations and their effectiveness in improving cybersecurity awareness.
- Analyze behaviour patterns when employees encounter phishing emails.
- Evaluate the effectiveness of different simulation designs (levels easy, medium, hard) over time.
Once our goals were identified, I developed user personas and journey maps to gain insight into the diverse needs and behaviours of Health Canada employees.
The phishing simulations were executed over several months for Health Canada employees via the Terranova Security platform. These simulations were designed to reflect actual phishing situations, becoming increasingly complex so that employees could build their phishing detection skills.
*As mentioned in the Overview, due to protected information I cannot share the employee result data of the phishing simulation campaigns.
I recorded the results of the phishing campaign in a reporting dashboard using the following structure:
There were notable insights, and distinct detection rates, when employees were faced with phishing emails of different difficulty levels:
- A significant decrease in click-through rates was observed as campaigns progressed, indicating that employee phishing awareness was improving.
- The simulations show the need for continuous and targeted training. Individualized feedback and ongoing monitoring are important because of repeat offenders.
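As an added illustration (not from the original case study or the Terranova platform), the following Python computes the dashboard figures the findings above refer to from constructed sample records: click-through and report rates per campaign and difficulty level, the click-rate trend across campaigns, and the repeat clickers who warrant individualized feedback. The record layout and the sample values are assumptions.

```python
from collections import defaultdict

# Constructed sample results (not Health Canada data); campaigns c1..c3 ran in order with rising difficulty.
SAMPLE_RESULTS = [  # (employee_id, campaign, difficulty, outcome)
    ("e01", "c1", "easy", "clicked"),
    ("e02", "c1", "easy", "reported"),
    ("e03", "c1", "easy", "clicked"),
    ("e04", "c1", "easy", "ignored"),
    ("e01", "c2", "medium", "clicked"),
    ("e02", "c2", "medium", "reported"),
    ("e03", "c2", "medium", "reported"),
    ("e04", "c2", "medium", "ignored"),
    ("e01", "c3", "hard", "reported"),
    ("e02", "c3", "hard", "reported"),
    ("e03", "c3", "hard", "ignored"),
    ("e04", "c3", "hard", "reported"),
]

def campaign_metrics(results):
    """Per-campaign click-through rate (clicked/delivered) and report rate
    (reported/delivered), the two series a dashboard plots per difficulty."""
    counts = defaultdict(lambda: {"delivered": 0, "clicked": 0, "reported": 0})
    difficulty = {}
    for _emp, campaign, level, outcome in results:
        difficulty[campaign] = level
        counts[campaign]["delivered"] += 1
        if outcome in ("clicked", "reported"):
            counts[campaign][outcome] += 1
    return {
        c: {"difficulty": difficulty[c],
            "click_rate": round(r["clicked"] / r["delivered"], 3),
            "report_rate": round(r["reported"] / r["delivered"], 3)}
        for c, r in counts.items()
    }

def repeat_clickers(results, min_campaigns=2):
    """Employees who clicked in at least `min_campaigns` distinct campaigns:
    the group the case study singles out for individualized feedback."""
    clicked_in = defaultdict(set)
    for emp, campaign, _level, outcome in results:
        if outcome == "clicked":
            clicked_in[emp].add(campaign)
    return sorted(e for e, cs in clicked_in.items() if len(cs) >= min_campaigns)

def click_rate_trend(results):
    """Click-through rates in campaign order; a falling series is the
    'decrease as campaigns progressed' signal the case study reports."""
    metrics = campaign_metrics(results)
    return [metrics[c]["click_rate"] for c in sorted(metrics)]
```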
© Isabella Joao, 2024