European Cyber Resilience Research Network

Helping enterprises strengthen the Human Network of their organizations against Cyber Threats

Towards cheaper and more effective phishing awareness

During his Modular Executive MBA Business & IT, Sheraz Ali (35) developed a method to pinpoint which employees are vulnerable to phishing. It earned him the Best in Business Award. ‘Targeted training of employees saves up to 70% of the education budget. And it’s more effective.’

Cybercrime is booming. There’s more money circulating there than in the worldwide drug trade. According to Sheraz Ali, managing partner of GBS Consultancy, organizations mainly protect themselves against cybercrime using hard technology. The psychological vulnerability of employees is hardly given any attention. ‘About 95% of a company’s security budget is spent on software, such as firewalls. Only a fraction is used to create awareness among employees on the dangers of phishing. Meanwhile, humans are the weakest link in the security chain: it only takes one colleague clicking a phishing link to give hackers access to your company.’

Phishing Awareness
Underinvesting in phishing awareness is understandable, says Sheraz Ali. It’s expensive to train all your employees. ‘Due to the cost of education, but also because they’re then not available for your customers. On top of that, it’s difficult to measure whether or not they’ve actually become more aware of the risks after such a broad training.’ Based on the five-factor model, Ali developed a method using personality traits to identify which employees are vulnerable to phishing. ‘Especially curious people who are keen to help others are susceptible.’

Customized training
Employees in need of education are given tailor-made training. ‘Are they insufficiently aware of the company’s security policy? The training will then emphasize exactly that.’ An impact assessment showed that employees who followed such a customized instruction were less susceptible to suspicious e-mails. Ali: ‘I set up a cost-benefit analysis. It turns out organizations can save up to 70% using this method, since they’re only training the people who need it.’

The jury’s verdict
A splendid result, the Best in Business Award jury decided. That’s why they chose Sheraz Ali’s research over the three other nominated theses and rewarded it with the Best in Business Award. The jury underlined how the entrepreneur had spotted a worldwide problem, relevant to governments, organizations and private individuals alike. They lauded the developed method as easily applicable for companies, proven to be effective and cost-reducing since it targets only relevant employees for training.

Sharing knowledge
Sheraz Ali has developed the method into a business model, thanks to the tools from his MBA course. For him, the Best in Business Award is an acknowledgment that he’s on the right track. ‘I’d like to contribute to more security and it gives me great satisfaction that I concluded my MBA course with a product that concretely helps organizations defend themselves against hacks.’

Best in Business Award
The Best in Business Award (BiBa) is handed out twice a year during the graduation ceremony for participants in the Modular Executive MBA program. The theses are judged on relevance, topicality, originality, applicability and their business detail. This time the jury consisted of Wim Assink (Managing Director Banking Review), Hans van Vliet (partner Deloitte Consulting BV), Karin van Willigen (Managing Director Oost NV), Gea Cramer (HR-manager Rabobank IT) and Loes Biewinga-Pennings (Research & Start-up business support model).