Phish tests aren't like fire drills

May 30, 2024

Google recently wrote a (blog) article, On Fire Drills and Phishing Tests, which discusses the early history of what we now call fire drills. As the article covers, the early "fire evacuation tests" focused mostly on how individual people performed, complete with telling people that things were their own fault for not doing the evacuation well enough. It then analogizes this to the current way "phish tests" are done. As I read this, I had a reaction on the Fediverse to the general thought of fire drills and phish tests:

In re comparing fire drills to phishing tests[1], if phishing tests were like fire drills, they would test the response to a successful phish. Was the person phished able to rapidly report and mitigate things? Do the organization's phish alarms work and reach people? Etc etc.

Current "phishing tests" are like testing people to see if they accidentally start fires if they're handed (dangerously) flammable materials. That's not a fire drill.

The purpose of fire drills is to test what happens once the fire alarm goes off and to make sure that it works. Do all of the fire alarms actually generate enough noise that people can hear? Are there visual indicators for people with bad or no hearing? Can people see (or hear) where they should go to get out of the building? And so on and so forth. In other words, fire drills test the response to the problem, not whether the problem happens in the first place.

(They also somewhat implicitly test if people respond to fire alarms, because if people don't you have another problem.)

As I mentioned in my Fediverse post, current "phish tests" aren't doing anything like this. Current "phish tests" test whether people recognize phish messages and refrain from responding to them (and then blame people if they don't handle the phish right, which is one of the things that the Google article is calling out). A "phish drill" that was actually like a "fire drill" would test all of the mitigation and response processes that you want to happen after someone falls for a phish, whatever those processes are. Of course, one awkward aspect of testing these processes is that you actually have to have them, and they need to be made effective. But this is exactly why you should test them, just as part of the reason for fire drills is to make sure you have enough alarms, evacuation routes, and so on (and that they all work).

(I personally think that current blame-the-person "phish tests" are counterproductive in an additional way not covered by the Google article, but that's another entry.)

Comments on this page:

+1. A previous organization had an actual fire, and I'm not sure the 'phish tests' prepared them for that. Phish tests tried to train people not to unlock the vault, but the attackers had copied the key already.

(Afterward, the organization updated their MFA, moving from yes/no push notifications to requiring the 2-digit code from the push notification. The attackers had 'bypassed' MFA by spamming yes/no pushes until, accidentally or otherwise, the victim hit Approve.)

By Andrew at 2024-05-31 17:12:54:

I thought the purpose of fire drills was to acclimatize people to following instructions without conscious thought. So, even more the polar opposite of phish tests.

By jeanne at 2024-05-31 21:06:29:

The purpose of fire drills is to test what happens once the fire alarm goes off and to make sure that it works. Do all of the fire alarms actually generate enough noise that people can hear? Are there visual indicators for people with bad or no hearing?

No, the purpose of a drill is not to test that the system works. Nor, in my experience, that it's sufficiently loud or visible. That stuff's all done via professional system tests, monthly and/or annually. In the Ontario university I attended (not in Toronto), those were scheduled around 5-8 a.m., when students were unlikely to be present; signs were posted in advance, saying no evacuation would be required (unless the system sounded continuously for some amount of time, or an evacuation was explicitly announced via P.A., or whatever).

I once watched the annual test, which was quite thorough. In one phase, all audible/visual alarms were disabled. One fire-alarm-company employee stood by the alarm panel with a radio, while another employee pulled every single pull-station. They'd confirm via radio that it showed on the panel, with a correct location-indicator, after which the station would be reset with the key. Another phase of the test involved the alarm being activated while someone checked every bell and strobe-light.

Fire drills, by contrast, are done without any general warning; and, like tests, usually without fire departments responding. In Ontario, they happen in workplaces and primary/secondary schools. Managers and teachers might be told in advance, but are not supposed to announce it; the purpose is explicitly to test the response from a surprised state. Nobody ever collected feedback from students or low-level employees, such as asking whether everyone heard it; rather, they'd give us feedback ("the evacuation time was a little high, because you wasted time by swiping badges at the employee gates; those are to be pushed open in an emergency, or avoided by using the emergency exits").

Drills are not done in most residential occupancies, contrary to popular belief—some people seem to think any alarm with no fire was a drill, even if it was in the middle of the night and several fire trucks responded, but no apartment I've lived in has ever done a drill for tenants. I don't know whether they're required in university residences, but it was a moot point when I lived there: we never had a long-enough streak without a false alarm and full evacuation.

As for "phishing tests" at work, my problem was that they inevitably looked like a normal employer e-mail for which my employer actually wanted a response. Several times a year I'd forward one to the security department, and it'd go something like: "Hey, this 'annual training' e-mail comes from and has links to some outside domain and says I'll need to log in with my employee password; it looks like an obvious scam, and you'd better block the domain"; "No, actually, that one's legitimate, and if you don't complete it soon it'll be escalated to your manager".

Written on 30 May 2024.
Last modified: Thu May 30 23:01:59 2024
