Scope Document

I had originally met with my SME for this project, Gary Flynn, about 1 month ago to discuss it. He and I had just finished the bulk of our work on the IsItReal phishing training for JMU and I explained my upcoming project and asked if he had anything in mind that he needed training on. We talked about a particular project that he was needing help with and I began doing some storyboards and working on some mock-ups. Last Thursday we met again and discovered that there was another much more pressing need that he would like training created for. So…we have tabled the initial idea and have decided instead to focus on a training for a new Identity Finder system.

The system will be used to self-search selected individuals’ computers for SSNs and credit card numbers. There are certain individuals on campus who are required to gather and store secure information and the system will make sure that it is being stored in a secure location. It will be an interactive training that will include an awareness portion describing why we need the system and then a how-to portion on how to run the program and what to do with the results.

I will work with the JMU IT Security team on this project.


2 thoughts on “Scope Document”

  1. Sounds like a useful project for your own practice and for JMU. I’ll be interested in seeing how you approach this.

    I’m also interested in what kinds of metrics you’re using to determine if your phishing training is effective. I always wonder how much people really absorb in those online sessions…are you seeing a decrease in the number of people who click through?

  2. In regards to the IsItReal campaign we are limited in the analytics we are able to gather so it makes tracking things a little difficult. If it was a required training for all faculty/staff/students then we could simply track click throughs before and after. Since it is not required though the only way to track would be to see who clicked on a phishing link and then check to see if they completed the training.

    What we have been able to do is some controlled testing in our labs. The training is designed to be done by an individual but we have offered the training a few times at the end of a class and given everyone a clicker. If they think it is a real link they click 1; if they think it is phish they click 2. We usually see around 30-40% incorrect answers when we start the training and 0-10% incorrect when we finish. However, it could be argued that the questions in the 2nd half are easier, although I personally do not believe this to be true. We also have sent the training out to 20-30 faculty/staff/students for feedback and we got quite a few that stated they were unaware of the trick we taught on how to locate a domain name.

    The biggest hurdle we see right now is getting the community aware of the training and getting them to go in and complete it. We have heard of a few departments using it during meetings and of a gen ed business class requiring students to complete it but the training is designed to be gone through individually and not as a collective group.
