

Phishing With a Net: The NIST Phish Scale and Cybersecurity Awareness

April 25, 2023


Shanée Dawkins - NIST
Jody Jacobs - NIST


Orienting an entire organization toward sound security practices is an important but non-trivial undertaking. A starting point for many organizations is to build a robust security awareness program, training employees to recognize and respond to security issues to achieve long-term behavior changes. These organizations collect metrics that are used to evaluate the effectiveness of their security awareness programs, satisfy mandatory reporting requirements, justify additional resources, and demonstrate overall programmatic success. Phishing training programs are typically included as part of the security awareness program portfolio, using click rates as the sole metric to reflect staff proficiency in identifying fraudulent emails, and ultimately as a measure of the effectiveness of the phishing training program itself. This talk offers an additional metric for the individuals who oversee the phishing training in their organizations – a measure of the human element. In this presentation, we will introduce the NIST Phish Scale (NPS), a measure of human phishing detection difficulty. Created in 2019 using real-world empirical data, the NPS provides a metric – a phishing email difficulty rating – for phishing training implementers to gain a better understanding of the variability in click rates resulting from their phishing training exercises. In this talk, we will make the case that phishing training programs cannot be assessed in a vacuum, and that they must consider the human element when gauging the effectiveness of their phishing exercises and the progress of their awareness programs over time. Leveraging our combined 40 years of experience as security practitioners and human-centered cybersecurity researchers, we will provide concrete, real-world examples illustrating the use of the NPS and its outcomes.
Examples will be supported by a case study of applying the NPS to a federal organization and demonstrate the ability of the NPS to contextualize click rates. Finally, attendees will take away specific strategies for how they can improve their phishing training programs and ultimately the security awareness programs in their organizations. Attendees will be able to identify and act on the missing piece of their phishing training programs by addressing the human element in phishing detection, tailoring their phishing training to their unique environment and employees while still meeting their organization's mission and risk tolerance.
Created November 30, 2023