What Carronade really tells us about social engineering
I've been asked quite a few times in the past few days what I think about the Carronade project. This was a test of how well training could overcome some types of social engineering, and it's sometimes cited as being proof that security awareness training isn't worth doing because it doesn't seem to work.
I think that what was found in the actual Carronade project doesn't support this claim. Here's why.
In the Carronade project, 512 randomly selected West Point cadets received a test phishing message. Here's a summary of what happened:
80 percent (more than 400) of the cadets in the sample clicked on the embedded link. Even with four hours of computer security instruction, 90 percent of the freshmen clicked on the embedded link.
But the phishing message that the cadets received was crafted to look like it was from a (fake) senior officer on the West Point staff. Part of the military culture is to take orders from superior officers without hesitation or questioning the validity of the orders. And because this phishing attack took advantage of that particular part of military culture, I'd say that the results of the attack aren't really the sort of thing that can be extended to more general settings. At least not in a meaningful way.