Case Study: Verizon DBIR Warns on Mobile Phishing - Know Your Risk

By Rebecca Merritt | July 2, 2019


The problem: According to the recent Verizon Data Breach Investigations Report (DBIR), as phishing click rates are going down, currently around 3%, phishing emails are becoming more and more sophisticated, and especially focusing on mobile usage.

As the DBIR explains, “Mobile OS and apps restrict the availability of information often necessary for verifying whether an email or webpage is fraudulent. For instance, many mobile browsers limit users’ ability to assess the quality of a website’s SSL certificate. Likewise, many mobile email apps also limit what aspects of the email header are visible and whether the email-source information is even accessible.

…The final nail is driven in by how people use mobile devices. Users often interact with their mobile devices while walking, talking, driving, and doing all manner of other activities that interfere with their ability to pay careful attention to incoming information.

This caught my eye -- I mean they have a really valid point. I can think of a million scenarios where I’m multi-tasking while doing something on my phone. Walking and texting, cooking dinner and emailing, scrolling Twitter/LinkedIn during a webinar (we’ve all been there). Why haven’t I thought about how at risk I am? I am an IT Risk Professional – this is always top of mind – so I just imagine that this never even crosses the mind of anyone in a non-security role.

Let's apply FAIR analysis

So, I had to take it upon myself and think through how I would run a FAIR analysis over this! First, let’s decompose the problem. If you’re not familiar with FAIR (the model that powers the RiskLens platform),  its sole purpose is to decompose the big question we all ask – how much risk do we have?

First things first – let’s scope it

Every FAIR analysis must include these elements:

Loss Event: How much risk is associated with a breach from an external malicious actor as a result of a phishing attack targeting smartphone users email accounts.

Asset: Email containing sensitive information

Threat: External Malicious Actor

Effect: Confidentiality

To decompose the problem, I start by asking the following questions:

  • How much sensitive data is on an employee’s email? Do they send out sensitive documents containing customer information, Excel files full of PHI or PII, or potentially keys to the kingdom?
  • What is the population of users that has sensitive data on their emails?
  • Do we know our company click rate for phishing emails? If not, can we use industry data like the DBIR?
  • What type of data is within emails and how many records should we be concerned with?

The solution

Time to run a FAIR analysis.  We know from the DBIR that the current click rate is around 3%. I used that as my most likely rate and created a range around it to account for the fact that people are most distracted, multitasking more, and may inadvertently click on a phishing email while on their phone. I also took the phishing emails that actually make into the user accounts--see below for my calculation breakdown:

From there I calculated Vulnerability and the Magnitude for this scenario (see the FAIR model diagram above). Note: FAIR defines Vulnerability differently from general usage in cybersecurity ( learn more about Vulnerability). When it comes to the Magnitude side of the model I estimated that the following forms of loss would come into play: Primary Response, Secondary Response, Secondary Fines & Judgements, and potential for Secondary Reputational Damage.

After entering the data in RiskLens to perform a risk analysis, I got the following results.

The Annualized Loss Exposure tells us that most likely within a given year this will not happen but there is still a chance that it could materialize given our data inputs.

The per event metrics help us understand how often this could potentially happen, based on our inputs and when and if it does happen how much it could cost us. We could expect to see lower losses on the Magnitude side given that they are mobile devices and we would expect there to be fewer records than if we were focusing on a database. I could easily iterate this analysis...

The bottom line is that there are so many ways to break this down and run through the problem. This is just a glance into what happens in my head when I read new information on emerging risks!