A 2005 article in the Educause Quarterly that discussed the West Point Carronade provides one of the best examples of the need for automated systems to monitor content that is sent through e-mail.
At the beginning of each semester, cadets at the U.S. Military Academy at West Point receive four hours of classroom instruction in information assurance and network security. The goal is to make cadets aware of the critical need to maintain good security practices when using e-mail and other network resources.
However, the academy felt that it needed to improve e-mail security awareness, despite the fact that the National Security Agency has classified it as a Center of Academic Excellence in Information Assurance Education.
West Point decided to test the effectiveness of its training using a group of 512 cadets who were randomly selected to participate in an exercise. The exercise consisted of a bogus e-mail sent to each cadet a few weeks before the end of the semester. The e-mail, sent by a fictitious colonel with an office location that does not exist, told the cadets that there was a problem with their grade report and asked them to click on a hyperlink in order to take further action. The hypothesis was that three-quarters of the cadets would click on the hyperlink.
The result? 80% of the cadets clicked on the link (90% of the freshmen in the exercise did so).
As I see it, there are two important takeaways from this exercise. First, no reasonable amount of training will prevent inadvertent errors or lapses in judgment if employees are faced with a well-constructed and logical e-mail that turns out to be a phishing attack. Providing enough training to prevent the majority of employees from clicking on a link such as the one in the example above would rob an organization of a great deal of productive work that employees might otherwise generate.
Second, there is a critical need for automated systems that can prevent inbound threats from entering the network in the first place. For those threats that do make it through, automated outbound filtering systems need to be in place to catch employees clicking on bogus links, sending sensitive information, etc.