
An RPA-powered Simulated Phishing Campaign Solution for Assessing Human Susceptibility

Dimitra Papatsaroucha, Dimitrios Kapouranis, Nikolaos Papachatzakis, Evangelos Markakis

Year: 2025
Citations: 1

Abstract

The rise of social engineering attacks continues to pose a significant threat to individuals and organizations. In recent years, research has focused not only on developing effective cybersecurity defense strategies and mitigation approaches, but also on assessing an individual’s awareness of and susceptibility to such attack scenarios. Several approaches have been used. These range from traditional methods, such as questionnaires designed to evaluate risky cybersecurity behavior and susceptibility to persuasion, which constitute a rather more static way to assess human susceptibility, to more contemporary practices, such as Simulated Social Engineering Campaigns, involving Phishing Campaigns and similar techniques. Simulated Phishing Campaigns offer the advantage of proactively identifying human-related susceptibility to phishing in a realistic manner, hence aiding in the prevention of real-world cyberattacks before they occur. However, more often than not, they require human intervention, which can be time-consuming and costly as well as prone to error. This paper proposes the use of Robotic Process Automation (RPA) to automate Simulated Phishing Campaigns and, thus, enhance their efficiency and effectiveness. The proposed solution includes a user interface and back-end logic that automates the process of sending phishing emails and enumerates recipients’ interactions in order to assess phishing awareness. Furthermore, the proposed system is designed to eventually also include the result of a persuasion susceptibility assessment, with the aim of combining human vulnerability assessment approaches, co-presenting their results, and drawing a more complete picture of an individual’s vulnerability. To assess the proposed system, a realistic use case scenario was employed to conduct an experiment in a lab environment, demonstrating the potential offered by RPA technology in automating Simulated Phishing Campaigns and thus enhancing phishing awareness assessment strategies.

Keywords

Phishing; Vulnerability (computing); Process (computing); Persuasion; Social engineering (security); Automation; The Internet
