In a recent Wall Street Journal interview, Adm. Mike Rogers, the Director of the NSA, suggested that people who fall for spearphishing attacks, such as the four people who compromised the Joint Staff, should be subject to court-martial.


He drew this analogy:

If someone had said to me, “Hey, it’s lonely on post. It’s the middle of the night out in the middle of nowhere. I just pulled my gun out because I wanted to quick draw,” we would never accept that. So why are we willing to accept this kind of behavior in the cyberworld?

The problem with this analogy is that it relies on many unstated assumptions about human behavior to conclude that being deceived by an email is the same as carelessly playing with a weapon. As we observed in our paper, “Combat ID in Cyberspace,” it is easy to apply the tools of psychology to email for the purpose of deception. Users need a tool to detect deceptive emails. That tool is SP Guard from Iconix.