Cyber security is often thought of as a defensive exercise. It is often thought in terms of preventing threats gaining access however in considering malicious emails I wonder whether there might be a slightly different way to think about it.
My concern is this; If in our cyber defence we do a really good job and prevent malicious emails, such as the all too common phishing email getting through, then we could potentially create a work force who are unfamiliar with phishing emails. Our defences may create a situation such than when a phishing email eventually does get through, and this is pretty much guaranteed, the recipients are ill prepared to identify it as malicious and respond to it accordingly. Our defences create a more vulnerable user base. I also would suggest that an expectation of 100% successful filtering if naïve; Our filtering solutions are simply not that good combined with the fact cyber criminals are constantly adjusting their approach to bypass common filtering solutions and approaches.
Now to be clear, I am not proposing no defence against malicious emails. What I am suggesting is that having filtering which is at least slightly porous, allowing some malicious emails through may be preferable in developing users who are more aware.
I suspect some may argue that awareness is developed by training and awareness campaigns, etc, however I would suggest that these are all proxies for exposure to the real thing, and for learning to deal with the real thing. Again, I am not saying that we shouldnt have any awareness training, in fact I am a firm believe in the critical importance of awareness training, I am simply suggesting that training is not as effective as real life events.
The challenge with the above is the level of porosity. As I suggest, not porous enough and the user base may be ill prepared however equally defences which are overly porous will simply expose users to a great volume of risk through a greater volume of malicious emails. Once again the challenge relates to achieving balance and to managing risk.