
I wouldn't be so quick to judge their lack of ability - it seems pretty hard to prevent spearphishing among a broad set of non-technical users.

Training would ideally involve the organization testing by spearphishing their own employees internally like a lot of security companies often do:

http://www.darkreading.com/end-user/how-lockheed-martin-phis...




Cryptolocker spreads with a really stupid email message, and an attachment you have to extract and then execute. You have to be incredibly technically inept to get hit with it.


So let's say you have to be so inept with computers that literally 98% of the population is more competent on them than you. If you hire 40 people, you have a better than 50% chance of getting someone that inept.


This is only true if your hiring method is "select people at random and draft them into working for you". Suppose I chose any 40 people who were currently developing software for Microsoft. What are my chances of getting one person among those who is at or below the 2nd percentile of computer literacy?

Followup questions:

How does Microsoft avoid hiring people below the 2nd percentile in computer literacy? They have way more than 50 developers.

Should the police force screen applicants in any way?

Is using a computer part of a police officer's job?

Are the police even able to compel randomly-chosen people to work for them? If not, the premise of your numbers is fatally flawed.


It's true, my numbers are flawed. Though I would ask, flawed in what way?

Is it more or less likely? The police don't hire on technical skill, presumably people of high skill in this area end up in different careers?

The accuracy of the numbers is, frankly, unimportant. What I was illustrating was the multiplicative effect, which remains relevant. I freely admit the numbers themselves were made up.


Well, you're right about how independent probabilities combine. But the situation you describe has so little relationship to hiring that I don't see how it's relevant to anything. In general, I don't expect to see someone at the 2nd percentile of ability holding down a job at all. Even very basic screening will keep them away with great reliability, because they're so far out of the norm. So I don't see this as a case of "sure, I made up figures that might be off by a factor of 10-100", I see this as you describing a situation utterly unrelated to any aspect of reality I'm familiar with. You can't just make some numeric tweaks to the model; the whole thing is fundamentally at odds with what you're trying to describe.

Now, it's definitely not true that you have to be below the second percentile to get phished: http://www.locusmag.com/Perspectives/2010/05/cory-doctorow-p...

But if it were true, phishing would be largely a nonissue for workforces (other than the police, who often do set ultra-low thresholds for their screening).


>But if it were true, phishing would be largely a nonissue for workforces (other than the police, who often do set ultra-low thresholds for their screening).

I think you and I are on the same page.

I am curious why you think I'm off the mark; even if people under the 2nd percentile are less likely to get hired, it doesn't really change the math. It's the same as saying: "but it's only people under the first percentile!"

Side note: I feel that 150 million people are employable in professions that don't require a competency with computers. At the very least I'm grateful that same property doesn't apply to carpentry or construction. As I'm easily in the first percentile for these trades, I'd NEVER get a job. I can't even hang a picture! Why does it always go wrong? T.T


I thought it was spreading with HMRC notices and fake invoice corrections?

The ones I've seen are pretty good, all the lingo is correct. They're pushing all the right buttons in the email which would immediately get an accountant or business owner to open it to find out what was wrong.

The only obvious warning sign is the zip attachment.


What's bad about .zips? Surely it's the .exe that's the issue.


Compression can obfuscate the virus from being easy to detect and therefore is more likely to arrive at its destination. There are tricks which can crash anti-virus applications that try to open specially crafted zips once it is on the user's computer.


Yea, but CryptoLocker generally uses a zip attachment with an exe file.
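As an added defender-side example (not code posted by anyone in this thread), a small Python check for the warning sign the thread settles on: a zip attachment carrying an executable, including the "Invoice.pdf.exe" double-extension trick, plus a crude compression-ratio guard against the crafted archives mentioned a few comments up. The member names, extension list and ratio threshold are assumptions; the sample archive is constructed inline.

```python
import io
import zipfile

# File types Windows runs directly on double-click (assumed list, extend as needed).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Flag members whose claimed uncompressed size dwarfs their stored size
# (assumed threshold; a crude guard against decompression-bomb style archives).
MAX_RATIO = 100


def inspect_zip(data: bytes):
    """Return (member_name, reason) findings for a zip archive given as bytes.

    Only the central directory is read; nothing is extracted or executed.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.filename.endswith("/"):
                continue  # directory entry
            base = info.filename.lower().rsplit("/", 1)[-1]
            parts = base.split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            if ext in EXECUTABLE_EXTS:
                # "invoice.pdf.exe" has three parts: a decoy extension before the real one.
                reason = "double extension hides executable" if len(parts) > 2 else "executable member"
                findings.append((info.filename, reason))
            if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
                findings.append((info.filename, "suspicious compression ratio"))
    return findings


def build_sample() -> bytes:
    """Constructed sample: a lure archive with a disguised exe, a benign note and a bloated filler."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Invoice_Correction.pdf.exe", b"MZ" + b"\x00" * 64)  # fake PE header
        zf.writestr("notes.txt", b"please see attached")
        zf.writestr("filler.dat", b"\x00" * 200_000)  # compresses ~1000:1
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in inspect_zip(build_sample()):
        print(f"{name}: {reason}")
```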



