PRD: Phishing Education Suite

Context

(Same as Concept Brief)
From a security perspective, people are the weakest link within an organization: they are prone to social engineering, phishing attacks, distractions, and mistakes. Automated systems such as Abnormal try to provide a robust defense against these types of attacks, but email security is an ongoing game of cat and mouse between attackers and security systems, and there is never a guarantee of 100% coverage.
Because of the adversarial nature of security, it is inevitable that some novel attacks will bypass Abnormal’s algorithms and appear in employee inboxes. However, most employees have no idea they are susceptible to such attacks and have little to no formal training in identifying, reporting, or mitigating them.[0]

The Problem

(Same as Concept Brief)
85% of business cybersecurity breaches last year went through a human, often through social engineering or impersonation.[1] This isn’t particularly surprising considering that only 20% of organizations administer any form of phishing training.[2] The average data breach costs an organization upwards of $4MM.[2]
Lack of basic email security training for employees presents an enormous liability for companies of all sizes: if the people responsible for sensitive information and finances are not actively looking out for threats, they become an ineffective last line of defense. This is a critical issue because in the long run there will always be threats that bypass algorithmic security solutions and prey on human nature.

Competitive Landscape

Spending on cybersecurity awareness training is poised to hit $10B by 2027, growing 13% YoY.[5]
KnowBe4, a decade-old tech company whose core offering is cybersecurity awareness training, has a market cap of $3.3B and annual revenues exceeding $60M.
KnowBe4 is the main incumbent in the space, with several competitors having both a cloud security offering as well as security awareness training, including Proofpoint ($10B market cap), Mimecast ($5.2B market cap), and Cofense, which was bought by a PE firm in 2018 for $400M.
All the existing players in the space are old and innovate slowly. Additionally, email security awareness is an offering that is tightly coupled with cloud security solutions. Why would Proofpoint let KnowBe4’s educational phishing attempt through when they can have their own native solution?[6]
Thus, competitors aren’t a major concern for this product offering.

Goals

(Same as Concept Brief)
There are 2 objectives with this product:
1. Abnormal clients have a goal of improving the security posture of their organizations and their employees. The goal of the Phishing Education Suite is to train employees to effectively identify and avoid email threats. We want to build employee confidence when it comes to email security, encourage communication with SO teams, and establish habits that mitigate phishing attacks.
2. Abnormal’s goal through the Phishing Education Suite is to drive additional value for existing customers to increase net dollar retention by increasing upsells and decreasing churn.

Success Criteria

(Same as Concept Brief)
External KPIs (what makes the clients successful):
- A high organizational ESS*
- A consistently increasing organizational avg ESS
- A consistently increasing organizational minimum ESS
*Exact numbers for successful ESS scores will be discovered as we get more data from clients.
Success for the client means an increase in awareness and responsiveness from their team on various email security threats. Our client’s SO teams should feel empowered and confident that their coworkers are consistently improving.
Internal KPIs (what makes this product successful):
- An increase in net dollar retention as a result of:
  - An adoption rate of >30% in the first month of launch
  - An adoption rate of >70% in the first 6 months after launch
  - A decrease in MoM churn in customers who’ve activated this product

Ideation Clients

These are clients that we’ve heard first-hand want to be involved in the ideation and iteration of this product. Fox News mentioned that they really wanted a teaching component to Abnormal’s product where their employees could become better at identifying and avoiding email threats.[4] Fox would be a great partner to bounce ideas off of and trial early versions of the product with.

Requirements and Initial Scoping

Risks and Questions

Human Risks:
- Emails get through that are poorly sanitized, causing either NSFW content to appear in inboxes or, in the worst case, exposing customers to legitimate email threats. To mitigate this, Abnormal must have high confidence that the emails have been sanitized properly, maybe even doing manual reviews initially.
- Employees get annoyed that phishing emails are now showing up in their inboxes. To mitigate this risk, employees may be notified at the beginning of a testing period to let them know that some emails are coming through. However, this could skew ESS scores because employees would have gotten a heads up, so we’ll cross this bridge when we get there.

Technical Ambiguities:
- If all existing organizations start using this simultaneously, it is possible the number of PE emails sent monthly will be in the tens of millions. The accompanying microservices will need to be highly scalable and cost efficient.
- How can we allow these emails to arrive in the inbox and bypass any existing secure email gateways (SEGs) as well as Abnormal’s algorithms?

General Questions:
- What is the best way to educate an employee about phishing threats? Is it during moments of high emotion? Is it within their daily workflow or outside of it?

References
