How Effective is Anti-Phishing Training for Children?

User training is a commonly used method for preventing victimization from phishing attacks. In this study, we focus on training children, since they are active online but often overlooked in interventions. We present an experiment in which children at Dutch primary schools received an anti-phishing training. The subjects were subsequently tested for their ability to distinguish phishing from non-phishing. A control group was used to control for external effects. Furthermore, the subjects received a re-test after several weeks to measure how well the children retained the training. The training improved the children's overall score by 14%. The improvement was mostly caused by an increased score on the questions where they had to detect phishing. The score on recognizing legitimate emails was not affected by the training. We found that the improved phishing score returned to pre-training levels after four weeks. Conversely, the score of recognition of legitimate emails increased over time. After four weeks, trained pupils scored significantly better in recognizing legitimate emails than their untrained counterparts. Age had a positive effect on the score (i.e., older children scored higher than younger ones); but sex had no significant influence. In conclusion, educating children to improve their ability to detect phishing works in the short term only. However, children go to school regularly, making it easier to educate them than adults. An increased focus on the cybersecurity of children is essential to improve overall cybersecurity in the future.

[1]  Judee K. Burgoon,et al.  Advances in deception detection , 2010 .

[2]  Lorrie Faith Cranor,et al.  School of phish: a real-world evaluation of anti-phishing training , 2009, SOUPS.

[3]  E. Rutger Leukfeldt,et al.  Phishing for Suitable Targets in The Netherlands: Routine Activity Theory and Phishing Victimization , 2014, Cyberpsychology Behav. Soc. Netw..

[4]  Malcolm Robert Pattinson,et al.  The design of phishing studies: Challenges for researchers , 2015, Comput. Secur..

[5]  Christian A. Meissner,et al.  Does Training Improve the Detection of Deception? A Meta-Analysis , 2016, Commun. Res..

[6]  Timothy R. Levine,et al.  Accuracy in detecting truths and lies: Documenting the “veracity effect” , 1999 .

[7]  Lorrie Faith Cranor,et al.  Lessons from a real world evaluation of anti-phishing training , 2008, 2008 eCrime Researchers Summit.

[8]  Patrick G. Nyeste,et al.  Training Users to Counteract Phishing , 2010, Work.

[9]  Swapan Purkait,et al.  Information Management & Computer Security Phishing counter measures and their effectiveness – literature review , 2016 .

[10]  L. Haddon,et al.  EU Kids Online: national perspectives , 2012 .

[11]  D. Kahneman Thinking, Fast and Slow , 2011 .

[12]  Lawrence E. Cohen,et al.  Social Change and Crime Rate Trends: A Routine Activity Approach , 1979 .

[13]  Rick Wash,et al.  Stories as informal lessons about security , 2012, SOUPS.

[14]  Ponnurangam Kumaraguru,et al.  Who falls for phish?: a demographic analysis of phishing susceptibility and effectiveness of interventions , 2010, CHI.

[15]  Malcolm Munro,et al.  An Evaluation of Users' Anti-Phishing Knowledge Retention , 2009, 2009 International Conference on Information Management and Engineering.

[16]  Ibrahim Mohammed A. Alseadoon,et al.  The impact of users' characteristics on their ability to detect phishing emails , 2014 .

[17]  Lois Ann Scheidt,et al.  It’s Complicated: The Social Lives of Networked Teens , 2015, New Media Soc..

[18]  Marti A. Hearst,et al.  Why phishing works , 2006, CHI.

[19]  Jeff Chester,et al.  The new threat of digital marketing. , 2012, Pediatric clinics of North America.

[20]  Jason Hong,et al.  The state of phishing attacks , 2012, Commun. ACM.

[21]  Luis de Marcos,et al.  Gamifying learning experiences: Practical implications and outcomes , 2013, Comput. Educ..

[22]  Yada Zhu,et al.  Social Phishing , 2018, Encyclopedia of Social Network Analysis and Mining. 2nd Ed..

[23]  John A. Clark,et al.  F for fake: four studies on how we fall for phish , 2011, CHI.

[24]  Stefan A. Robila,et al.  Don't be a phish: steps in user education , 2006, ITICSE '06.

[25]  Lorrie Faith Cranor,et al.  Teaching Johnny not to fall for phish , 2010, TOIT.

[26]  Sandra L. Calvert Children as Consumers: Advertising and Marketing , 2008, The Future of children.

[27]  Pieter H. Hartel,et al.  Telephone-based social engineering attacks: An experiment testing the success and time decay of an intervention , 2016, SG-CRC.

[28]  H. Eysenck THINKING , 1958 .

[29]  Lorrie Faith Cranor,et al.  Getting users to pay attention to anti-phishing education: evaluation of retention and transfer , 2007, eCrime '07.

[30]  P. Slovic Risk-taking in children: Age and sex differences. , 1966 .

[31]  Jacob Cohen,et al.  A power primer. , 1992, Psychological bulletin.

[32]  Alex Tsow Deceit and Deception : A Large User Study of Phishing , 2007 .