Using Cartoons to Teach Internet Security

Abstract: While good user education can hardly secure a system, we believe that poor user education can put it at serious risk. The current problem of online fraud is exacerbated by the fact that most users make security decisions, such as whether to install a given piece of software or not, based on a very rudimentary understanding of risk. We describe the design principles behind SecurityCartoon.com, the first cartoon-based approach aimed at improving the understanding of risk among typical Internet users. We argue why an approach like ours is likely to produce better long-term effects than currently practiced educational efforts with the same general goals. This belief is based on the apparent difference between our approach and currently used alternatives. At the heart of these differences are the four guiding principles of our approach: (1) research-driven content selection, according to which we select educational messages based on user studies; (2) accessibility of the material, to reach and maintain a large readership; (3) user immersion in the material, based on repetitions on a theme; and (4) adaptability to a changing threat.
