Protecting people from phishing: the design and evaluation of an embedded training email system

Phishing attacks, in which criminals lure Internet users to websites that impersonate legitimate sites, are occurring with increasing frequency and are causing considerable harm to victims. In this paper we describe the design and evaluation of an embedded training email system that teaches people about phishing during their normal use of email. We conducted lab experiments contrasting the effectiveness of standard security notices about phishing with two embedded training designs we developed. We found that embedded training works better than the current practice of sending security notices. We also derived sound design principles for embedded training systems.
