Phishing is one of the dangerous threats to organisations. A sender of a phishing e-mail pretends to be a trusted person or a system in order to steal valuable information including personal identity data and credentials. In order to deal with this problem, many organisations have implemented an anti-phishing training. However, the outsourcing of an anti-phishing training requires a high cost. Additionally, many anti-phishing training systems provided by vendors save sensitive data such as e-mail addresses and names of trainees to public servers for an anti-phishing training. This architecture has a problem that attacking these public servers increases for the risk of information leakage about trainees. Therefore, this paper proposes an anti-phishing training system which does not save sensitive data such as an e-mail address and a name of trainees to public servers, and it is implementable at a low cost. This proposed system saves sensitive data to a trainer's local computer instead of public servers. A sensitive data saved on a trainer's local computer and trainees' access log data on public servers are associated with a pseudonym generated via pseudonymisation technique. Thus, if attackers try to steal trainees' sensitive data via the Internet, it becomes difficult for attackers by deleting sensitive data on a trainer's local computer.
[1]
Lina Zhou,et al.
Phishing environments, techniques, and countermeasures: A survey
,
2017,
Comput. Secur..
[2]
Melad Mohamed Al-Daeef,et al.
Security Awareness Training: A Review
,
2016
.
[3]
A. Pfitzmann,et al.
A terminology for talking about privacy by data minimization: Anonymity, Unlinkability, Undetectability, Unobservability, Pseudonymity, and Identity Management
,
2010
.
[4]
Jules J. Berman,et al.
Ruby: The Programming Language
,
2008
.
[5]
2018 Phishing By Industry Benchmarking Report
,
2018
.