Lessons from a real world evaluation of anti-phishing training

Prior laboratory studies have shown that PhishGuru, an embedded training system, is an effective way to teach users to identify phishing scams. PhishGuru users are sent simulated phishing attacks and are trained at the moment they fall for one. In this study, we extend the PhishGuru methodology to train users about spear phishing and test it in a real-world setting with employees of a Portuguese company. Our results demonstrate that the findings of the PhishGuru laboratory studies do hold up in a real-world deployment. Specifically, the field study showed that a large percentage of people who clicked on links in simulated phishing emails proceeded to give some form of personal information to the fake phishing websites, and that participants who received PhishGuru training were significantly less likely to fall for subsequent simulated phishing attacks one week later. This paper also presents several new findings. First, people trained with spear-phishing training material did not make better decisions in identifying spear-phishing emails than people trained with generic training material. Second, we observed that PhishGuru training can also be effective in training other people in the organization who did not receive training messages directly from the system. Third, employees in technical jobs did not differ from employees in non-technical jobs in identifying phishing emails, either before or after the training. We conclude with lessons learned from conducting the real-world study.