One Phish, Two Phish, How to Avoid the Internet Phish

Phishing is a social engineering tactic that targets internet users in an attempt to trick them into divulging personal information. When opening an email, users are faced with the decision of determining whether the email is legitimate or an attempt at phishing. Although software has been developed to assist the user, studies have shown that it is not foolproof, leaving the user vulnerable. Multiple training programs have been developed to educate users in their efforts to make informed decisions; however, training that conveys the real-world consequences of phishing or training that increases a user's fear level has not been developed. Conveying the real-world consequences of a situation and increasing a user's fear level have been proven to enhance the effects of training in other fields. Ninety-six participants were recruited and randomly assigned to training programs with phishing consequences, training programs designed to increase fear, or a control group. Preliminary results indicate that training helped users identify phishing emails; however, little difference was seen among the three groups. Future analysis will include a factor analysis of the personality and individual differences that influence training efficacy.
