Protecting people from phishing: the design and evaluation of an embedded training email system
Source
Conference on Human Factors in Computing Systems
Proceedings of the SIGCHI conference on Human factors in computing systems
San Jose, California, USA
SESSION: Security
Pages: 905-914
Year of Publication: 2007
ISBN: 978-1-59593-593-9
Authors
Ponnurangam Kumaraguru  Carnegie Mellon University, Pittsburgh, PA
Yong Rhee  Carnegie Mellon University, Pittsburgh, PA
Alessandro Acquisti  Carnegie Mellon University, Pittsburgh, PA
Lorrie Faith Cranor  Carnegie Mellon University, Pittsburgh, PA
Jason Hong  Carnegie Mellon University, Pittsburgh, PA
Elizabeth Nunge  Carnegie Mellon University, Pittsburgh, PA
Sponsors
ACM: Association for Computing Machinery
SIGCHI: ACM Special Interest Group on Computer-Human Interaction
Publisher
ACM  New York, NY, USA
DOI: http://doi.acm.org/10.1145/1240624.1240760

ABSTRACT

Phishing attacks, in which criminals lure Internet users to websites that impersonate legitimate sites, are occurring with increasing frequency and are causing considerable harm to victims. In this paper we describe the design and evaluation of an embedded training email system that teaches people about phishing during their normal use of email. We conducted lab experiments contrasting the effectiveness of standard security notices about phishing with two embedded training designs we developed. We found that embedded training works better than the current practice of sending security notices. We also derived sound design principles for embedded training systems.

