ABSTRACT
PhishGuru is an embedded training system that teaches users to avoid falling for phishing attacks by delivering a training message when the user clicks on the URL in a simulated phishing email. In previous lab and real-world experiments, we validated the effectiveness of this approach. Here, we extend our previous work with a 515-participant, real-world study in which we focus on long-term retention and the effect of two training messages. We also investigate demographic factors that influence training and general phishing susceptibility. Results of this study show that (1) users trained with PhishGuru retain knowledge even after 28 days; (2) adding a second training message to reinforce the original training decreases the likelihood of people giving information to phishing websites; and (3) training does not decrease users' willingness to click on links in legitimate messages. We found no significant difference between males and females in the tendency to fall for phishing emails both before and after the training. We found that participants in the 18--25 age group were consistently more vulnerable to phishing attacks on all days of the study than older participants. Finally, our exit survey results indicate that most participants enjoyed receiving training during their normal use of email.