A Phish Scale: Rating Human Phishing Message Detection Difficulty

Steves, Michelle P.; Greene, Kristen; Theofanos, Mary F.

doi:10.14722/usec.2019.23028

Cited by 20 publications

(14 citation statements)

References 27 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“… 36 , 37 More work is required to understand the relative persuasiveness of different targeted messages as well as the relative difficulty in detection. 42 …”

Section: Discussion and Lessons Learntmentioning

confidence: 99%

Phishing simulation exercise in a large hospital: A case study

et al. 2022

View full text Add to dashboard Cite

Background Phishing is a major threat to the data and infrastructure of healthcare organizations and many cyberattacks utilize this socially engineered pathway. Phishing simulation is used to identify weaknesses and risks in the human defences of organizations. There are many factors influencing the difficulty of detecting a phishing email including fatigue and the nature of the deceptive message. Method A major Italian Hospital with over 6000 healthcare staff performed a phishing simulation as part of its annual training and risk assessment. Three campaigns were launched at approx. 4-month intervals, to compare staff reaction to a general phishing email and a customized one. Results The results show that customization of phishing emails makes them much more likely to be acted on. In the first campaign, 64% of staff did not open the general phish, significantly more than the 38% that did not open the custom phish. A significant difference was also found for the click rate, with significantly more staff clicking on the custom phish. However, the campaigns could not be run as intended, due to issues raised within the organization. Conclusions Phishing simulation is useful but not without its limitations. It requires contextual knowledge, skill and experience to ensure that it is effective. The exercise raised many issues within the Hospital. Successful, ethical phishing simulations require coordination across the organization, precise timing and lack of staff awareness. This can be complex to coordinate. Misleading messages containing false threats or promises can cause a backlash from staff and unions. The effectiveness of the message is dependent on the personalization of the message to current, local events. The lessons learned can be useful for other hospitals.

show abstract

“… 36 , 37 More work is required to understand the relative persuasiveness of different targeted messages as well as the relative difficulty in detection. 42 …”

Section: Discussion and Lessons Learntmentioning

confidence: 99%

Phishing simulation exercise in a large hospital: A case study

et al. 2022

View full text Add to dashboard Cite

show abstract

“…e literature [22] focuses more on the human impact on the phishing emails. Steves et al [23] built the previous research to construct a phishing scale, which is a phishing tool that utilizes premise to its information retrieval. e former analyzes the user's area of interest in phishing messages, and the latter indicates the attack elements contained in phishing attacks.…”

Section: Related Researchmentioning

confidence: 99%

Predicting User Susceptibility to Phishing Based on Multidimensional Features

Yang

Zheng

et al. 2022

Computational Intelligence and Neuroscience

View full text Add to dashboard Cite

While antiphishing techniques have evolved over the years, phishing remains one of the most threatening attacks on current network security. This is because phishing exploits one of the weakest links in a network system—people. The purpose of this research is to predict the possible phishing victims. In this study, we propose the multidimensional phishing susceptibility prediction model (MPSPM) to implement the prediction of user phishing susceptibility. We constructed two types of emails: legitimate emails and phishing emails. We gathered 1105 volunteers to join our experiment by recruiting volunteers. We sent these emails to volunteers and collected their demographic, personality, knowledge experience, security behavior, and cognitive processes by means of a questionnaire. We then applied 7 supervised learning methods to classify these volunteers into two categories using multidimensional features: susceptible and nonsusceptible. The experimental results indicated that some machine learning methods have high accuracy in predicting user phishing susceptibility, with a maximum accuracy rate of 89.04%. We conclude our study with a discussion of our findings and their future implications.

show abstract

“…If controls focus on how employees treat URLs in emails, some staff may find it more difficult than others to identify particular kinds of malicious email [99]. A reporting point for malicious emails can then be valuable, or support for when staff are uncertain.…”

Section: Step 3 Identifying Linkages Between Negative and Positive Be...mentioning

confidence: 99%

A cyber-risk framework for coordination of the prevention and preservation of behaviours1

Parkin

Chua

2022

JCS

View full text Add to dashboard Cite

Cybersecurity controls are deployed to manage risks posed by malicious behaviours or systems. What is not often considered or articulated is how cybersecurity controls may impact legitimate users (often those whose use of a managed system needs to be protected, and preserved). This oversight characterises the ‘blunt’ nature of many cybersecurity controls. Here we present a framework produced from consideration of concerns across methods from cybercrime opportunity reduction and behaviour change, and existing risk management guidelines. We illustrate the framework and its principles with a range of examples and potential applications, including management of suspicious emails in organizations, and social media controls. The framework describes a capacity to improve the precision of cybersecurity controls by examining shared determinants of negative and positive behaviours in a system. This identifies opportunities for risk owners to better protect legitimate users while simultaneously acting to prevent malicious activity in a managed system. We describe capabilities for a novel approach to managing sociotechnical cyber risk which can be integrated alongside elements of typical risk management processes. This includes consideration of user activities as a system asset to protect, and a consideration of how to engage with other stakeholders in the identification of behaviours to preserve in a system.

show abstract

A Phish Scale: Rating Human Phishing Message Detection Difficulty

Cited by 20 publications

References 27 publications

Phishing simulation exercise in a large hospital: A case study

Phishing simulation exercise in a large hospital: A case study

Predicting User Susceptibility to Phishing Based on Multidimensional Features

A cyber-risk framework for coordination of the prevention and preservation of behaviours1

Contact Info

Product

Resources

About