Phishing IQ Tests Measure Fear, Not Ability

Anandpara, Vivek; Dingman, Andrew; Jakobsson, Markus; Liu, Debin; Roinestad, Heather

doi:10.1007/978-3-540-77366-5_33

Cited by 42 publications

(18 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Interview studies have been conducted to gain insights into users' mental models and decision processes [7,18]. Laboratory experimental studies where participants played a fictitious role and used personal information associated with that role have been used to test users' susceptibility to phishing attacks and evaluate the effectiveness of anti-phishing toolbars and training materials [2,6,14,19,20,21,31]. Laboratory experimental studies where participants used their own credentials have been used to evaluate the effectiveness of mutual authentication tools [30].…”

Section: User Study Methodsmentioning

confidence: 99%

Lessons from a real world evaluation of anti-phishing training

Kumaraguru

Sheng

Acquisti

et al. 2008

2008 eCrime Researchers Summit

120

146

View full text Add to dashboard Cite

Prior laboratory studies have shown that PhishGuru, an embedded training system, is an effective way to teach users to identify phishing scams. PhishGuru users are sent simulated phishing attacks and trained after they fall for the attacks. In this current study, we extend the PhishGuru methodology to train users about spear phishing and test it in a real world setting with employees of a Portuguese company. Our results demonstrate that the findings of PhishGuru laboratory studies do indeed hold up in a real world deployment. Specifically, the results from the field study showed that a large percentage of people who clicked on links in simulated emails proceeded to give some form of personal information to fake phishing websites, and that participants who received PhishGuru training were significantly less likely to fall for subsequent simulated phishing attacks one week later. This paper presents some additional new findings. First, people trained with spear phishing training material did not make better decisions in identifying spear phishing emails compared to people trained with generic training material. Second, we observed that PhishGuru training could be effective in training other people in the organization who did not receive training messages directly from the system. Third, we also observed that employees in technical jobs were not different from employees with nontechnical jobs in identifying phishing emails before and after the training. We conclude with some lessons that we learned in conducting the real world study.

show abstract

Section: User Study Methodsmentioning

confidence: 99%

Lessons from a real world evaluation of anti-phishing training

Kumaraguru

Sheng

Acquisti

et al. 2008

2008 eCrime Researchers Summit

120

146

View full text Add to dashboard Cite

show abstract

“…Others have commented that education is not a feasible solution for phishing and other security attacks because security education "puts the burden on the wrong shoulder" [Nielsen 2004] and security is a secondary goal for users [Evers 2006]. Furthermore, evaluations of some security-related educational materials have found these materials to be ineffective [Anandpara et al 2007;Jackson et al 2007]. In general, we found that existing online anti-phishing training materials tend to make users more cautious about opening and acting upon email, but do not teach people how to determine whether a website or email is fradulent (See Section 4).…”

Section: Training Users Not To Fall For Attacksmentioning

confidence: 99%

“…Users are scored based on how well they can identify which emails are legitimate and which are not. However, while this approach raises awareness about phishing, a user study found that it is not an effective training method [Anandpara et al 2007]. Nonetheless, the idea of integrating self tests with other anti-phishing training materials warrants further examination.…”

Section: Training Users Not To Fall For Attacksmentioning

confidence: 99%

Teaching Johnny not to fall for phish

Kumaraguru

Sheng

Acquisti

et al. 2010

ACM Trans. Internet Technol.

282

226

View full text Add to dashboard Cite

Phishing attacks, in which criminals lure Internet users to websites that spoof legitimate websites, are occurring with increasing frequency and are causing considerable harm to victims. While a great deal of effort has been devoted to solving the phishing problem by prevention and detection of phishing emails and phishing websites, little research has been done in the area of training users to recognize those attacks. Our research focuses on educating users about phishing and helping them make better trust decisions. We identified a number of challenges for end-user security education in general and anti-phishing education in particular: users are not motivated to learn about security; for most users, security is a secondary task; it is difficult to teach people to identify security threats without also increasing their tendency to misjudge non-threats as threats. Keeping these challenges in mind, we developed an email-based anti-phishing education system called "PhishGuru" and an online game called "Anti-Phishing Phil" that teaches users how to use cues in URLs to avoid falling for phishing attacks. We applied learning science instructional principles in the design of PhishGuru and Anti-Phishing Phil. In this paper we present the results of PhishGuru and Anti-Phishing Phil user studies that demonstrate the effectiveness of these tools. Our results suggest that, while automated detection systems should be used as the first line of defense against phishing attacks, user education offers a complementary approach to help people better recognize fraudulent emails and websites.

show abstract

“…Typical users know to an even lesser extent that it may be clicked to display a certificate containing information about the purported identity of the website, along with information on the identity of the authority which is vouching for its identity. 1 The result is that when users visit phishing sites, the lack of appropriate cryptographic authentication is not noticed, and users tend to rely on indicators that they have come to trust in the non-digital world, such as the presence of brand logos and other look-and-feel branding intangibles, regardless of how inapplicable these indicators are as authenticators in the digital realm. A further, or more detailed explanation of the general phishing problem is beyond the scope of the current presentation, but interested readers are directed to [28] for comprehensive coverage of the issue.…”

Section: Why Phishing Workmentioning

confidence: 99%

Delayed password disclosure

Jakobsson

Myers

2007

SIGACT News

Self Cite

View full text Add to dashboard Cite

The Distributed Computing Column covers the theory of systems that are composed of a number of interacting computing elements. These include problems of communication and networking, databases, distributed shared memory, multiprocessor architectures, operating systems, verification, Internet, and the Web. This issue consists of:• "Delayed Password Disclosure," by Markus Jakobsson and Steven Myers.Many thanks to them for their contribution to this issue. Request for Collaborations:Please send me any suggestions for material I should be including in this column, including news and communications, open problems, and authors willing to write a guest column or to review an event related to theory of distributed computing. Delayed Password Disclosure Markus Jakobsson and Steven MyersSchool of Informatics Indiana University at Bloomington AbstractWe present a new authentication protocol called Delayed Password Disclosure. Based on the traditional username and password paradigm, the protocol's goal is aimed at reducing the effectiveness of phishing/spoofing attacks that are becoming increasingly problematic for Internet users. This is done by providing the user with dynamic feedback while password entry occurs. While this is a process that would normally be frowned upon by the cryptographic community, we argue that it may result in more effective security than that offered by currently proposed "cryptographically acceptable" alternatives. While the protocol cannot prevent partial disclosure of one's password to the phisher, it does provide a user with the tools necessary to recognize an ongoing phishing attack, and prevent the disclosure of his/her entire password, providing graceful security degradation.

show abstract

Phishing IQ Tests Measure Fear, Not Ability

Cited by 42 publications

References 9 publications

Lessons from a real world evaluation of anti-phishing training

Lessons from a real world evaluation of anti-phishing training

Teaching Johnny not to fall for phish

Delayed password disclosure

Contact Info

Product

Resources

About