Teaching Phishing-Security: Which Way is Best?

Stockhardt, Simon; Reinheimer, Benjamin; Volkamer, Melanie; Mayer, Peter; Kunz, Alexandra; Rack, Philip D.; Lehmann, Daniel

doi:10.1007/978-3-319-33630-5_10

Cited by 29 publications

(27 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The first provides a general introduction to phishing, a brief overview of the techniques used by cybercriminals, their potential consequences, and the indicators to help detect illegitimate emails and URLs. The second provides additional instruction on how to avoid being deceived by phishing emails or URLs. Game-based training (self-paced, both groups): Many studies [10, 11, 13, 15, 16, 20, 21, 22] leverage game-play to interactively educate users. Training games allow users to play interactively with challenges to decide if emails are trustworthy.…”

Section: Methodsmentioning

confidence: 99%

“…This study uses the web browser-based game Anti-Phishing Phil [13] (freely accessible at http://www.ucl.ac.uk/cert/antiphishing/) and Anti-Phishing Phyllis ( free demo version at https://beta.wombatsecurity.com/webdemo/4.7/?module=phyllis). Both games played completely take between five and 10 min. Text-based training (self-paced, both groups): An educational text was created based on freely available material [13, 15, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31] including examples and describing the best practices to detect phishing emails. The content is identical to the instructor-led training presentation with a brief introduction to phishing, an example with its possible consequences, indicators of illegitimate emails and URL addresses, and additional examples of phishing emails and websites.…”

Section: Methodsmentioning

confidence: 99%

“…Furthermore, Stockhardt et al. [15] and Abawajy and Kim [16] showed that distinct types of training have different impacts on the ability to identify phishing emails. Additional experts [17] agree that a mix of training approaches is most promising.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Effectiveness of and user preferences for security awareness training methodologies

Tschakert

Ngamsuriyaroj

2019

Heliyon

View full text Add to dashboard Cite

Phishing is a primary vector used in cyber-attacks, and current technical measures are not sufficient to reduce their success to an acceptable level. Empowering users to identify phishing emails is crucial; thus, anti-phishing training is essential. We investigate participant phishing susceptibility in a 2 × 2 mixed factorial design to determine if instructor-led classroom training, in addition to a multiple approach video-, game-, and text-based training package, offers a significant difference in susceptibility reduction compared with the absence of classroom training. The results suggest an insignificant improvement in reducing phishing susceptibility by incorporating classroom training. Furthermore, we observe a significant preference from the participants for one training method (i.e., classroom training) only if a decision for one particular method was required.

show abstract

Section: Methodsmentioning

confidence: 99%

Section: Methodsmentioning

confidence: 99%

See 1 more Smart Citation

Effectiveness of and user preferences for security awareness training methodologies

Tschakert

Ngamsuriyaroj

2019

Heliyon

View full text Add to dashboard Cite

show abstract

“…Our proposed concept requires the goals to be derived from behavioral recommendations of information security awareness materials. We chose an extended version of the NoPhish anti-phishing awareness and education materials (Stockhardt et al, 2016) as basis for our goal derivation. They were a perfect fit, since they include clear behavioral recommendations and their effectiveness was proven in many settings (Canova et al, 2014;Kunz et al, 2016;Stockhardt et al, 2016).…”

Section: Creation Of the Goals Used In The Studymentioning

confidence: 99%

Productivity vs security: mitigating conflicting goals in organizations

Mayer

Gerber

McDermott

et al. 2017

ICS

Self Cite

View full text Add to dashboard Cite

Purpose-This paper aims to contribute to the understanding of goal setting in organizations, especially regarding the mitigation of conflicting productivity and security goals. Design/methodology/approach-This paper describes the results of a survey with 200 German employees regarding the effects of goal setting on employees' security compliance. Based on the survey results, a concept for setting information security goals in organizations building on actionable behavioral recommendations from information security awareness materials is developed. This concept was evaluated in three small to medium-sized organizations (SMEs) with overall 90 employees. Findings-The survey results revealed that the presence of rewards for productivity goal achievement is strongly associated with a decrease in security compliance. The evaluation of the goal setting concept indicates that setting their own information security goals is welcomed by employees. Research limitations/implications-Both studies rely on self-reported data and are therefore likely to contain some kind of bias. Practical implications-Goal setting in organizations has to accommodate for situations, where productivity goals constrain security policy compliance. Introducing the proposed goal setting concept based on relevant actionable behavioral recommendations can help mitigate issues in such situations. Originality/value-This work furthers the understanding of the factors affecting employee security compliance. Furthermore, the proposed concept can help maximizing the positive effects of goal setting in organizations by mitigating the negative effects through the introduction of meaningful and actionable information security goals.

show abstract

“…Our research group has a long history of developing phishing awareness programmes (including apps, flyers, reading material, presentations for seminars) and have carried out several user studies verifying their effectiveness [5][6][7]26,28,33,[39][40][41]. Our initial programmes required learners to spend between 20 to 45 minutes completing the awareness programmes.…”

Section: Introductionmentioning

confidence: 99%

Developing and Evaluating a Five Minute Phishing Awareness Video

Volkamer

Renaud

Reinheimer

et al. 2018

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Confidence tricksters have always defrauded the unwary. The computer era has merely extended their range and made it possible for them to target anyone in the world who has an email address. Nowadays, they send phishing messages that are specially crafted to deceive. Improving user awareness has the potential to reduce their effectiveness. We have previously developed and empirically-validated phishing awareness programmes. Our programmes are specifically designed to neutralize common phish-related misconceptions and teach people how to detect phishes. Many companies and individuals are already using our programmes, but a persistent niggle has been the amount of time required to complete the awareness programme. This paper reports on how we responded by developing and evaluating a condensed phishing awareness video that delivered phishing awareness more efficiently. Having watched our video, participants in our evaluation were able to detect phishing messages significantly more reliably right after watching the video (compared to before watching the video). This ability was also demonstrated after a retention period of eight weeks after first watching the video.

show abstract

Teaching Phishing-Security: Which Way is Best?

Cited by 29 publications

References 12 publications

Effectiveness of and user preferences for security awareness training methodologies

Effectiveness of and user preferences for security awareness training methodologies

Productivity vs security: mitigating conflicting goals in organizations

Developing and Evaluating a Five Minute Phishing Awareness Video

Contact Info

Product

Resources

About