Getting Users to Pay Attention to Anti-Phishing Education
1. INTRODUCTION
2. TRAINING
2.1 Embedded training
2.2 Learning science principles
3. THEORY AND HYPOTHESES
3.1 Learning
3.2 Retention
3.3 Transfer
3.4 Cognitive Reflection
4. EVALUATION
4.1 Participant Recruitment and Demographics
4.2 Methodology
5. RESULTS
5.1 Participant scores and behavior
5.2 Learning
5.2.1 User performance
5.2.2 Time spent in reading the intervention
5.3 Retention and transfer
5.3.1 Overall performance after a delay
5.3.2 Retention
5.3.3 Transfer
5.4 Cognitive Reflection
5.5 Observations
6. DISCUSSION
7. CONCLUSIONS AND FUTURE WORK
8. ACKNOWLEDGMENTS
9. REFERENCES
10. APPENDIX

Getting Users to Pay Attention to Anti-Phishing Education: Evaluation of Retention and Transfer

Ponnurangam Kumaraguru, Yong Rhee, Steve Sheng, Sharique Hasan, Alessandro Acquisti, Lorrie Faith Cranor, Jason Hong
Carnegie Mellon University

ABSTRACT

Educational materials designed to teach users not to fall for phishing attacks are widely available but are often ignored by users. In this paper, we extend an embedded training methodology using learning science principles in which phishing education is made part of a primary task for users. The goal is to motivate users to pay attention to the training materials. In embedded training, users are sent simulated phishing attacks and trained after they fall for the attacks. Prior studies tested users immediately after training and demonstrated that embedded training improved users’ ability to identify phishing emails and websites. In the present study, we tested users to determine how well they retained knowledge gained through embedded training and how well they transferred this knowledge to identify other types of phishing emails. We also compared the effectiveness of the same training materials delivered via embedded training and delivered as regular email messages.

In our experiments, we found that: (a) users learn more effectively when the training materials are presented after users fall for the attack (embedded) than when the same training materials are sent by email (non-embedded); (b) users retain and transfer more knowledge after embedded training than after non-embedded training; and (c) users with higher Cognitive Reflection Test (CRT) scores are more likely than users with lower CRT scores to click on the links in the phishing emails from companies with which they have no account.

Categories and Subject Descriptors

D.4.6 Security and protection, H.1.2 User / Machine systems, H.5.2 User interfaces, K.6.5 Security and protection education.

General Terms

Design, Experimentation, Security, Human factors.

Keywords

Embedded training, learning science, instructional principles, phishing, email, usable privacy and security, situated learning.

1. INTRODUCTION

Users are susceptible to phishing attacks because of the sensitive trust decisions that they make when they conduct activities online. Psychologists have shown that people do not reflect on their options when making decisions under stress (e.g. accessing email while busy at work). Studies have shown that people under stress fail to consider all possible solutions and may end up making decisions that are irrational [11]. Psychologists call this the singular evaluation approach to decision making. In this approach, people evaluate solution options individually rather than comparing them with others, taking the first solution that works [13, pp. 20]. Psychologists have also shown that people do not ask the right questions when making decisions under stress and also rely on familiar patterns instead of considering all relevant details [28, 29].

Anti-phishing researchers have developed several approaches to preventing and detecting phishing attacks [9, 24], and to supporting Internet users in making better trust decisions that will help them avoid falling for phishing attacks. Much work has focused on helping users identify phishing web sites [8, 25, 26]. Less effort has been devoted to developing methods to train users to be less susceptible to phishing attacks [15, 20, 23].

Researchers argue that user education in the context of security is difficult because (1) security is always a secondary task for the end-users [30], (2) users are not motivated to read about privacy and security [4], and (3) users who do read about privacy and security develop a fear of online transactions, but do not necessarily learn how to protect themselves [1]. However, our hypothesis - which was validated through experiments - is that people can be taught to identify phishing scams without necessarily understanding complicated computer security concepts [15].

In this paper, we extend an embedded training methodology using learning science principles in which phishing education is made part of a primary task for users. The goal is to motivate users to pay attention to the training materials. In embedded training, users are sent simulated phishing attacks and are presented training interventions if they fall for the attacks. Prior studies tested users immediately after training and demonstrated that embedded training improved users’ ability to identify phishing emails and websites. They also compared embedded training to security notices delivered via email. However, the security notices did not include the same content as the embedded training materials [15]. In the present study, we tested users to determine how well they retained knowledge gained through embedded training over a period of about one week, and how well they transferred this knowledge to identify other types of phishing emails. We also compared the effectiveness of the same training materials delivered via embedded training and delivered as a regular email message (non-embedded).

In our experiments, we found that: (a) users learn more effectively when the training materials are presented after users fall for the attack (embedded) than when the same training materials are sent by email (non-embedded); (b) users retain and transfer