Article
DOI: 10.1145/1299015.1299022

Getting users to pay attention to anti-phishing education: evaluation of retention and transfer

Published: 04 October 2007

ABSTRACT

Educational materials designed to teach users not to fall for phishing attacks are widely available but are often ignored by users. In this paper, we extend an embedded training methodology using learning science principles in which phishing education is made part of a primary task for users. The goal is to motivate users to pay attention to the training materials. In embedded training, users are sent simulated phishing attacks and trained after they fall for the attacks. Prior studies tested users immediately after training and demonstrated that embedded training improved users' ability to identify phishing emails and websites. In the present study, we tested users to determine how well they retained knowledge gained through embedded training and how well they transferred this knowledge to identify other types of phishing emails. We also compared the effectiveness of the same training materials delivered via embedded training and delivered as regular email messages. In our experiments, we found that: (a) users learn more effectively when the training materials are presented after users fall for the attack (embedded) than when the same training materials are sent by email (non-embedded); (b) users retain and transfer more knowledge after embedded training than after non-embedded training; and (c) users with higher Cognitive Reflection Test (CRT) scores are more likely than users with lower CRT scores to click on the links in the phishing emails from companies with which they have no account.


Published in

eCrime '07: Proceedings of the anti-phishing working groups 2nd annual eCrime researchers summit
ACM Other conferences, October 2007, 90 pages
ISBN: 9781595939395
DOI: 10.1145/1299015

Copyright © 2007 ACM

          Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher: Association for Computing Machinery, New York, NY, United States

