DOI: 10.1145/1572532.1572536
Research article

School of phish: a real-world evaluation of anti-phishing training

Published: 15 July 2009

Abstract

PhishGuru is an embedded training system that teaches users to avoid falling for phishing attacks by delivering a training message when the user clicks on the URL in a simulated phishing email. In previous lab and real-world experiments, we validated the effectiveness of this approach. Here, we extend our previous work with a 515-participant, real-world study in which we focus on long-term retention and the effect of two training messages. We also investigate demographic factors that influence training and general phishing susceptibility. Results of this study show that (1) users trained with PhishGuru retain knowledge even after 28 days; (2) adding a second training message to reinforce the original training decreases the likelihood of people giving information to phishing websites; and (3) training does not decrease users' willingness to click on links in legitimate messages. We found no significant difference between males and females in the tendency to fall for phishing emails both before and after the training. We found that participants in the 18--25 age group were consistently more vulnerable to phishing attacks on all days of the study than older participants. Finally, our exit survey results indicate that most participants enjoyed receiving training during their normal use of email.

Published In

SOUPS '09: Proceedings of the 5th Symposium on Usable Privacy and Security
July 2009, 205 pages
ISBN: 9781605587363
DOI: 10.1145/1572532

Sponsors

  • Carnegie Mellon CyLab
  • Google Inc.

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

  1. email
  2. embedded training
  3. phishing
  4. real-world studies
  5. usable privacy and security

Qualifiers

  • Research-article

Conference

SOUPS '09: Symposium on Usable Privacy and Security
July 15-17, 2009
Mountain View, California, USA

Acceptance Rates

SOUPS '09 Paper Acceptance Rate: 15 of 49 submissions, 31%
Overall Acceptance Rate: 15 of 49 submissions, 31%

Article Metrics

  • Downloads (last 12 months): 264
  • Downloads (last 6 weeks): 21
Reflects downloads up to 28 Feb 2025

Cited By

  • (2025) What goes wrong during phishing education? A probe into a game-based assessment with unfavorable results. Entertainment Computing, 52(100815). DOI: 10.1016/j.entcom.2024.100815. Online publication date: Jan 2025.
  • (2024) Vulnerability of Students of Masaryk University to Two Different Types of Phishing. Applied Cybersecurity & Internet Governance. DOI: 10.60097/ACIG/190268. Online publication date: 24 Jun 2024.
  • (2024) Simulated stress. Proceedings of the 33rd USENIX Conference on Security Symposium, pages 4589-4606. DOI: 10.5555/3698900.3699157. Online publication date: 14 Aug 2024.
  • (2024) What motivates and discourages employees in phishing interventions. Proceedings of the Twentieth USENIX Conference on Usable Privacy and Security, pages 487-506. DOI: 10.5555/3696899.3696925. Online publication date: 12 Aug 2024.
  • (2024) You Know What? - Evaluation of a Personalised Phishing Training Based on Users' Phishing Knowledge and Detection Skills. Proceedings of the 2024 European Symposium on Usable Security, pages 1-14. DOI: 10.1145/3688459.3688460. Online publication date: 30 Sep 2024.
  • (2024) From Victims to Defenders: An Exploration of the Phishing Attack Reporting Ecosystem. Proceedings of the 27th International Symposium on Research in Attacks, Intrusions and Defenses, pages 49-64. DOI: 10.1145/3678890.3678926. Online publication date: 30 Sep 2024.
  • (2024) Does trainer gender make a difference when delivering phishing training? A new experimental design to capture bias. Proceedings of the 28th International Conference on Evaluation and Assessment in Software Engineering, pages 130-139. DOI: 10.1145/3661167.3661232. Online publication date: 18 Jun 2024.
  • (2024) Employees' Attitudes towards Phishing Simulations: "It's like when a child reaches onto the hot hob". Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security, pages 4167-4181. DOI: 10.1145/3658644.3690212. Online publication date: 2 Dec 2024.
  • (2024) Selling Satisfaction: A Qualitative Analysis of Cybersecurity Awareness Vendors' Promises. Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security, pages 2666-2680. DOI: 10.1145/3658644.3690196. Online publication date: 2 Dec 2024.
  • (2024) Cognition in Social Engineering Empirical Research: A Systematic Literature Review. ACM Transactions on Computer-Human Interaction, 31(2):1-55. DOI: 10.1145/3635149. Online publication date: 29 Jan 2024.
