Article

Getting users to pay attention to anti-phishing education: evaluation of retention and transfer

Authors:

Ponnurangam Kumaraguru,

Sharique Hasan,

Alessandro Acquisti,

Lorrie Faith Cranor,

Jason HongAuthors Info & Claims

eCrime '07: Proceedings of the anti-phishing working groups 2nd annual eCrime researchers summit

Pages 70 - 81

https://doi.org/10.1145/1299015.1299022

Published: 04 October 2007 Publication History

Abstract

Educational materials designed to teach users not to fall for phishing attacks are widely available but are often ignored by users. In this paper, we extend an embedded training methodology using learning science principles in which phishing education is made part of a primary task for users. The goal is to motivate users to pay attention to the training materials. In embedded training, users are sent simulated phishing attacks and trained after they fall for the attacks. Prior studies tested users immediately after training and demonstrated that embedded training improved users' ability to identify phishing emails and websites. In the present study, we tested users to determine how well they retained knowledge gained through embedded training and how well they transferred this knowledge to identify other types of phishing emails. We also compared the effectiveness of the same training materials delivered via embedded training and delivered as regular email messages. In our experiments, we found that: (a) users learn more effectively when the training materials are presented after users fall for the attack (embedded) than when the same training materials are sent by email (non-embedded); (b) users retain and transfer more knowledge after embedded training than after non-embedded training; and (c) users with higher Cognitive Reflection Test (CRT) scores are more likely than users with lower CRT scores to click on the links in the phishing emails from companies with which they have no account.

References

[1]

Anandpara, V., Dingman, A., Jakobsson, M., Liu, D., and Roinestad, H. Phishing IQ tests measure fear, not ability. Usable Security (USEC'07)(2007). http://usablesecurity.org/papers/anandpara.pdf.

Digital Library

[2]

Anderson, J. R. Rules of the Mind. Lawrence Erlbaum Associates, Inc., 1993.

[3]

Anderson, J. R., and Simon, H. A. Situated learning and education. Educational Researcher 25 (1996), 5--11.

[4]

Anton, A. I., Earp, E. A. J. B., Bolchini, D., He, Q., Jensen, C., and Stufflebeam, W. The Lack of Clarity in Financial Privacy Policies and the Need for Standardization. IEEE Security and Privacy 2(2) (2004), pp. 36--45. Retrieved Dec 20, 2004, http://www.theprivacyplace.org/papers/glb_secPriv_tr.pdf.

Digital Library

[5]

Clark, R. C. and E. M. Richard. 2002. E-Learning and the science of instruction: proven guidelines for consumers and designers of multimedia learning. Pfeiffer, San Francisco, USA.

[6]

Dhamija, R., Tygar, J. D., and Hearst, M. 2006. Why phishing works. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (Montréal, Québec, Canada, April 22 - 27, 2006). R. Grinter, T. Rodden, P. Aoki, E. Cutrell, R. Jeffries, and G. Olson, Eds. CHI '06. ACM Press, New York, NY, 581--590. DOI=http://doi.acm.org/10.1145/1124772.1124861.

Digital Library

[7]

Downs, J. S., Holbrook, M. B., and Cranor, L. F. 2006. Decision strategies and susceptibility to phishing. In Proceedings of the Second Symposium on Usable Privacy and Security (Pittsburgh, Pennsylvania, July 12 - 14, 2006). SOUPS '06, vol. 149. ACM Press, New York, NY, 79--90. DOI=http://doi.acm.org/10.1145/1143120.1143131.

Digital Library

[8]

eBay Toolbar. Retrieved December 30, 2006. http://pages.ebay.com/ebay_toolbar/

[9]

Fette, I., N. Sadeh and A. Tomasic. Learning to Detect Phishing Emails. June 2006. ISRI Technical report, CMU-ISRI-06-112 (To be presented at WWW 2007).htt p://reports-archive.adm.cs.cmu.edu/anon/isri2006/CMU-ISRI-06-112.pdf.

[10]

Frederick, S. Cognitive reflection and decision making. Journal of Economic Perspectives 19, 4 (2005), 25--42.

[11]

Keinan, G. Decision making under stress: scanning of alternatives under controllable and uncontrollable threats. Journal of personality and social psychology 52, 3 (1987), 639--644.

[12]

Kirkley, J. R., and et al. Problem-based embedded training: An instructional methodology for embedded training using mixed and virtual reality technologies. In Interservice/Industry Training, Simulation, and Education Conference (I/ITSEC) (2003). http://www.iforces.org/downloads/problem-based.pdf.

[13]

Klein, G. Sources of power: How people make decisions? The MIT Press Cambridge, Massachusetts The MIT Press, Cambridge, Massachusetts, London, England, February 1999.

[14]

Kumaraguru, P., Sheng, S., Acquisti, A., Cranor, L. F., and Hong, J. Teaching johnny not to fall for phish. Tech. rep., Cranegie Mellon University, 2007. http://www.cylab.cmu.edu/files/cmucylab07003.pdf.

[15]

Kumaraguru, P., Y. Rhee, A. Acquisti, L. Cranor, J. Hong, and E. Nunge. In Proceedings of CHI 2007. Protecting People from Phishing: The Design and Evaluation of an Embedded Training Email System.

Digital Library

[16]

Mayer, R. E. Multimedia Learning. 2001. New York Cambridge University Press.

Digital Library

[17]

Mayer, R. E., and Anderson, R. B. The instructive animation: Helping students build connections between words and pictures in multimedia learning. Journal of Educational Psychology 84, 4 (December 1992), 444--452.

[18]

Merrienboer, J. V., de croock, M., and Jelsma, O. The transfer paradox: Effects of contextual interference on retention andtransfer performance of a complex cognitive skill. Perceptual and motor skills 84 (1997), 784--786.

[19]

Moreno, R., Mayer, R. E., Spires, H. A., and Lester, J. C. The case for social agency in computer-based teaching: Do students learn more deeply when they interact with animated pedagogical agents? Cognition and Instruction 19, 2 (2001), 177--213.

[20]

Robila, S. A., J. James and W. Ragucci. 2006. Don't be a phish: steps in user education. ITICSE '06: Proceedings of the 11th annual SIGCSE conference on Innovation and technology in computer science education. pp 237--241. New York, NY, USA.

Digital Library

[21]

Rubin, D. C., and Wenzel, A. E. One hundred years of forgetting: A quantitative description of retention. Psychological Review 103, 4 (1996), 734--760.

[22]

Schmidt, R. A., and Bjork, R. A. New conceptualizations of practice: Common principles in three paradigms suggest new concepts for training. Psychological Science 3, 4 (July 1992), 207--217.

[23]

Sheng, S., B. Magnien, P. Kumaraguru, A. Acquisti, L. Cranor, J. Hong, and E. Nunge. Anti-Phishing Phil: The Design and Evaluation of a Game That Teaches People Not to Fall for Phish. To appear in Symposium on Usable Privacy and Security 2007.

Digital Library

[24]

SpamAssasin. Retrieved September 10, 2006. http://spamassassin.apache.org/

[25]

SpoofGuard. Retrieved September 10, 2006, http://crypto.stanford.edu/SpoofGuard/

[26]

SpoofStick. Retrieved September 10, 2006. http://www.spoofstick.com/

[27]

SquirrelMail. Retrieved September 10, 2006. http://www.squirrelmail.org/

[28]

Tversky, A., and Kahneman, D. Judgment under Uncertainty: Heuristics and Biases. Science 185, 4157 (1974), 1124--1131.

[29]

Tversky, A., and Shafir, E. The disjunction effect in choice under uncertainty. American Psychological Society 3, 5 (September 1992), 305--309.

[30]

Whitten, A and J. D. Tygar. 1999. Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0. Proceedings of the 8th USENIX Security Symposium. http://www.cs.berkeley.edu/~tygar/papers/Why_Johnny_Cant_Encrypt/USENIX.pdf.

Digital Library

[31]

Whitten, W. B., and Bjork, R. A. Learning from tests: Effects of spacing. Journal of Verbal Learning and Verbal Behavior 16, 4 (August 1977), 465--478.

Cited By

Sarker OJayatilaka AHaggag SLiu CBabar M(2025)Understanding practitioners’ challenges and requirements in the design, implementation, and evaluation of anti-phishing interventionsJournal of Systems and Software10.1016/j.jss.2025.112356225(112356)Online publication date: Jul-2025
https://doi.org/10.1016/j.jss.2025.112356
Chen XDoublet SSergeeva ALenzini GKoenig VDistler VKelley PKapadia A(2024)What motivates and discourages employees in phishing interventionsProceedings of the Twentieth USENIX Conference on Usable Privacy and Security10.5555/3696899.3696925(487-506)Online publication date: 12-Aug-2024
https://dl.acm.org/doi/10.5555/3696899.3696925
Lain DJost TMatetic SKostiainen KCapkun SLuo BLiao XXu JKirda ELie D(2024)Content, Nudges and Incentives: A Study on the Effectiveness and Perception of Embedded Phishing TrainingProceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security10.1145/3658644.3690348(4182-4196)Online publication date: 2-Dec-2024
https://dl.acm.org/doi/10.1145/3658644.3690348
Show More Cited By

Index Terms

Getting users to pay attention to anti-phishing education: evaluation of retention and transfer

Recommendations

Protecting people from phishing: the design and evaluation of an embedded training email system
CHI '07: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems

Phishing attacks, in which criminals lure Internet users to websites that impersonate legitimate sites, are occurring with increasing frequency and are causing considerable harm to victims. In this paper we describe the design and evaluation of an ...
Anti-Phishing Phil: the design and evaluation of a game that teaches people not to fall for phish
SOUPS '07: Proceedings of the 3rd symposium on Usable privacy and security

In this paper we describe the design and evaluation of Anti-Phishing Phil, an online game that teaches users good habits to help them avoid phishing attacks. We used learning science principles to design and iteratively refine the game. We evaluated the ...
School of phish: a real-world evaluation of anti-phishing training
SOUPS '09: Proceedings of the 5th Symposium on Usable Privacy and Security

PhishGuru is an embedded training system that teaches users to avoid falling for phishing attacks by delivering a training message when the user clicks on the URL in a simulated phishing email. In previous lab and real-world experiments, we validated ...

Comments

Information & Contributors

Information

Published In

cover image ACM Other conferences

eCrime '07: Proceedings of the anti-phishing working groups 2nd annual eCrime researchers summit

October 2007

90 pages

ISBN:9781595939395

DOI:10.1145/1299015

General Chair:
Lorrie Faith Cranor
Carnegie Mellon University

Copyright © 2007 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 04 October 2007

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Article

Conference

eCrime '07

eCrime '07: eCrime '07 - Anti-phishing working group 2007 eCrime Researchers' Summit

October 4 - 5, 2007

Pennsylvania, Pittsburgh, USA

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

87
Total Citations
View Citations
2,137
Total Downloads

Downloads (Last 12 months)146
Downloads (Last 6 weeks)29

Reflects downloads up to 05 Mar 2025

Other Metrics

View Author Metrics

Citations

Cited By

Sarker OJayatilaka AHaggag SLiu CBabar M(2025)Understanding practitioners’ challenges and requirements in the design, implementation, and evaluation of anti-phishing interventionsJournal of Systems and Software10.1016/j.jss.2025.112356225(112356)Online publication date: Jul-2025
https://doi.org/10.1016/j.jss.2025.112356
Chen XDoublet SSergeeva ALenzini GKoenig VDistler VKelley PKapadia A(2024)What motivates and discourages employees in phishing interventionsProceedings of the Twentieth USENIX Conference on Usable Privacy and Security10.5555/3696899.3696925(487-506)Online publication date: 12-Aug-2024
https://dl.acm.org/doi/10.5555/3696899.3696925
Lain DJost TMatetic SKostiainen KCapkun SLuo BLiao XXu JKirda ELie D(2024)Content, Nudges and Incentives: A Study on the Effectiveness and Perception of Embedded Phishing TrainingProceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security10.1145/3658644.3690348(4182-4196)Online publication date: 2-Dec-2024
https://dl.acm.org/doi/10.1145/3658644.3690348
Schiller KAdamsky FEichenmüller CReimert MBenenson ZLuo BLiao XXu JKirda ELie D(2024)Employees' Attitudes towards Phishing Simulations: "It's like when a child reaches onto the hot hob"Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security10.1145/3658644.3690212(4167-4181)Online publication date: 2-Dec-2024
https://dl.acm.org/doi/10.1145/3658644.3690212
Burda PAllodi LZannone N(2024)Cognition in Social Engineering Empirical Research: A Systematic Literature ReviewACM Transactions on Computer-Human Interaction10.1145/363514931:2(1-55)Online publication date: 29-Jan-2024
https://dl.acm.org/doi/10.1145/3635149
Wang CJia ZBenkraouda HZevnik CHeuermann NFoulger RHandler JWang G(2024)VeriSMS: A Message Verification System for Inclusive Patient Outreach against Phishing AttacksProceedings of the 2024 CHI Conference on Human Factors in Computing Systems10.1145/3613904.3642027(1-17)Online publication date: 11-May-2024
https://dl.acm.org/doi/10.1145/3613904.3642027
Alqahtani SNanda P(2024)Effects of Personal Characteristics on Phishing Awareness, Anti-Phishing Tool Usage, and Phishing Avoidance Behavior: A Structural Equation Modeling Approach2024 17th International Conference on Security of Information and Networks (SIN)10.1109/SIN63213.2024.10871302(1-9)Online publication date: 2-Dec-2024
https://doi.org/10.1109/SIN63213.2024.10871302
Marshall NSturman DAuton J(2024)Exploring the evidence for email phishing training: A scoping reviewComputers & Security10.1016/j.cose.2023.103695139(103695)Online publication date: Apr-2024
https://doi.org/10.1016/j.cose.2023.103695
Köhler DPünter WMeinel C(2024)We have Phishing at Home: Quantitative Study on Email Phishing Susceptibility in Private ContextsInformation Security10.1007/978-3-031-75764-8_13(246-265)Online publication date: 17-Oct-2024
https://doi.org/10.1007/978-3-031-75764-8_13
Bouma DHoffmans Cvan den Hout NZwarts NTreur JRoelofsma P(2024)Cyber Security in Hospitals: A Network-Oriented Model for Behavioural Learning of Employees During Phishing SimulationsInternational Joint Conferences10.1007/978-3-031-75016-8_10(98-111)Online publication date: 16-Nov-2024
https://doi.org/10.1007/978-3-031-75016-8_10
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Figures

Tables

Media

View Table of Conten