Article

Getting users to pay attention to anti-phishing education: evaluation of retention and transfer

Authors:

Ponnurangam Kumaraguru,

Sharique Hasan,

Alessandro Acquisti,

Lorrie Faith Cranor,

Jason HongAuthors Info & Claims

eCrime '07: Proceedings of the anti-phishing working groups 2nd annual eCrime researchers summit

Pages 70 - 81

https://doi.org/10.1145/1299015.1299022

Published: 04 October 2007 Publication History

Abstract

Educational materials designed to teach users not to fall for phishing attacks are widely available but are often ignored by users. In this paper, we extend an embedded training methodology using learning science principles in which phishing education is made part of a primary task for users. The goal is to motivate users to pay attention to the training materials. In embedded training, users are sent simulated phishing attacks and trained after they fall for the attacks. Prior studies tested users immediately after training and demonstrated that embedded training improved users' ability to identify phishing emails and websites. In the present study, we tested users to determine how well they retained knowledge gained through embedded training and how well they transferred this knowledge to identify other types of phishing emails. We also compared the effectiveness of the same training materials delivered via embedded training and delivered as regular email messages. In our experiments, we found that: (a) users learn more effectively when the training materials are presented after users fall for the attack (embedded) than when the same training materials are sent by email (non-embedded); (b) users retain and transfer more knowledge after embedded training than after non-embedded training; and (c) users with higher Cognitive Reflection Test (CRT) scores are more likely than users with lower CRT scores to click on the links in the phishing emails from companies with which they have no account.

References

[1]

Anandpara, V., Dingman, A., Jakobsson, M., Liu, D., and Roinestad, H. Phishing IQ tests measure fear, not ability. Usable Security (USEC'07)(2007). http://usablesecurity.org/papers/anandpara.pdf.

Digital Library

[2]

Anderson, J. R. Rules of the Mind. Lawrence Erlbaum Associates, Inc., 1993.

[3]

Anderson, J. R., and Simon, H. A. Situated learning and education. Educational Researcher 25 (1996), 5--11.

[4]

Anton, A. I., Earp, E. A. J. B., Bolchini, D., He, Q., Jensen, C., and Stufflebeam, W. The Lack of Clarity in Financial Privacy Policies and the Need for Standardization. IEEE Security and Privacy 2(2) (2004), pp. 36--45. Retrieved Dec 20, 2004, http://www.theprivacyplace.org/papers/glb_secPriv_tr.pdf.

Digital Library

[5]

Clark, R. C. and E. M. Richard. 2002. E-Learning and the science of instruction: proven guidelines for consumers and designers of multimedia learning. Pfeiffer, San Francisco, USA.

[6]

Dhamija, R., Tygar, J. D., and Hearst, M. 2006. Why phishing works. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (Montréal, Québec, Canada, April 22 - 27, 2006). R. Grinter, T. Rodden, P. Aoki, E. Cutrell, R. Jeffries, and G. Olson, Eds. CHI '06. ACM Press, New York, NY, 581--590. DOI=http://doi.acm.org/10.1145/1124772.1124861.

Digital Library

[7]

Downs, J. S., Holbrook, M. B., and Cranor, L. F. 2006. Decision strategies and susceptibility to phishing. In Proceedings of the Second Symposium on Usable Privacy and Security (Pittsburgh, Pennsylvania, July 12 - 14, 2006). SOUPS '06, vol. 149. ACM Press, New York, NY, 79--90. DOI=http://doi.acm.org/10.1145/1143120.1143131.

Digital Library

[8]

eBay Toolbar. Retrieved December 30, 2006. http://pages.ebay.com/ebay_toolbar/

[9]

Fette, I., N. Sadeh and A. Tomasic. Learning to Detect Phishing Emails. June 2006. ISRI Technical report, CMU-ISRI-06-112 (To be presented at WWW 2007).htt p://reports-archive.adm.cs.cmu.edu/anon/isri2006/CMU-ISRI-06-112.pdf.

[10]

Frederick, S. Cognitive reflection and decision making. Journal of Economic Perspectives 19, 4 (2005), 25--42.

[11]

Keinan, G. Decision making under stress: scanning of alternatives under controllable and uncontrollable threats. Journal of personality and social psychology 52, 3 (1987), 639--644.

[12]

Kirkley, J. R., and et al. Problem-based embedded training: An instructional methodology for embedded training using mixed and virtual reality technologies. In Interservice/Industry Training, Simulation, and Education Conference (I/ITSEC) (2003). http://www.iforces.org/downloads/problem-based.pdf.

[13]

Klein, G. Sources of power: How people make decisions? The MIT Press Cambridge, Massachusetts The MIT Press, Cambridge, Massachusetts, London, England, February 1999.

[14]

Kumaraguru, P., Sheng, S., Acquisti, A., Cranor, L. F., and Hong, J. Teaching johnny not to fall for phish. Tech. rep., Cranegie Mellon University, 2007. http://www.cylab.cmu.edu/files/cmucylab07003.pdf.

[15]

Kumaraguru, P., Y. Rhee, A. Acquisti, L. Cranor, J. Hong, and E. Nunge. In Proceedings of CHI 2007. Protecting People from Phishing: The Design and Evaluation of an Embedded Training Email System.

Digital Library

[16]

Mayer, R. E. Multimedia Learning. 2001. New York Cambridge University Press.

Digital Library

[17]

Mayer, R. E., and Anderson, R. B. The instructive animation: Helping students build connections between words and pictures in multimedia learning. Journal of Educational Psychology 84, 4 (December 1992), 444--452.

[18]

Merrienboer, J. V., de croock, M., and Jelsma, O. The transfer paradox: Effects of contextual interference on retention andtransfer performance of a complex cognitive skill. Perceptual and motor skills 84 (1997), 784--786.

[19]

Moreno, R., Mayer, R. E., Spires, H. A., and Lester, J. C. The case for social agency in computer-based teaching: Do students learn more deeply when they interact with animated pedagogical agents? Cognition and Instruction 19, 2 (2001), 177--213.

[20]

Robila, S. A., J. James and W. Ragucci. 2006. Don't be a phish: steps in user education. ITICSE '06: Proceedings of the 11th annual SIGCSE conference on Innovation and technology in computer science education. pp 237--241. New York, NY, USA.

Digital Library

[21]

Rubin, D. C., and Wenzel, A. E. One hundred years of forgetting: A quantitative description of retention. Psychological Review 103, 4 (1996), 734--760.

[22]

Schmidt, R. A., and Bjork, R. A. New conceptualizations of practice: Common principles in three paradigms suggest new concepts for training. Psychological Science 3, 4 (July 1992), 207--217.

[23]

Sheng, S., B. Magnien, P. Kumaraguru, A. Acquisti, L. Cranor, J. Hong, and E. Nunge. Anti-Phishing Phil: The Design and Evaluation of a Game That Teaches People Not to Fall for Phish. To appear in Symposium on Usable Privacy and Security 2007.

Digital Library

[24]

SpamAssasin. Retrieved September 10, 2006. http://spamassassin.apache.org/

[25]

SpoofGuard. Retrieved September 10, 2006, http://crypto.stanford.edu/SpoofGuard/

[26]

SpoofStick. Retrieved September 10, 2006. http://www.spoofstick.com/

[27]

SquirrelMail. Retrieved September 10, 2006. http://www.squirrelmail.org/

[28]

Tversky, A., and Kahneman, D. Judgment under Uncertainty: Heuristics and Biases. Science 185, 4157 (1974), 1124--1131.

[29]

Tversky, A., and Shafir, E. The disjunction effect in choice under uncertainty. American Psychological Society 3, 5 (September 1992), 305--309.

[30]

Whitten, A and J. D. Tygar. 1999. Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0. Proceedings of the 8th USENIX Security Symposium. http://www.cs.berkeley.edu/~tygar/papers/Why_Johnny_Cant_Encrypt/USENIX.pdf.

Digital Library

[31]

Whitten, W. B., and Bjork, R. A. Learning from tests: Effects of spacing. Journal of Verbal Learning and Verbal Behavior 16, 4 (August 1977), 465--478.

Cited By

Burda PAllodi LZannone N(2024)Cognition in Social Engineering Empirical Research: A Systematic Literature ReviewACM Transactions on Computer-Human Interaction10.1145/363514931:2(1-55)Online publication date: 29-Jan-2024
https://dl.acm.org/doi/10.1145/3635149
Wang CJia ZBenkraouda HZevnik CHeuermann NFoulger RHandler JWang G(2024)VeriSMS: A Message Verification System for Inclusive Patient Outreach against Phishing AttacksProceedings of the 2024 CHI Conference on Human Factors in Computing Systems10.1145/3613904.3642027(1-17)Online publication date: 11-May-2024
https://dl.acm.org/doi/10.1145/3613904.3642027
Marshall NSturman DAuton J(2024)Exploring the evidence for email phishing training: A scoping reviewComputers & Security10.1016/j.cose.2023.103695139(103695)Online publication date: Apr-2024
https://doi.org/10.1016/j.cose.2023.103695
Show More Cited By

Index Terms

Getting users to pay attention to anti-phishing education: evaluation of retention and transfer

Recommendations

Protecting people from phishing: the design and evaluation of an embedded training email system
CHI '07: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems

Phishing attacks, in which criminals lure Internet users to websites that impersonate legitimate sites, are occurring with increasing frequency and are causing considerable harm to victims. In this paper we describe the design and evaluation of an ...
Anti-Phishing Phil: the design and evaluation of a game that teaches people not to fall for phish
SOUPS '07: Proceedings of the 3rd symposium on Usable privacy and security

In this paper we describe the design and evaluation of Anti-Phishing Phil, an online game that teaches users good habits to help them avoid phishing attacks. We used learning science principles to design and iteratively refine the game. We evaluated the ...
School of phish: a real-world evaluation of anti-phishing training
SOUPS '09: Proceedings of the 5th Symposium on Usable Privacy and Security

PhishGuru is an embedded training system that teaches users to avoid falling for phishing attacks by delivering a training message when the user clicks on the URL in a simulated phishing email. In previous lab and real-world experiments, we validated ...

Comments

Information & Contributors

Information

Published In

cover image ACM Other conferences

eCrime '07: Proceedings of the anti-phishing working groups 2nd annual eCrime researchers summit

October 2007

90 pages

ISBN:9781595939395

DOI:10.1145/1299015

General Chair:
Lorrie Faith Cranor
Carnegie Mellon University

Copyright © 2007 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 04 October 2007

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Article

Conference

eCrime '07

eCrime '07: eCrime '07 - Anti-phishing working group 2007 eCrime Researchers' Summit

October 4 - 5, 2007

Pennsylvania, Pittsburgh, USA

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

81
Total Citations
View Citations
2,093
Total Downloads

Downloads (Last 12 months)153
Downloads (Last 6 weeks)20

Reflects downloads up to 09 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

Burda PAllodi LZannone N(2024)Cognition in Social Engineering Empirical Research: A Systematic Literature ReviewACM Transactions on Computer-Human Interaction10.1145/363514931:2(1-55)Online publication date: 29-Jan-2024
https://dl.acm.org/doi/10.1145/3635149
Wang CJia ZBenkraouda HZevnik CHeuermann NFoulger RHandler JWang G(2024)VeriSMS: A Message Verification System for Inclusive Patient Outreach against Phishing AttacksProceedings of the 2024 CHI Conference on Human Factors in Computing Systems10.1145/3613904.3642027(1-17)Online publication date: 11-May-2024
https://dl.acm.org/doi/10.1145/3613904.3642027
Marshall NSturman DAuton J(2024)Exploring the evidence for email phishing training: A scoping reviewComputers & Security10.1016/j.cose.2023.103695139(103695)Online publication date: Apr-2024
https://doi.org/10.1016/j.cose.2023.103695
Köhler DPünter WMeinel C(2024)We have Phishing at Home: Quantitative Study on Email Phishing Susceptibility in Private ContextsInformation Security10.1007/978-3-031-75764-8_13(246-265)Online publication date: 17-Oct-2024
https://doi.org/10.1007/978-3-031-75764-8_13
Köhler DBüßemeyer MMeinel C(2024)Cybersecurity Awareness Education: Just as Useful for Technical UsersApplied Cryptography and Network Security Workshops10.1007/978-3-031-61489-7_15(204-208)Online publication date: 29-Jun-2024
https://doi.org/10.1007/978-3-031-61489-7_15
Liu ESun LBellon AHo GVoelker GSavage SMunyaka IKelley PKapadia A(2023)Understanding the viability of gmail's origin indicator for identifying the senderProceedings of the Nineteenth USENIX Conference on Usable Privacy and Security10.5555/3632186.3632191(77-96)Online publication date: 7-Aug-2023
https://dl.acm.org/doi/10.5555/3632186.3632191
Sarno DBlack J(2023)Who Gets Caught in the Web of Lies?: Understanding Susceptibility to Phishing Emails, Fake News Headlines, and Scam Text MessagesHuman Factors: The Journal of the Human Factors and Ergonomics Society10.1177/0018720823117326366:6(1742-1753)Online publication date: 1-May-2023
https://doi.org/10.1177/00187208231173263
Schiller KAdamsky FBenenson Z(2023)Towards an Empirical Study to Determine the Effectiveness of Support Systems against E-Mail Phishing AttacksExtended Abstracts of the 2023 CHI Conference on Human Factors in Computing Systems10.1145/3544549.3585658(1-15)Online publication date: 19-Apr-2023
https://dl.acm.org/doi/10.1145/3544549.3585658
Baki SVerma R(2023)Sixteen Years of Phishing User Studies: What Have We Learned?IEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2022.315110320:2(1200-1212)Online publication date: 1-Mar-2023
https://doi.org/10.1109/TDSC.2022.3151103
Liguori CChu JKwak D(2023)A Study of Phishing Websites and Scan Evasion Techniques2023 Congress in Computer Science, Computer Engineering, & Applied Computing (CSCE)10.1109/CSCE60160.2023.00374(2299-2302)Online publication date: 24-Jul-2023
https://doi.org/10.1109/CSCE60160.2023.00374
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents