Abstract
The objective of this paper is to report on an organizational framework consisting of human, organization and technology (HOT) dimensions, which holistically addresses aspects associated with phishing. Most of the anti-phishing literature studied focused on either technical controls or education in isolation; however, education is core to all aspects of the framework. It is evident from the literature that little work has been conducted on anti-phishing preventative measures in the context of organizations; most has instead been conducted at the level of the individual user. In the framework, the emphasis is placed on the human factors involved in addressing phishing attacks.
© 2013 IFIP International Federation for Information Processing
Frauenstein, E.D., von Solms, R. (2013). An Enterprise Anti-phishing Framework. In: Dodge, R.C., Futcher, L. (eds) Information Assurance and Security Education and Training. WISE 2013, WISE 2011, WISE 2009. IFIP Advances in Information and Communication Technology, vol 406. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-39377-8_22
DOI: https://doi.org/10.1007/978-3-642-39377-8_22
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-39376-1
Online ISBN: 978-3-642-39377-8
eBook Packages: Computer Science (R0)