5 research outputs found
NoPhish: An Anti-Phishing Education App
Phishing is still a prevalent issue in today’s Internet. It can have financial or personal consequences. Attacks continue to become more and more sophisticated, and the advanced ones (including spear phishing) can only be detected if people carefully check URLs. We developed a game-based smartphone app, NoPhish, to educate people in accessing, parsing and checking URLs, i.e. enabling them to distinguish trustworthy from non-trustworthy websites. Throughout several levels information is provided and phishing detection is exercised
Learn to Spot Phishing URLs with the Android NoPhish App
Part 3: Tools and Applications for Teaching
Phishing is a prevalent issue in today’s Internet. It can have financial or personal consequences. Attacks continue to become more and more sophisticated, and the advanced ones (including spear phishing) can only be detected if people carefully check URLs, be it in messages or in the address bar of the web browser. We developed a game-based smartphone app, NoPhish, to educate people in accessing, parsing and checking URLs, i.e. enabling them to distinguish between trustworthy and non-trustworthy messages and websites. Throughout several levels of the game information is provided and phishing detection is exercised in a playful manner. Several learning principles were applied and the interfaces and texts were developed in a user-centered design
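The URL check that both NoPhish abstracts describe (isolate the host from a link, reduce it to the domain that actually owns the page, compare it with the domain the message claims to come from) can be illustrated in code. The following Python is an added example written for this page, not code from the NoPhish app or its authors. The sample URLs, the expected brand domain and the abbreviated suffix table are constructed assumptions; production code would consult the Public Suffix List instead of the three-entry table used here.

```python
from urllib.parse import urlsplit

# Constructed, abbreviated stand-in for the Public Suffix List (assumption):
# second-level suffixes under which the registrable domain has three labels.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """Reduce a hostname to the domain its owner controls.

    'login.paypal.co.uk'        -> 'paypal.co.uk'
    'paypal.com.evil.example'   -> 'evil.example'  (the brand is only a subdomain)
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) <= 2:
        return ".".join(labels)
    if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_url(url: str, expected_domain: str) -> dict:
    """Parse a URL the way a careful reader should and report the result.

    Returns host, registrable domain, whether it matches the domain the message
    claims, and, on a mismatch, where the brand name was placed as a decoy:
    'userinfo' (text before '@'), 'host' (a subdomain or prefix of the real host)
    or 'path'. None means the brand string is simply absent (e.g. a lookalike).
    """
    # Bare hosts without a scheme would otherwise be parsed as a path.
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""          # drops userinfo, port and IPv6 brackets, lowercases
    domain = registrable_domain(host) if host else ""
    brand = expected_domain.lower()
    match = domain == brand

    decoy = None
    if not match:
        if parts.username and brand in parts.username.lower():
            decoy = "userinfo"           # https://paypal.com@evil.example/
        elif brand in host and host != domain:
            decoy = "host"               # https://paypal.com.evil.example/
        elif brand in (parts.path + "?" + parts.query).lower():
            decoy = "path"               # https://evil.example/paypal.com/login
    return {"host": host, "domain": domain, "match": match, "decoy": decoy}


# Constructed sample links of the kind a reader would have to judge.
SAMPLES = [
    ("https://www.paypal.com/signin", "paypal.com"),
    ("https://paypal.com.secure-login.example/signin", "paypal.com"),
    ("https://paypal.com@evil.example/", "paypal.com"),
    ("https://evil.example/paypal.com/login", "paypal.com"),
    ("https://login.paypal.co.uk/", "paypal.co.uk"),
    ("https://paypa1.com/", "paypal.com"),
]


def triage(samples=SAMPLES) -> list:
    """Run check_url over the samples; returns one result dict per URL."""
    return [dict(url=url, **check_url(url, expected)) for url, expected in samples]


if __name__ == "__main__":
    for r in triage():
        verdict = "OK " if r["match"] else "BAD"
        print(f"{verdict} {r['url']:<50} owner={r['domain']:<22} decoy={r['decoy']}")
```

The last sample (`paypa1.com`) shows the limit of this kind of parsing: a lookalike domain contains no decoy to flag, so the only defence is knowing the real domain and comparing it character by character, which is the skill the app trains.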
Adopting the CMU/APWG anti-phishing landing page idea for Germany
Phishing attacks still pose a significant problem and purely technical solutions cannot solve this problem. While research literature in general shows that educating users in security is hard, the Anti-Phishing Landing Page proposed by CMU researchers seems promising as it appears in the most teachable moment, namely once someone clicked on a link and was very likely to fall for phishing. While this page is already in use and exists in many languages, we show that it is not effective in Germany as most users leave the page immediately without having read any advice. We therefore explore options to adopt their ideas for Germany. We focus on which are the trustworthy institutes that could provide such a landing page on their web pages and what is an appropriate headline and design
An investigation of phishing awareness and education over time: When and how to best remind users
Security awareness and education programmes are rolled out in more and more organisations. However, their effectiveness over time and, correspondingly, appropriate intervals at which to refresh users’ awareness and knowledge are an open question. In an attempt to address this open question, we present a field investigation in a German organisation from the public administration sector. With a total of 409 employees, we evaluated (a) the effectiveness of their newly deployed security awareness and education programme in the phishing context over time and (b) the effectiveness of four different reminder measures, administered after the initial effect had worn off to the point where no significant improvement over pre-deployment performance could be detected anymore. We find a significantly improved performance in correctly identifying phishing and legitimate emails directly after and four months after the programme’s deployment. This was no longer the case after six months, indicating that reminding users after half a year is recommended. The investigation of the reminder measures indicates that measures based on videos and interactive examples perform best, lasting for at least another six months