12 research outputs found

    Anti-Phishing Models: Main Challenges

    Phishing is a form of online identity theft in which the attacker attempts to fraudulently retrieve a legitimate user's account information, logon credentials or identity information in general. The compromised information is then used for withdrawing money online, taking out cash advances, or making purchases of goods and services on the accounts. Various solutions have been proposed and developed in response to phishing. As phishing is a business problem, the solutions target both non-technical and technical areas. This paper investigates the current anti-phishing solutions and critically reviews their usage, security weaknesses and their effectiveness. The analysis of these models points to a conclusion that technology alone will not completely stop phishing. What is necessary is a multi-tiered, organised approach: user awareness, technical and non-technical solutions should work together.

    Anti-Phishing Strong Authentication Technology Options

    Modelling Anti-Phishing Authentication Ceremonies

    Distributed Phishing Attacks

    We identify and describe a new type of phishing attack that circumvents what is probably today's most efficient defense mechanism in the war against phishing, namely the shutting down of sites run by the phisher. This attack is carried out using what we call a distributed phishing attack (DPA). The attack works by a per-victim personalization of the location of sites collecting credentials and a covert transmission of credentials to a hidden coordination center run by the phisher. We show how our attack can be simply and efficiently implemented and how it can increase the success rate of attacks while at the same time concealing the tracks of the phisher. We briefly describe a technique that may be helpful to combat DPAs.

    Phishing within e-commerce: reducing the risk, increasing the trust

    E-Commerce has been plagued with problems since its inception, and this study examines one of these problems: the lack of user trust in E-Commerce created by the risk of phishing. Phishing has grown exponentially together with the expansion of the Internet. This growth and the advancement of technology have not only benefited honest Internet users, but have also enabled criminals to increase their effectiveness, which has caused considerable damage to this budding area of commerce. Moreover, it has negatively impacted both the user and online business by breaking down the trust relationship between them. In an attempt to explore this problem, the following was considered: First, E-Commerce's vulnerability to phishing attacks. By referring to the Common Criteria Security Model, various critical security areas within E-Commerce are identified, as well as the areas of vulnerability and weakness. Second, the methods and techniques used in phishing, such as phishing e-mails, websites and addresses, distributed attacks and redirected attacks, as well as the data that phishers seek to obtain, are examined. Furthermore, the way to reduce the risk of phishing and in turn increase the trust between users and websites is identified. Here the importance of Trust and the Uncertainty Reduction Theory, plus the fine balance between trust and control, is explored. Finally, the study presents Critical Success Factors that aid in phishing prevention and control, these being: User Authentication, Website Authentication, E-mail Authentication, Data Cryptography, Communication, and Active Risk Mitigation.

    Human-centered Information Security and Privacy: Investigating How and Why Social and Emotional Factors Affect the Protection of Information Assets

    Information systems (IS) are becoming increasingly integrated into the fabric of our everyday lives, for example, through cloud-based collaboration platforms, smart wearables, and social media. As a result, nearly every aspect of personal, social, and professional life relies on the constant exchange of information between users and online service providers. However, as users and organizations entrust more and more of their personal and sensitive information to IS, the challenges of ensuring information security and privacy become increasingly pressing, particularly given the rise of cybercrime and microtargeting capabilities. While the protection of information assets is a shared responsibility between technology providers, legislation, organizations, and individuals, previous research has emphasized the pivotal role of the user as the last line of defense. Whereas prior works on human-centered information security and privacy have primarily studied the human aspect from a cognitive perspective, it is important to acknowledge that security and privacy phenomena are deeply embedded within users' social, emotional, and technological environment. Therefore, individual decision-making and organizational phenomena related to security and privacy need to be examined through a socio-emotional lens. As such, this thesis sets out to investigate how and why socio-emotional factors influence information security and privacy, while simultaneously providing a deeper understanding of how these insights can be utilized to design effective security and privacy-enhancing tools and interventions. This thesis includes five studies that have been published in peer-reviewed IS outlets.

    The first strand of this thesis investigates individual decision-making related to information security and privacy. Daily information disclosure decisions, such as providing login credentials to a phishing website or giving apps access to one's address book, crucially affect information security and privacy. In an effort to support users in their decision-making, research and practice have begun to develop tools and interventions that promote secure and privacy-aware behavior. However, our knowledge on the design and effectiveness of such tools and interventions is scattered across a diverse research landscape. Therefore, the first study of this thesis (article A) sets out to systematize this knowledge. Through a literature review, the study presents a taxonomy of user-oriented information security interventions and highlights crucial shortcomings of current approaches, such as a lack of tools and interventions that provide users with long-term guidance and an imbalance regarding cyber attack vectors. Importantly, the study confirms that prior works in this field tend to limit their scope to a cognitive processing perspective, neglecting the influence of social and emotional factors. The second study (article B) examines how users make decisions on disclosing their peers' personal information, a phenomenon referred to as privacy interdependence. Previous research has shown that users tend to have a limited understanding of the social ramifications of their decisions to share information, that is, the impact of their disclosure decisions on others' privacy. The study is based on a theoretical framework that suggests that for a user, recognizing and respecting others' privacy rights is heavily influenced by the perceived salience of others within their own socio-technical environment. The study introduces an intervention aimed at increasing the salience of others' personal data during the decision-making process, resulting in a significant decrease of interdependent privacy infringements. These findings indicate that current interfaces do not allow users to make informed decisions about their peers' privacy, a problem that is highly relevant for policymakers and regulators. Shifting the focus towards an organizational context of individual security decision-making, the third study (article C) investigates employees' underlying motives for reporting cyber threats. With the aim to maximize employees' adoption of reporting tools, the study examines the effect of two tool design features on users' utilitarian and hedonic motivation to report information security incidents. The findings suggest that reporting tools that elicit a sense of warm glow, that is, a boost of self-esteem and personal satisfaction after performing an altruistic act, result in higher tool adoption compared to those that address solely users' utilitarian motivation. This unlocks a new perspective on organizational information security as a whole and showcases new ways in which organizations can engage users in promoting information security.

    The second strand of this thesis focuses on the context of organizational information security. Beyond individual decision-making, organizations face the challenge of maintaining an information security culture, including, for example, employees' awareness of security risks, top management commitment, and interdepartmental collaboration with regard to security issues. The fourth study (article D) presents a measurement instrument to assess employees' security awareness. Complementary to the predominant method of self-reported surveys, the study introduces an index based on employees' susceptibility to simulated social engineering attacks. As such, it presents a novel way to measure security awareness that closes the intention-behavior gap and enables information security officers to nonintrusively monitor human vulnerabilities in real time. Furthermore, the findings indicate that security education, training and awareness (SETA) programs not only increase employees' awareness of information security risks, but also improve their actual security behavior. Finally, the fifth study (article E) investigates the influence of external socio-emotional disruption on information security culture. Against the backdrop of the COVID-19 pandemic, the longitudinal study reveals novel inhibitors and facilitators of information security culture that emerged in the face of global socially and emotionally disruptive change over the course of 2020. Specifically, the study demonstrates that such disruptive events can influence information security culture negatively or, counterintuitively, positively, depending on prerequisites such as digital maturity and economic stability.

    Overall, this thesis highlights the importance of considering socio-emotional factors in protecting information assets by providing a more comprehensive understanding of why and how such factors affect human behavior related to information security and privacy. By doing so, this thesis answers calls for research that urge scholars to consider security and privacy issues in a larger social and emotional context. The studies in this thesis contribute to IS research on information security and privacy by (1) uncovering social and emotional motives as hitherto largely neglected drivers of users' decision-making, (2) demonstrating how tools and interventions can leverage these motives to improve users' protection of information assets, and (3) revealing the importance of external socio-emotional factors as a thus far under-investigated influence on organizational information security. In practice, this thesis offers actionable recommendations for designers building tools and interventions to support decision-making with regard to information security and privacy. Likewise, it provides important insights to information security officers on how to build a strong and resilient information security culture, and guides policymakers in accounting for socially embedded privacy phenomena.

    Counteracting phishing through HCI

    Computer security is a very technical topic that is in many cases hard to grasp for the average user. Especially when using the Internet, the biggest network connecting computers globally together, security and safety are important. In many cases they can be achieved without the user's active participation: securely storing user and customer data on Internet servers is the task of the respective company or service provider, but there are also a lot of cases where the user is involved in the security process, especially when he or she is intentionally attacked. Socially engineered phishing attacks are such a security issue, where users are directly attacked to reveal private data and credentials to an unauthorized attacker. These types of attacks are the main focus of the research presented within my thesis. I have a look at how these attacks can be counteracted by detecting them in the first place but also by mediating these detection results to the user. In prior research and development these two areas have most often been regarded separately, and new security measures were developed without taking the final step of interacting with the user into account. This interaction mainly means presenting the detection results and receiving final decisions from the user. As an overarching goal within this thesis I look at these two aspects united, stating the overall protection as the sum of detection and "user intervention". Within nine different research projects about phishing protection this thesis gives answers to ten different research questions in the areas of creating new phishing detectors (phishing detection) and providing usable user feedback for such systems (user intervention): the ten research questions cover five different topics in both areas, from the definition of the respective topic over ways how to measure and enhance the areas to finally reasoning about what is making sense. The research questions have been chosen to cover the range of both areas and the interplay between them. They are mostly answered by developing and evaluating different prototypes built within the projects that cover a range of human-centered detection properties and evaluate how well these are suited for phishing detection. I also take a look at different possibilities for user intervention (e.g. what should a warning look like? should it be blocking or non-blocking or perhaps even something else?). As a major contribution I finally present a model that combines phishing detection and user intervention and propose development and evaluation recommendations for similar systems. The research results show that when developing security detectors that yield results being relevant for end users, such a detector can only be successful in case the final user feedback already has been taken into account during the development process.

    Computer security is a topic that is hard for the average user to understand. Especially when users move about on the Internet, the largest network of our time, their technical and personal security is extremely important. In many cases this can be achieved without the user's involvement. Guaranteeing data security on servers is the responsibility of the service providers, with no active help from the user required. There are, however, also many cases in which the user is part of the security process, especially when he or she becomes the victim of attacks. Phishing attacks are a particularly important example here, in which attackers try to obtain the user's private data through social manipulation. This type of attack is the focus of the present thesis. I look at how such attacks can be counteracted by not only detecting them but also conveying the result of the detection process to the user. Previous research and development has mostly considered these two areas separately. Security mechanisms were developed without including the final step of presentation to the user. This mainly refers to presenting the results so that the user can then make a proper decision. As the overarching goal of this thesis I consider these two aspects together and postulate that user protection is the sum of problem detection and "user intervention". With the help of nine different research projects on phishing protection, this thesis answers ten research questions on building detectors ("phishing detection") and providing usable feedback for such systems ("user intervention"). The ten research questions cover five different areas in each of the two fields. These areas range from the definition of the respective topic, through measurement methods and possibilities for improvement, to considerations of the cost-benefit ratio. The research questions were chosen so that they cover both fields broadly and allow the dependencies between them to be addressed. The research questions are mainly answered by building various prototypes within the projects, covering a wide range of human-centered detection parameters and evaluating how well they are suited to phishing detection. I have also examined the different possibilities for user intervention (e.g. what should a warning look like? should it block user interaction or not?). A further main contribution is finally the presentation of a model that brings together the development of phishing detection and user-interaction measures, on the basis of which development and analysis recommendations for similar systems are given. The research results show that detectors for computer security problems that play a role for the end user can only be developed successfully if the final user feedback already flows into the detector's development process.

    Delayed password disclosure