1,001 research outputs found

    Developing and evaluating a five minute phishing awareness video

    Confidence tricksters have always defrauded the unwary. The computer era has merely extended their range and made it possible for them to target anyone in the world who has an email address. Nowadays, they send phishing messages that are specially crafted to deceive. Improving user awareness has the potential to reduce their effectiveness. We have previously developed and empirically-validated phishing awareness programmes. Our programmes are specifically designed to neutralize common phish-related misconceptions and teach people how to detect phishes. Many companies and individuals are already using our programmes, but a persistent niggle has been the amount of time required to complete the awareness programme. This paper reports on how we responded by developing and evaluating a condensed phishing awareness video that delivered phishing awareness more efficiently. Having watched our video, participants in our evaluation were able to detect phishing messages significantly more reliably right after watching the video (compared to before watching the video). This ability was also demonstrated after a retention period of eight weeks after first watching the video

    Development and Evaluation of an Anti-Phishing Shooting Game

    Phishing attacks continue to pose a great threat to citizens and companies. This paper introduces a newly developed anti-phishing shooting game and describes the design and results of an evaluation study. The conclusion of the study is that the game can be an engaging measure to raise awareness among Internet users regarding phishing messages and to support users in recognizing such messages

    An investigation of phishing awareness and education over time: When and how to best remind users

    Security awareness and education programmes are rolled out in more and more organisations. However, their effectiveness over time and, correspondingly, appropriate intervals to remind users’ awareness and knowledge are an open question. In an attempt to address this open question, we present a field investigation in a German organisation from the public administration sector. With overall 409 employees, we evaluated (a) the effectiveness of their newly deployed security awareness and education programme in the phishing context over time and (b) the effectiveness of four different reminder measures – administered after the initial effect had worn off to a degree that no significant improvement to before its deployment was detected anymore. We find a significantly improved performance of correctly identifying phishing and legitimate emails directly after and four months after the programme’s deployment. This was not the case anymore after six months, indicating that reminding users after half a year is recommended. The investigation of the reminder measures indicates that measures based on videos and interactive examples perform best, lasting for at least another six months

    Cybersecurity for Middle School Teachers

    The COVID-19 pandemic changed the landscape of middle school education. It influenced how educators teach in the classroom and increased the number of online tools and resources available for them to use. The educational technology (edtech) sector boomed with different applications designed to help educators instruct and assess their students in virtual learning environments. Though many edtech companies developed applications that were instrumental in helping students and teachers, some of these applications were designed to collect sensitive information (e.g., data habits, keystrokes, and contact lists). In addition, many edtech companies distributed or sold this sensitive information to third-party companies whose purpose may or may not have been for education. To address this complex issue, the author developed an instructional module designed to train middle school teachers about cybersecurity issues. The goal of the instruction was to help these educators protect themselves and their students from cyber threats. The instruction itself used a variety of instructional design principles, as well as digital safety models and teaching and learning strategies. Both a usability test and a learning assessment were conducted to show how effective the design of the instructional tool was for teaching cybersecurity. The results of the evaluation revealed that the instructional module was informative, engaging, and relevant, suggesting that the future development of this module could be used to train all educators in practicing safe cybersecurity habits

    Nurturing a Digital Learning Environment for Adults 55+

    Being digitally competent means having competences in all areas of DigComp: Information and data literacy, Communication and collaboration, Digital content creation, Safety and Problem-solving. More than other demographic categories, adults 55+ have a wide range of levels of digitalization. Depending on their level of competences, individuals may join self-administered online courses to improve their skills, or they may need guidance from adult educators. Taking into consideration the above situation and willing to address adult learners regardless of their initial skill levels, the proposed educational programme is carefully designed for both: self-administrated and educator-led training. It comprises five totally innovative courses that can be separately taught or can be integrated into a complex programme delivered by adult education organizations. These courses are the result of an ERASMUS+ project “Digital Facilitator for Adults 55+”. Chapter 1 introduces the methodology for designing attractive and engaging educational materials for adults’ digital skills improvement. The methodology clarifies the inputs, the development process and the expected results. An ample explanation of the five phases of the 5E instructional strategy is presented to help adult educators build a sequence of coherent and engaging learning stages. With this approach, learners are supported to think, work, gather ideas, identify their own skill levels and needs, analyse their progress, and communicate with others under the guidance of educators. Following up on the proposed methodology, in Chapter 2 researchers from Formative Footprint (Spain), TEAM4Excellence (Romania), Voluntariat Pentru Viata (Romania) and Saricam Halk Egitimi Merkezi (Turkey) developed five course modules in line with the DIGCOMP - Digital Competence Framework for Citizens. 
These modules address the competence areas of information and data literacy, communication and collaboration, digital content creation, safety, and problem-solving. Each course module comprises digital textbooks, videos, interactive activities and means for evaluation developed using the 5E instructional model strategy. Understanding that accessibility is one of the main components of lifelong learning education, Chapter 3 of the manual provides an overview of the integration of educational materials, tools, instruments, video tutorials as well as DIFA55+ web app in the digital educational ecosystem. Finally, the authors formulate recommendations for usability and transferability that go beyond individuals, ensuring that educational materials are user-friendly and effective while making it easier to apply successful pedagogical approaches in other complementary educational contexts or projects. Grant Agreement—2021-1-RO01-KA220-ADU-000035297, Digital Facilitator for Adults 55

    A Cognitive Theory-based Approach for the Evaluation and Enhancement of Internet Security Awareness among Children Aged 3-12 Years

    In the age of technology, the Internet has spread widely and is used for multiple purposes by users of all ages, especially children who start using it frequently to play in their spare time. With the use of the Internet, children must have a sufficient security awareness to avoid security risks found online. This study takes us through the journey of evaluating and enhancing the level of the Internet security awareness among a group of Saudi children aged 3-12 years. The developed evaluation survey shows that there is some awareness among the Saudi children; however, they still need more concrete ways of ensuring secure practices as they showed a poor knowledge of proper Internet security practices in areas such as interacting with anonymous advertisements as well as understanding some of the Internet security symbols. The study also presents a suggested Awareness Enhancement solution to raise the security awareness among children. The solution’s design takes into consideration Piaget’s theory of children’s cognitive development, which states that children in different age groups have different perceptual and learning abilities. The test of the suggested solution shows a significant increase in the sample’s Internet security level. The work of this study emphasizes the importance of targeting the Saudi children with interactive training sessions to raise their Internet security awareness level

    WHERE DO YOU LOOK? RELATING VISUAL ATTENTION TO LEARNING OUTCOMES AND URL PARSING

    Visual behavior provides a dynamic trail of where attention is directed. It is considered the behavioral interface between engagement and gaining information, and researchers have used it for several decades to study user's behavior. This thesis focuses on employing visual attention to understand user's behavior in two contexts: 3D learning and gauging URL safety. Such understanding is valuable for improving interactive tools and interface designs. In the first chapter, we present results from studying learners' visual behavior while engaging with tangible and virtual 3D representations of objects. This is a replication of a recent study, and we extended it using eye tracking. By analyzing the visual behavior, we confirmed the original study results and added more quantitative explanations for the corresponding learning outcomes. Among other things, our results indicated that the users allocate similar visual attention while analyzing virtual and tangible learning material. In the next chapter, we present a user study's outcomes wherein participants are instructed to classify a set of URLs wearing an eye tracker. Much effort is spent on teaching users how to detect malicious URLs. There has been significantly less focus on understanding exactly how and why users routinely fail to vet URLs properly. This user study aims to fill the void by shedding light on the underlying processes that users employ to gauge the URL's trustworthiness at the time of scanning. Our findings suggest that users have a cap on the amount of cognitive resources they are willing to expend on vetting a URL. Also, they tend to believe that the presence of www in the domain name indicates that the URL is safe

    EXPERIMENTAL STUDY TO ASSESS THE IMPACT OF TIMERS ON USER SUSCEPTIBILITY TO PHISHING ATTACKS

    Social engineering costs organizations billions of dollars. It exploits the weakest link of information systems security, the users. It is well-documented in literature that users continue to click on phishing emails costing them and their employers significant monetary resources and data loss. Training does not appear to mitigate the effects of phishing much; other solutions are warranted. Kahneman introduced the concepts of System-One and System-Two thinking. System-One is a quick, instinctual decision-making process, while System-Two is a slow, logical process that is easily disrupted. The key aim of our experimental field study was to investigate if requiring the user to pause by presenting a countdown or count-up timer when a possible phishing email is opened will influence the user to enter System-Two thinking. In this study, we designed, developed, and empirically tested a Pause-and-Think (PAT) mobile app that presented a user with a warning dialog and a countdown or count-up timer. Our goal was to determine whether requiring users to wait with a colored warning and a timer has any effect on phishing attempts. The study was completed in three phases with 42 subject matter experts and 107 participants. The results indicated that a countdown timer set at 3-seconds accompanied by red warning text was most effective on the user’s ability to avoid clicking on a malicious link or attachment. Recommendations for future research include enhancements to the PAT mobile app and investigating what effect the time of day has on susceptibility to phishing

    A Longitudinal Study of Factors that Affect User Interactions with Social Media and Email Spam

    Given the rapid growth of social media and the increasing prevalence of spam, it is crucial to understand users’ interactions with unsolicited content to develop effective countermeasures against spam. This thesis focuses on exploring the factors that influence users’ decisions to interact with spam on social media and email. It builds upon prior work, which serves as a foundation for further research and conducting a longitudinal analysis. Our results are based on the analysis of 221 responses collected through an online survey. The survey not only gathered demographic information such as age, gender, and race but also collected data on education, spam training, interaction with spam, and experiences of being a victim of spam. With about 87% of respondents stating they sometimes, often, or always encounter spam on social media, only 23% interact with it sometimes, often, or always before knowing it was spam, and 10% sometimes, often, or always interact with social media spam after knowing it was spam. Of the 75% of the respondents who stated that they sometimes, often, or always encounter email spam, approximately 13% of the respondents stated that they sometimes, often, or always interact with email spam before knowing it is spam, and 6% stated that they sometimes, often, or always interact with email spam after knowing it is spam. Although only 38% of the users stated that they may have been victims of social media spam and 21% stated that they may have been victims of email spam. Among the factors analyzed, only age had an effect on reporting email spam, but not social media spam. A STEM education was found to reduce the likelihood of being a victim of both social media and email spam, as well as reduce the likelihood of interacting with both email and social media spam, but only before users knew they were interacting with spam. 
Interestingly, formal spam training did not show any statistical significance in determining how users interact with, report, or become victims of social media spam, although there was an effect when observing the identification of email spam. To quantify the effect of different factors on individuals falling victim to spam on social media and email, a logistic regression analysis was performed. The research findings suggest that individuals with a higher attained degree and a STEM background are the least likely to be victims of spam