Privacy indexes : a survey of Westin's studies
Abstract: Since the late 1970s Dr. Alan Westin has conducted over 30 privacy surveys. For each of his surveys, Westin has created one or more Privacy Indexes to summarize his results and to show trends in privacy concerns. Many privacy researchers are interested in using these privacy indexes as benchmarks to which they can compare their own survey results. However, the details of how the indexes were calculated have not been reported except in the original survey reports. These reports were originally distributed in paper form, and many are no longer readily available. We obtained paper copies of five of these survey reports and found a sixth report online. We also found summaries of eight additional reports online. Here we report on the methodology used each year to calculate the privacy indexes and draw some conclusions about which indexes can be used to infer privacy trends.
Teaching Johnny Not to Fall for Phish
Phishing attacks exploit users’ inability to distinguish legitimate websites from fake ones. Strategies for combating phishing include: prevention and detection of phishing scams, tools to help users identify phishing web sites, and training users not to fall for phish. While a great deal of effort has been devoted to the first two approaches, little research has been done in the area of training users. Some research even suggests that users cannot be educated. However, previous studies have not evaluated the quality of the training materials used in their user studies or considered ways of designing more effective training materials. In this paper we present the results of a user study we conducted to test the effectiveness of existing online training materials that teach people how to protect themselves from phishing attacks. We found that these training materials are surprisingly effective when users actually read them. We then analyze the training materials using principles from learning sciences, and provide some suggestions on how to improve training materials based on those principles.
Protecting People from Phishing: The Design and Evaluation of an Embedded Training Email System
Phishing attacks, in which criminals lure Internet users to websites that impersonate legitimate sites, are occurring with increasing frequency and are causing considerable harm to victims. In this paper we describe the design and evaluation of an embedded training email system that teaches people about phishing during their normal use of email. We conducted lab experiments contrasting the effectiveness of standard security notices about phishing with two embedded training designs we developed. We found that embedded training works better than the current practice of sending security notices. We also derived sound design principles for embedded training systems.
School of Phish: A Real-World Evaluation of Anti-Phishing Training
PhishGuru is an embedded training system that teaches users to avoid falling for phishing attacks by delivering a training message when the user clicks on the URL in a simulated phishing email. In previous lab and real-world experiments, we validated the effectiveness of this approach. Here, we extend our previous work with a 515-participant, real-world study in which we focus on long-term retention and the effect of two training messages. We also investigate demographic factors that influence training and general phishing susceptibility. Results of this study show that (1) users trained with PhishGuru retain knowledge even after 28 days; (2) adding a second training message to reinforce the original training decreases the likelihood of people giving information to phishing websites; and (3) training does not decrease users’ willingness to click on links in legitimate messages. We found no significant difference between males and females in the tendency to fall for phishing emails both before and after the training. We found that participants in the 18-25 age group were consistently more vulnerable to phishing attacks on all days of the study than older participants. Finally, our exit survey results indicate that most participants enjoyed receiving training during their normal use of email.
Getting Users to Pay Attention to Anti-Phishing Education: Evaluation of Retention and Transfer
Educational materials designed to teach users not to fall for phishing attacks are widely available but are often ignored by users. In this paper, we extend an embedded training methodology using learning science principles in which phishing education is made part of a primary task for users. The goal is to motivate users to pay attention to the training materials. In embedded training, users are sent simulated phishing attacks and trained after they fall for the attacks. Prior studies tested users immediately after training and demonstrated that embedded training improved users’ ability to identify phishing emails and websites. In the present study, we tested users to determine how well they retained knowledge gained through embedded training and how well they transferred this knowledge to identify other types of phishing emails. We also compared the effectiveness of the same training materials delivered via embedded training and delivered as regular email messages. In our experiments, we found that: (a) users learn more effectively when the training materials are presented after users fall for the attack (embedded) than when the same training materials are sent by email (non-embedded); (b) users retain and transfer more knowledge after embedded training than after non-embedded training; and (c) users with higher Cognitive Reflection Test (CRT) scores are more likely than users with lower CRT scores to click on the links in the phishing emails from companies with which they have no account.