Article

Abstract and Figures

User education must focus on challenging and correcting the misconceptions that guide current user behavior. To date, user education on phishing has tried to persuade users to check URLs and a number of other indicators, with limited success. The authors evaluate a novel antiphishing tool in a realistic setting: participants had to buy tickets under time pressure and lost money if they bought from bad sites. Although none of the participants bought from sites the tool clearly identified as bad, 40 percent risked money with sites flagged as potentially risky but offering bargains. When tempted by a good deal, participants didn't focus on the warnings; rather, they looked for signs they thought confirmed a site's trustworthiness.
... Misconceptions related to malware and deception on the Internet included statements about how malware can be spread and the damage it may cause, but also about phishing and malicious websites. Our 16 malware and deception-related statements were derived from literature about malware myths [46], and from literature on the trustworthiness of websites and user interaction with phishing [9,19]. One malware myth we integrated is "If I don't discover anything suspect on my computer, then it is not infected with malware." ...
... Except for the topics malware and HTTPS, participants older than 25 were more likely to hold misconceptions than participants younger than 25. We observed the highest estimates for the topics Wi-Fi and private browsing, with the biggest differences between very young (18-24) and older participants; the highest value was observed for participants 55+ (0.27). Participants older than 40 ...
... The research was primarily funded by the Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) under Germany's Excellence Strategy - EXC 2092 CASA - 390781972 and also (partly) by the PhD School "SecHuman - Security for Humans in Cyberspace" by the federal state of NRW, Germany. ...
[Flattened table residue from the citing paper. Study populations: (1) Austria & Germany; (2) US; (1) The Netherlands, Belgium, Germany, Switzerland, Austria, the United Kingdom, Russia, Spain, Italy, Poland, and the US. Sources of the misconception statements: (1) "Malware Myth" in Cyberdanger [46]; (2) Security education against phishing: A modest proposal for a major re-think [19]; (3) Modelling User-Phishing Interaction [9].]
Preprint
Misconceptions about digital security and privacy topics in the general public frequently lead to insecure behavior. However, little is known about the prevalence and extent of such misconceptions in a global context. In this work, we present the results of the first large-scale survey of a global population on misconceptions: We conducted an online survey with n = 12,351 participants in 12 countries on four continents. By investigating influencing factors of misconceptions around eight common security and privacy topics (including E2EE, Wi-Fi, VPN, and malware), we find the country of residence to be the strongest estimate for holding misconceptions. We also identify differences between non-Western and Western countries, demonstrating the need for region-specific research on user security knowledge, perceptions, and behavior. While we did not observe many outright misconceptions, we did identify a lack of understanding and uncertainty about several fundamental privacy and security topics.
... All these emails are trying to scare the reader into buying face masks. Other spikes, such as 6th of July 2020 and 14th of December, are also caused by phishing campaigns but with an alternative characteristic pattern and phishing scheme (i.e., fake news headlines with a link to a store (6th), and selling home warranty protection plans (14th)). If we decompose the peaks in the analysis of Fig. 4 into the topic clusters forming the peak, we observed that those peaks are constructed primarily by one topic cluster, as seen with the peak on March 26th. ...
[Flattened table residue interleaved in the snippet: phishing patterns listed as profiled purchasing (Hamid and Abawajy, 2013), compulsive buying (Halevi et al., 2015), deals too good to be true (Kirlappos and Sasse, 2011), peak pattern (Drury et al., 2022); also cited: Lastdrager, 2018; Ramzan and Wüest, 2007.]
Article
To design preventive policy measures for email phishing, it is helpful to be aware of the phishing schemes and trends that are currently applied. How phishing schemes and patterns emerge and adapt is an ongoing field of study. Existing phishing works already reveal a rich set of phishing schemes, patterns, and trends that provide insight into the mechanisms used. However, there seems to be limited knowledge about how email phishing is affected in periods of social disturbance, such as COVID-19, during which phishing numbers quadrupled. Therefore, we investigate how the COVID-19 pandemic influenced the phishing emails sent during the first year of the pandemic. The email content (header data and HTML body, excluding attachments) is evaluated to assess how the pandemic influences the topics of phishing emails over time (peaks and trends), whether email campaigns correlate with momentous events and trends of the COVID-19 pandemic, and what hidden content is revealed. This is studied through an in-depth analysis of the body of 500,000 phishing emails addressed to Dutch registered top-level domains collected during the start of the pandemic. The study reveals that most COVID-19 related phishing emails follow known patterns, indicating that perpetrators are more likely to adapt than to reinvent their schemes.
... Phishing Definitions: There is no clear definition of phishing. However, the focus falls on two main aspects: (1) phishing where attackers deceive users in order to access sensitive information (e.g., passwords, personal data, bank details) using authentic-looking phishing emails or web pages [11], [12], [26], [47], [55], [56], [73], [80] and (2) phishing where attackers spread malware through links or attachments [8], [25], [33], [34], [42], [51], [70], [78], [87], [91]. We consider both (1) and (2) as phishing and our security awareness and education measure addresses them accordingly. ...
... Despite technology-based solutions such as phishing filters and popup blockers assisting online users in spotting fake websites and emails (Frauenstein, 2014), online users lack an understanding of what security indicators signify; they ignore browser security warning alerts for monetary rewards (Kirlappos and Sasse, 2012), and they do not want security warning alerts to disrupt their online activities, so they just focus on the areas of their interest that are most important to them (Krol, Moroz & Sasse 2012). The spelling errors in the URL structures, such as "g00gle. ...
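The URL check that the advice discussed above asks users to perform (spotting a "g00gle"-style substitution, a brand name buried in a subdomain, or a one-character typo) is exactly the kind of check a tool can do instead of the user. The following is an added example written for this page, not code from any of the papers cited here. It assumes a constructed allowlist of trusted registrable domains, a constructed table of confusable characters, and constructed sample URLs; punycode (xn--) labels are expanded with Python's standard idna codec, and the registrable domain is approximated as the last two labels because no public-suffix list is bundled.

```python
"""Lookalike-domain check: the URL inspection users are asked to do, done in code.

Added example for this page, not code from any cited paper. The allowlist, the
confusable table and the sample URLs are constructed for illustration.
"""
from typing import NamedTuple
from urllib.parse import urlsplit

# Constructed allowlist of registrable domains the tool trusts (assumption).
TRUSTED_DOMAINS = frozenset({"google.com", "paypal.com", "amazon.com", "apple.com"})

# Constructed table of characters attackers substitute for Latin letters.
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a",
    "\u0430": "a",  # Cyrillic a
    "\u0435": "e",  # Cyrillic ie
    "\u043e": "o",  # Cyrillic o
    "\u0440": "p",  # Cyrillic er
    "\u0441": "c",  # Cyrillic es
}


class Verdict(NamedTuple):
    host: str
    verdict: str   # "trusted", "lookalike" or "unknown"
    target: str    # trusted domain being imitated ("" when unknown)
    reason: str


def host_of(url: str) -> str:
    """Extract the host, expand punycode (xn--) labels and drop a leading 'www.'."""
    if "://" not in url:
        url = "http://" + url  # bare domain as typed into a browser
    host = (urlsplit(url).hostname or "").rstrip(".")
    try:
        host = host.encode("ascii").decode("idna")  # "xn--pple-43d" -> Cyrillic-a "apple"
    except UnicodeError:
        pass  # already Unicode or malformed label: keep as-is
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def fold_confusables(name: str) -> str:
    """Map each confusable character to the Latin letter it imitates."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in name)


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertion, deletion, substitution and
    adjacent transposition each cost 1 (catches 'goolge' as well as 'gooogle')."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def _trusted_match(host: str, trusted) -> str:
    """Return the trusted domain that host equals or is a subdomain of, else ''."""
    for t in trusted:
        if host == t or host.endswith("." + t):
            return t
    return ""


def classify(url: str, trusted=TRUSTED_DOMAINS, max_distance: int = 1) -> Verdict:
    host = host_of(url)
    target = _trusted_match(host, trusted)
    if target:
        return Verdict(host, "trusted", target, "exact or subdomain match")
    folded = fold_confusables(host)
    target = _trusted_match(folded, trusted)
    if target:
        return Verdict(host, "lookalike", target, "confusable characters")
    for t in trusted:  # brand used as a subdomain of an unrelated registrable domain
        if host.startswith(t + ".") or ("." + t + ".") in host:
            return Verdict(host, "lookalike", t, "trusted name embedded as subdomain")
    # Simplification: registrable domain taken as the last two labels (no public-suffix list).
    registrable = ".".join(folded.split(".")[-2:])
    distance, t = min((edit_distance(registrable, t), t) for t in trusted)
    if distance <= max_distance:
        return Verdict(host, "lookalike", t, f"edit distance {distance}")
    return Verdict(host, "unknown", "", "no trusted domain within reach")


if __name__ == "__main__":
    # Constructed sample URLs covering each branch of classify().
    for sample in ["https://www.google.com/", "http://g00gle.com/login", "https://paypa1.com",
                   "http://paypal.com.secure-login.example/", "https://xn--pple-43d.com/",
                   "https://goolge.com", "https://example.com"]:
        print(classify(sample))
```

Two caveats follow from the page itself. An allowlist only catches imitations of brands it knows, so an unknown domain is "unknown", not safe. And because the Kirlappos and Sasse study found that participants risked money on sites merely flagged as potentially risky, a tool that reaches the "lookalike" verdict should block the page outright rather than show a warning the user can click through.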
Article
Despite emails and websites being widely used for communication, collaboration, and day-to-day activity, not all online users have the same knowledge and skills when determining the credibility of visited websites and email content. As a result, phishing, an identity theft cyber-attack that targets humans rather than computers, was born to harvest internet users' confidential information by taking advantage of human behavior, hurting an organization's continuity, reputation, and credibility. Because the success of phishing attacks depends on human behavior, the study's objective, using the Health Belief Model, is to examine significant factors that influence online users' security behavior in the context of email and website-based phishing attacks. The model included eight predictor variables and was validated using quantitative data from 138 academic staff. The study findings exhibit that 4 out of 8 predictor variables, namely Perceived Barriers, Perceived Susceptibility, Self-efficacy, and Security Awareness, are statistically significant in determining users' security behavior. The study's outcome is to assist in the appropriate design of both online and offline content for cyber security awareness programs, focusing on email and website-based phishing attacks.
... Researchers have suggested further experiential studies on information security awareness programs and education. Thus, awareness training and its effect on end-user performance (is termed "risk score" herein) and adherence to protection strategies can prevent cyber-attacks (Ifinedo, 2012;Kirlappos & Sasse, 2012;Purkait, 2012;Wilding, 2016). Thus, awareness achieved via proper education can affect information security. ...
Thesis
Cybersecurity awareness training plays a vital role for organizations in guaranteeing resources' availability. Sufficient education regarding security awareness necessitates relating both the scope and importance of the training. This research determines the correlation between an employee's risk score and the effectiveness of AI-based security awareness training to contend with cyber intimidations, limit and lessen data violations, and include the Unified Theory of Acceptance and Use of Technology. Prior research has revealed that at-risk employees' behavior and implementation of information security awareness training make up successful interventions. This research fills a literature gap by determining the relationships between the employees' risk scores and AI-based security awareness training programs' effectiveness. This study used a quantitative research design. The researcher analyzed survey responses using Pearson's correlation and an independent t-test to determine if there were statistically significant relationships and differences between employees' risk scores and an AI-based security awareness training program's effectiveness. The calculations came from a sample size of 200 participants from two different organizations, and the sample size was determined with G*Power (n = 200). The Pearson product correlation of employees' risk scores and the effectiveness of the security awareness training program was statistically significant (r = .154, p < .05). The researcher also conducted an independent-samples t-test to compare the employees' risk scores by gender. There were no significant differences (t[198] = 1.850, p > 0.05) in scores. Male scores (M = 25.074, SD = 5.9022) are higher than female ones (M = 23.518, SD = 5.9522). The mean difference (1.5563, 95% CI: -0.1026 to 3.2152) was minimal.
The findings herein help interpret the role of information security awareness training in the workplace, promoting behavioral changes that would impede data violations by including the users' vulnerability and the severity of intimidation, and the response to a threat in prognosticating behavior intentions.
Article
Frequent and habitual engagement with social media can reinforce certain activities such as sharing, clicking hyperlinks, and liking, which may be performed with insufficient cognition. In this study, we aimed to examine the associations between personality traits, habits, and information processing to identify social media users who are susceptible to phishing attacks. Our experimental data consisted of 215 social media users. The results revealed two important findings. First, users who scored high on the personality traits of extraversion, agreeableness, and neuroticism were more likely to engage in habitual behaviors that increase their susceptibility to phishing attacks, whereas those who scored high on conscientiousness were less likely. Second, users who habitually react to social media posts were more likely to apply heuristic processing, making them more susceptible to phishing attacks than those who applied systematic processing.
Article
In order to keep one's computing systems and data secure, it is critical to be aware of how to effectively maintain security and privacy online. Prior experimental work has shown that social media are effective platforms for encouraging security-enhancing behavior. Through an analysis of historical social media logs of 38 participants containing almost 200,000 social media posts, we study the extent to which participants talked about security and privacy on social media platforms, specifically Facebook and Twitter. We found that interactions with posts that feature content relevant to security and privacy made up less than 0.09% of all interactions we observed. A thematic analysis of the security- and privacy-related posts that participants interacted with revealed that such posts very rarely discussed security and privacy constructively, instead often joking about security practices or encouraging undesirable behavior. Based on the overall findings from this thematic analysis, we develop and present a taxonomy of how security and privacy may be typically discussed on social networks, which is useful for constructing helpful security and privacy advice or for identifying advice that may have an undesirable impact. Our findings, though based on a fraction of the population of social media users, suggest that while social networks may be effective in influencing security behavior, there may not be enough substantial or useful discussions of security and privacy to encourage better security behaviors in practice and on a larger scale. Our findings highlight the importance of increasing the prevalence of constructive security and privacy advice on online social media in order to encourage widespread adoption of healthy security practices.
Article
The move to 'digital first' has led to increasing dependence on online services, which increases susceptibility to security incidents. Human behaviours can compromise organisational information security, with myriad perpetrators willing to exploit the human propensity to trust in order to achieve such compromises. Phishing emails, which present recipients with an email containing a fraudulent link or a rogue attachment that can lead to the installation of malware or facilitate a ransomware attack, are a key attack vector. But encouraging users to slow down when processing emails can help combat this threat.
Article
The halo effect is a systematic bias in attribute ratings resulting from raters' tendency to rely on global affect rather than carefully discriminating among conceptually distinct and potentially independent brand attributes. Traditionally, researchers have regarded the halo effect as a source of measurement error to be avoided. Discusses how halo measurement can serve as a useful indicator of brand equity. Uses consumer rating data in three categories of commonly purchased household products to demonstrate the approach.
Chapter
In this paper, we investigate how interpersonal cues of expertise affect trust in different media representations. Based on a review of previous research, richer representations could lead either to a positive media bias (P1) or increased sensitivity for cues of expertise (P2). In a laboratory study, we presented 160 participants with two advisors — one represented by text-only; the other represented by one of four alternate formats: video, audio, avatar, or photo+text. Unknown to the participants, one was an expert (i.e. trained) and the other was a non-expert (i.e. untrained). We observed participants’ advice seeking and advice uptake to infer their sensitivity to correct advice in a situation of financial risk. We found that most participants preferred seeking advice from the expert, but we also found a tendency for seeking audio and in particular video advice. Users’ self-reports indicate that they believed that video in particular would give them the most detailed insight into expertise. Data for advice uptake, however, showed that all media representation, including text-only, resulted in good sensitivity to correct advice.
Conference Paper
In this paper, we investigate how interpersonal cues of expertise affect trust in different media representations. Based on a review of previous research, richer representations could lead either to a positive media bias (P1) or increased sensitivity for cues of expertise (P2). In a laboratory study, we presented 160 participants with two advisors - one represented by text-only; the other represented by one of four alternate formats: video, audio, avatar, or photo+text. Unknown to the participants, one was an expert (i.e. trained) and the other was a non-expert (i.e. untrained). We observed participants' advice seeking and advice uptake to infer their sensitivity to correct advice in a situation of financial risk. We found that most participants preferred seeking advice from the expert, but we also found a tendency for seeking audio and in particular video advice. Users' self-reports indicate that they believed that video in particular would give them the most detailed insight into expertise. Data for advice uptake, however, showed that all media representations, including text-only, resulted in good sensitivity to correct advice.
Article
Effective countermeasures depend on first understanding how users naturally fall victim to fraudsters.
Article
The present paper reports the effects of N2 addition and preheating of reactants on bluff-body stabilized coaxial LPG jet diffusion flame for two cases, namely, (I) preheated air and (II) preheated air and fuel. Experimental results confirm that N2 addition to the fuel stream leads to an enhancement in flame length, which may be attributed to the reduction in flame temperature. The soot free length fraction (SFLF) also increases, which might be caused by the decrease in fuel concentration and flame temperature. The flame length and also the SFLF are observed to be reduced with increasing temperature of reactants and lip thickness of the bluff body. The NOx emission level for all burner configurations is found to be attenuated with nitrogen addition, which can be attributed to the reduction of the residence time of the gas mixture in the flame. The emission index of NOx (EINOx) also becomes enhanced with increasing lip thickness and reactant temperature due to an increased residence time and thermal effect, respectively.
Article
We evaluate website authentication measures that are designed to protect users from man-in-the-middle, "phishing", and other site forgery attacks. We asked 67 bank customers to conduct common online banking tasks. Each time they logged in, we presented increasingly alarming clues that their connection was insecure. First, we removed HTTPS indicators. Next, we removed the participant's site-authentication image, the customer-selected image that many websites now expect their users to verify before entering their passwords. Finally, we replaced the bank's password-entry page with a warning page. After each clue, we determined whether participants entered their passwords or withheld them. We also investigate how a study's design affects participant behavior: we asked some participants to play a role and others to use their own accounts and passwords. We also presented some participants with security-focused instructions. We confirm prior findings that users ignore HTTPS indicators: no participants withheld their passwords when these indicators were removed. We present the first empirical investigation of site-authentication images, and we find them to be ineffective: even when we removed them, 23 of the 25 (92%) participants who used their own accounts entered their passwords. We also contribute the first empirical evidence that role playing affects participants' security behavior: role-playing participants behaved significantly less securely than those using their own passwords.
Article
It is often suggested that users are hopelessly lazy and unmotivated on security questions. They choose weak passwords, ignore security warnings, and are oblivious to certificate errors. We argue that users' rejection of the security advice they receive is entirely rational from an economic perspective. The advice offers to shield them from the direct costs of attacks, but burdens them with far greater indirect costs in the form of effort. Looking at various examples of security advice we find that the advice is complex and growing, but the benefit is largely speculative or moot. For example, much of the advice concerning passwords is outdated and does little to address actual threats, and fully 100% of certificate error warnings appear to be false positives. Further, if users spent even a minute a day reading URLs to avoid phishing, the cost (in terms of user time) would be two orders of magnitude greater than all phishing losses. Thus we find that most security advice simply offers a poor cost-benefit tradeoff to users and is rejected. Security advice is a daily burden, applied to the whole population, while an upper bound on the benefit is the harm suffered by the fraction that become victims annually. When that fraction is small, designing security advice that is beneficial is very hard. For example, it makes little sense to burden all users with a daily task to spare 0.01% of them a modest annual pain.