Article (PDF available)

Abstract and Figures

User education must focus on challenging and correcting the misconceptions that guide current user behavior. To date, user education on phishing has tried to persuade them to check URLs and a number of other indicators, with limited success. The authors evaluate a novel antiphishing tool in a realistic setting—participants had to buy tickets under time pressure and lost money if they bought from bad sites. Although none of the participants bought from sites the tool clearly identified as bad, 40 percent risked money with sites flagged as potentially risky, but offering bargains. When tempted by a good deal, participants didn't focus on the warnings; rather, they looked for signs they thought confirmed a site's trustworthiness.
... Therefore, it is worth conducting usability studies to understand how users interact with security toolbars. Previous research has shown that both academic and government organizations have made a significant effort to deliver end-user education to enable public understanding of the importance of cyber security, especially in the anti-phishing context [94]. The Anti-Phishing Working Group (APWG) [3] is a non-profit organisation working to provide anti-phishing education to improve the public understanding of computer security. ...
... While a great deal of effort has been contributed to resolving the phishing issue by prevention and detection of phishing techniques related to emails, URLs and web sites, little research has been done in the area of end-user education to protect themselves from phishing threats [94]. Therefore, further research needs to aim at anti-phishing education to protect people from phishing attacks. ...
Preprint
Internet technology is so pervasive today, for example, from online social networking to online banking, that it has made people's lives more comfortable. Due to the growth of Internet technology, security threats to systems and networks are relentlessly inventive. One such serious threat is "phishing", in which attackers attempt to steal the user's credentials using fake emails or websites or both. It is true that both industry and academia are working hard to develop solutions to combat phishing threats. It is therefore very important that organisations pay attention to end-user awareness in phishing threat prevention. Therefore, the aim of our paper is twofold. First, we will discuss the history of phishing attacks and the attackers' motivation in detail. Then, we will provide a taxonomy of various types of phishing attacks. Second, we will provide a taxonomy of various solutions proposed in the literature to protect users from phishing, based on the attacks identified in our taxonomy. Moreover, we have also discussed the impact of phishing attacks in the Internet of Things (IoT). We conclude our paper by discussing various issues and challenges that still exist in the literature, which are important to fight against phishing threats.
... This underscores the imperative for users, be they employees within an organization, students in an educational institution, or general users, to acquire knowledge about phishing attacks. In this regard, Kirlappos et al. [52] explicitly argued that in today's highly digitalized era the chances of an online user coming across a cyberattack are quite significant due to the fact that fake websites are even appearing on renowned search engine platforms such as Google and Yahoo. Several latest and previous studies have been conducted related to the implementation of game-based learning in the models and frameworks for the control of various cybercrimes and SE attacks. ...
Article
Full-text available
Context: In the digital age, there is a notable increase in fraudulent activities perpetrated by social engineers who exploit individuals' limited knowledge of digital devices. These actors strategically manipulate human psychology, targeting IT devices to gain unauthorized access to sensitive data.

Objectives: Our study is centered around two distinct objectives to be accomplished through the utilization of a serious game: i) The primary objective entails delivering training and educational content to participants with a focus on phishing attacks; ii) The secondary objective aims to heighten participants' awareness regarding the perils associated with divulging excessive information online.

Methodology: To address these objectives, we have employed the following techniques and methods: i) A comprehensive literature review was conducted to establish foundational knowledge in areas such as social engineering, game design, learning principles, human interaction, and game-based learning; ii) We meticulously aligned the game design with the philosophical concept of social engineering attacks; iii) We devised and crafted an advanced hybrid version of the game, incorporating the use of QR codes to generate game card data; iv) We conducted an empirical evaluation encompassing surveys, observations, discussions, and URL assessments to assess the effectiveness of the proposed hybrid game version.

Results: Quantitative data and qualitative observations suggest the "PhishDefend Quest" game successfully improved players' comprehension of phishing threats and how to detect them through an interactive learning experience. The results highlight the potential of serious games to educate people about social engineering risks.

Conclusion: Through the evaluation, we can readily arrive at the following conclusions: i) Game-based learning proves to be a viable approach for educating participants about phishing awareness and the associated risks tied to the unnecessary disclosure of sensitive information online; ii) Furthermore, game-based learning serves as an effective means of disseminating awareness among participants and players concerning prevalent phishing attacks.
... In our study, instead, the URLs are set in a use context, i.e., as links in emails. This might show that when studying the impact of URL phishing techniques, it is very important to place them in a use context, where there are other factors that could distract the participants, as it happens in every day life (see halo-effect Kirlappos and Sasse (2012); Nisbett and Wilson (1977)). ...
... Education needs to be given not only to computer operators or the devices used in cybercrime attacks, but also to the general public, who are potential victims of cybercrime. Internet users, according to Kirlappos & Sasse (2012), need to be wary of suspicious-looking discount offers on branded goods, or messages containing an 'urgent notification' instructing the user to take immediate action. On the other hand, given that today's browsers and email applications generally already implement various security protocols, education also needs to be given on how a person should respond when warning signs appear, such as a notification that a website's certificate is invalid, or a suspected spam email. ...
Article
Full-text available
The understanding of the mechanism, modus operandi, and actors involved in a cybercrime is a crucial early step to design cybercrime countermeasure strategies. This paper discusses a hypothetical case of spearphishing that involves the perpetrators, victims, as well as the unwitting participants of the committed cybercrime. Four approaches in cybercrime countermeasures are afterwards elaborated for the aforementioned hypothetical case. It is concluded that countermeasures based on education are the type of countermeasure most feasible and most crucial to be implemented; however, all types of countermeasures have their limitations and therefore have to continuously evolve and develop along with the increasingly sophisticated cybercrime. Keywords: analysis, cybercrime, roles, spearphishing, case study
... Other research shows that traditional and generic awareness-raising and training programs are not very effective [4,33] and that certain criteria need to be taken into account in order to bring about behavioral change. Instead of flooding employees with information and warnings and trying to turn them into security experts, employees' perspectives and decision-making processes should form the basis for developing security solutions [41]. Effective measures should be tailored to employees from different departments, foregoing organization-wide advice [38]. ...
Conference Paper
Full-text available
Phishing remains one of the most effective cyber threats in our digital world, affecting millions of organizations. Phishing education, training, and awareness programs are used to address employees' lack of knowledge about phishing attacks. However, despite being very expensive, these interventions are not always effective, mainly due to the lack of customization of training materials based on the employees' needs and profiles. In fact, creating customized training content for each employee and each context would require a huge effort from security practitioners and educators, thus increasing costs even more. The proposal we present in this paper is to use Large Language Models to automate some steps in the design process of training content, which is tailored to the specific user profile.
Thesis
This thesis describes the conception and development of an approach to requirements engineering for trustworthy digital services. The trust-building aspect of requirements for modern socio-technical systems is not adequately acknowledged in existing models. At its core, a framework is to be developed that enables the constructive consideration of trust-building requirements for these systems through suitable elements, without diminishing the importance of other requirements. To this end, existing service engineering, requirements engineering and trust-conception models are examined qualitatively in order to identify areas of transfer and differentiation with regard to the proposed solution. In parallel, quantitative accompanying analyses examine real-world implications and circumstances, such as the rate of adoption, that are relevant to the consideration of trust-building requirements of socio-technical systems as digital services. The Generic Requirements Engineering Framework for Trustworthy Digital Services (GREF4TS) incorporates elements from the fields of service engineering, requirements engineering, trust engineering and properties of related disciplines for the design of socio-technical systems in order to meet this demand. By means of its implementation in an expert system and its exemplary application in a real case study, the approach is validated in participant tests with regard to its suitability, applicability and influence on the perceived trustworthiness of digital services.
Chapter
Phishing attacks, while more commonly associated with targeting individuals or organizations through traditional communication channels like email or social media, pose potential threats to unmanned aircraft systems (UAS) or drones. Although not as prevalent in this domain, there exist scenarios where phishing tactics could compromise UAS operations and data. Attackers might impersonate legitimate UAS entities, crafting emails that appear credible and relevant to UAS operations. A multi-stage approach incorporating natural language processing and machine learning is introduced to combat such threats. This approach employs techniques like conditional random field (CRF) and latent Dirichlet allocation (LDA) to detect phishing attacks and discern manipulated content. A novel web crawler utilizing web ontology language (OWL) is devised, leveraging semantic relationships to filter out fake sites from search results. The experimental results demonstrate the effectiveness of these methods in detecting and preventing phishing attacks across different platforms.
Chapter
There has been a notable increase in insider threats to information security (IS) globally. South African entities have thus not been spared, and the challenges relating to insider information security threats affect firms of all sizes and in all industries. It therefore follows that audit firms are not immune, as these rely on the trust given to them by their clients to keep their information secure. This is therefore a growing problem that has not spared entities in South Africa. The current study sought to evaluate the level of awareness and measures to safeguard client information from cyber-related risks that emanate from within. The study employed a positivist research philosophy and a descriptive survey which focused on small to medium audit firms. A questionnaire was used for collecting data, which were analysed using descriptive statistical analysis. Findings showed that there was generally a high level of awareness amongst staff in the firms studied. Most firms have implemented suitable and relevant measures to safeguard client data electronically stored and/or transmitted. Results also showed that most of the best practices utilised globally have been adopted in the audit firms under study. These include secure access methods like Virtual Private Network (VPN), internal firewalls, USB port locking, hard drive and memory stick encryption and the use of strong passwords. It was recommended that regulators and policy makers strive to provide the necessary guidance concerning client information security optimisation amongst audit firms, thus standardising this aspect and encouraging the adoption of best practices.
Article
Full-text available
The halo effect is a systematic bias in attribute ratings resulting from raters' tendency to rely on global affect rather than carefully discriminating among conceptually distinct and potentially independent brand attributes. Traditionally, researchers have regarded the halo effect as a source of measurement error to be avoided. Discusses how halo measurement can serve as a useful indicator of brand equity. Uses consumer rating data in three categories of commonly purchased household products to demonstrate the approach.
Chapter
Full-text available
In this paper, we investigate how interpersonal cues of expertise affect trust in different media representations. Based on a review of previous research, richer representations could lead either to a positive media bias (P1) or increased sensitivity for cues of expertise (P2). In a laboratory study, we presented 160 participants with two advisors — one represented by text-only; the other represented by one of four alternate formats: video, audio, avatar, or photo+text. Unknown to the participants, one was an expert (i.e. trained) and the other was a non-expert (i.e. untrained). We observed participants’ advice seeking and advice uptake to infer their sensitivity to correct advice in a situation of financial risk. We found that most participants preferred seeking advice from the expert, but we also found a tendency for seeking audio and in particular video advice. Users’ self-reports indicate that they believed that video in particular would give them the most detailed insight into expertise. Data for advice uptake, however, showed that all media representation, including text-only, resulted in good sensitivity to correct advice.
Conference Paper
In this paper, we investigate how interpersonal cues of expertise affect trust in different media representations. Based on a review of previous research, richer representations could lead either to a positive media bias (P1) or increased sensitivity for cues of expertise (P2). In a laboratory study, we presented 160 participants with two advisors - one represented by text-only; the other represented by one of four alternate formats: video, audio, avatar, or photo+text. Unknown to the participants, one was an expert (i.e. trained) and the other was a non-expert (i.e. untrained). We observed participants' advice seeking and advice uptake to infer their sensitivity to correct advice in a situation of financial risk. We found that most participants preferred seeking advice from the expert, but we also found a tendency for seeking audio and in particular video advice. Users' self-reports indicate that they believed that video in particular would give them the most detailed insight into expertise. Data for advice uptake, however, showed that all media representations, including text-only, resulted in good sensitivity to correct advice.
Article
Effective countermeasures depend on first understanding how users naturally fall victim to fraudsters.
Article
We evaluate website authentication measures that are designed to protect users from man-in-the-middle, "phishing", and other site forgery attacks. We asked 67 bank customers to conduct common online banking tasks. Each time they logged in, we presented increasingly alarming clues that their connection was insecure. First, we removed HTTPS indicators. Next, we removed the participant's site-authentication image, the customer-selected image that many websites now expect their users to verify before entering their passwords. Finally, we replaced the bank's password-entry page with a warning page. After each clue, we determined whether participants entered their passwords or withheld them. We also investigate how a study's design affects participant behavior: we asked some participants to play a role and others to use their own accounts and passwords. We also presented some participants with security-focused instructions. We confirm prior findings that users ignore HTTPS indicators: no participants withheld their passwords when these indicators were removed. We present the first empirical investigation of site-authentication images, and we find them to be ineffective: even when we removed them, 23 of the 25 (92%) participants who used their own accounts entered their passwords. We also contribute the first empirical evidence that role playing affects participants' security behavior: role-playing participants behaved significantly less securely than those using their own passwords.
Article
It is often suggested that users are hopelessly lazy and unmotivated on security questions. They choose weak passwords, ignore security warnings, and are oblivious to certificate errors. We argue that users' rejection of the security advice they receive is entirely rational from an economic perspective. The advice offers to shield them from the direct costs of attacks, but burdens them with far greater indirect costs in the form of effort. Looking at various examples of security advice we find that the advice is complex and growing, but the benefit is largely speculative or moot. For example, much of the advice concerning passwords is outdated and does little to address actual threats, and fully 100% of certificate error warnings appear to be false positives. Further, if users spent even a minute a day reading URLs to avoid phishing, the cost (in terms of user time) would be two orders of magnitude greater than all phishing losses. Thus we find that most security advice simply offers a poor cost-benefit tradeoff to users and is rejected. Security advice is a daily burden, applied to the whole population, while an upper bound on the benefit is the harm suffered by the fraction that become victims annually. When that fraction is small, designing security advice that is beneficial is very hard. For example, it makes little sense to burden all users with a daily task to spare 0.01% of them a modest annual pain.