Abstract—Many organizations use internal phishing campaigns to gauge awareness and coordinate training efforts based on those findings. Ongoing content design is important for phishing training tools due to the influence recency has on phishing susceptibility. Traditional approaches for content development require significant investment and can be prohibitively costly, especially during the requirements engineering phase of software development and for applications that are constantly evolving. While prior research primarily depends upon already known phishing cues curated by experts, our project, Phish Finders, uses crowdsourcing to explore phishing cues through the unique perspectives and thought processes of everyday users in a realistic yet safe online environment, Zooniverse. This paper contributes qualitative analysis of crowdsourced comments that identifies novel cues, such as formatting and typography, which were identified by the crowd as potential phishing indicators. The paper also shows that crowdsourcing may have the potential to scale as a requirements engineering approach to meet the needs of content labeling for improved training tool development. 
                    
                            
                            Characteristics that Predict Phishing Susceptibility: A Review
                        
                    
    
            Phishing attack countermeasures have previously relied on technical solutions or user training. As phishing attacks continue to impact users resulting in adverse consequences, mitigation efforts may be strengthened through an understanding of how user characteristics predict phishing susceptibility. Several studies have identified factors of interest that may contribute to susceptibility. Others have begun to build predictive models to better understand the relationships among factors in addition to their prediction power, although these studies have only used a handful of predictors. As a step toward creating a holistic model to predict phishing susceptibility, it was first necessary to catalog all known predictors that have been identified in the literature. We identified 32 predictors related to personality traits, demographics, educational background, cybersecurity experience and beliefs, platform experience, email behaviors, and work commitment style. 
        
    
- Award ID(s): 1723765
- PAR ID: 10350789
- Date Published:
- Journal Name: Proceedings of the Human Factors and Ergonomics Society Annual Meeting
- Volume: 65
- Issue: 1
- ISSN: 2169-5067
- Page Range / eLocation ID: 938 to 942
- Format(s): Medium: X
- Sponsoring Org: National Science Foundation
More Like this
- 
            Phone-based authenticators (PBAs) are commonly incorporated into multi-factor authentication and passwordless login schemes for corporate networks and systems. These systems require users to prove that they possess a phone or phone number associated with an account. The out-of-band nature of PBAs and their security may not be well understood by users. Further, the frequency of PBA prompts may desensitize users and lead to increased susceptibility to phishing or social engineering. We explore such risks to PBAs by exploring PBA implementation options and two types of attacks. When employed with a real-world PBA system, we found the symptoms of such attacks were subtle. A subsequent user study revealed that none of our participants noticed the attack symptoms, highlighting the limitations and risks associated with PBAs.
- 
            Within the last century, the global sea level has risen between 16 and 21 cm and will likely accelerate into the future. Projections from the Intergovernmental Panel on Climate Change (IPCC) show the global mean sea level (GMSL) rise may increase to up to 1 m (1000 mm) by 2100. The primary cause of the sea level rise can be attributed to climate change through the thermal expansion of seawater and the recession of glaciers from melting. Because of the complexity of the climate and environmental systems, it is very difficult to accurately predict the increase in sea level. The latest estimate of GMSL rise is about 3 mm/year, but as GMSL is a global measure, it may not represent local sea level changes. It is essential to obtain tailored estimates of sea level rise in coastline Florida, as the state is strongly impacted by the global sea level rise. The goal of this study is to model the sea level in coastal Florida using climate factors. Hence, water temperature, water salinity, sea surface height anomalies (SSHA), and El Niño southern oscillation (ENSO) 3.4 index were considered to predict coastal Florida sea level. The sea level changes across coastal Florida were modeled using both multiple regression as a broadly used parametric model and the generalized additive model (GAM), which is a nonparametric method. The local rates and variances of sea surface height anomalies (SSHA) were analyzed and compared to regional and global measurements. The identified optimal model to explain and predict sea level was a GAM with the year, global and regional (adjacent basins) SSHA, local water temperature and salinity, and ENSO as predictors. All predictors including global SSHA, regional SSHA, water temperature, water salinity, ENSO, and the year were identified to have a positive impact on the sea level and can help to explain the variations in the sea level in coastal Florida. Particularly, the global and regional SSHA and the year are important factors to predict sea level changes.
- 
            Phishing emails are scam communications that pretend to be something they are not in order to get people to take actions they otherwise would not. We surveyed a demographically matched sample of 297 people from across the United States and asked them to share their descriptions of a specific experience with a phishing email. Analyzing these experiences, we found that email users' experiences detecting phishing messages have many properties in common with how IT experts identify phishing. We also found that email users bring unique knowledge and valuable capabilities to this identification process that neither technical controls nor IT experts have. We suggest that targeting training toward how to use this uniqueness is likely to improve phishing prevention.
- 
            Phishing emails have certain characteristics, including wording related to urgency and unrealistic promises (i.e., “too good to be true”), that attempt to lure victims. To test whether these characteristics affected users’ suspiciousness of emails, users participated in a phishing judgment task in which we manipulated 1) email type (legitimate, phishing), 2) consequence amount (small, medium, large), 3) consequence type (gain, loss), and 4) urgency (present, absent). We predicted users would be most suspicious of phishing emails that were urgent and offered large gains. Results supporting the hypotheses indicate that users were more suspicious of phishing emails with a gain consequence type or large consequence amount. However, urgency was not a significant predictor of suspiciousness for phishing emails, but was for legitimate emails. These results have important cybersecurity-related implications for penetration testing and user training.
 An official website of the United States government