Jason Hong
Carnegie Mellon University
Wombat Security Technologies
Teaching Johnny Not to Fall for Phish
What are Effective Ways of Teaching People not to Fall for Phish?
PhishGuru Embedded Training
• Use embedded training to teach people how to avoid phishing in regular use of email
– People get simulated phishing email from good guys
– Teach how to protect self in engaging format
– Applies learning science for training
• Motivating users – “teachable moment”
• Started as research at CMU, product by Wombat Security Technologies
Sample phishing email shown in the deck:
Subject: Revision to Your Amazon.com Information
Please login and enter your information
http://www.amazon.com/exec/obidos/sign-in.html
PhishGuru training message, annotated:
• Tells people why they are seeing this message, uses engaging character
• Tells a story about what happened and what the risks are
• Gives concrete examples of how to protect oneself
• Explains how criminals conduct phishing attacks
Series of User Studies
Lab study I
• Security notices are ineffective
• Users educated with PhishGuru made better decisions
Lab study II
• Users in embedded condition retain and transfer knowledge more effectively than other conditions even after 7 days
Real-world study I
• PhishGuru is effective in training people in the real world
• Trained participants retained knowledge 7 days after training
Real-world study II
• People trained with PhishGuru were less likely to click on phishing links than those not trained
• People retained their training for 28 days
• Two training messages are better than one
• PhishGuru training does not make people less likely to click on legitimate links
First lab study results
• Are security notices effective?
– Ineffective for training
• Is embedded training effective?
– Embedded training condition made better decisions than those sent security notices
Kumaraguru, P., Rhee, Y., Acquisti, A., Cranor, L. F., Hong, J., and Nunge, E. Protecting people from phishing: the design and evaluation of an embedded training email system. CHI ’07, pp. 905-914.
Second lab study results
• Can people retain what they learned?
– Users educated with PhishGuru retained knowledge after seven days
• Do people have to fall for phish?
– Users trained with embedded training (shown after they fell for a simulated phish) did better than users given the same material non-embedded
Kumaraguru, P., Rhee, Y., Sheng, S., Hasan, S., Acquisti, A., Cranor, L. F., and Hong, J. Getting users to pay attention to anti-phishing education: Evaluation of retention and transfer. e-Crime Researchers Summit, Anti-Phishing Working Group (2007).
Real world study: Portuguese ISP
• Does PhishGuru training extend to real world?
– Did reduce rate of falling for phishing
– Trained participants retained knowledge 7 days after training
– Don’t have to train all people in organization
Kumaraguru, P., Sheng, S., Acquisti, A., Cranor, L. F., and Hong, J. Lessons from a real world evaluation of anti-phishing training. e-Crime Researchers Summit, 2008.
Real world study: CMU
• Replicate previous study at larger scale
• Investigate retention after 1 week, 2 weeks, and 4 weeks
• Compare effectiveness of 2 training messages vs 1 training message
• Examine demographics and phishing
P. Kumaraguru, J. Cranshaw, A. Acquisti, L. Cranor, J. Hong, M. A. Blair, and T. Pham. School of Phish: A Real-World Evaluation of Anti-Phishing Training. SOUPS 2009.
Study design
• Sent email to all CMU students, faculty and staff to recruit participants (opt-in)
• 515 participants in three conditions
– Control / One training message / Two messages
• Emails sent over 28 day period
– 7 simulated spear-phishing messages
– 3 legitimate (cyber security scavenger hunt)
• Campus help desks and all spoofed departments notified before messages sent
Our Simulated Spear Phish
• URL is not hidden
• Plain text email without graphics
Our Simulated Phishing Website
http://andrewwebmail.org/password/change.htm?ID=9009
http://andrewwebmail.org/password/thankyou.html?ID=9009
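The two URLs above differ only in the page and carry the same ID value, which is how a simulated-phishing site attributes a click, and a later submission, to one recipient. The following is an added example, not code from the study or from Wombat, of the request handling such a site needs. It assumes an HMAC-tagged ID token (the slides do not document how ID=9009 was generated), a random per-campaign key, and an in-memory log; the host name is the one on the slides. Two design points a practitioner should take from it: log that a password was submitted, never the password itself, and put the PhishGuru-style intervention on the click path only when the message is a training message.

```python
"""Added example, not code from the study: request handling for a
simulated-phishing site with the page layout shown on the slides
(change.htm?ID=... landing page, thankyou.html?ID=... after a submission).
The HMAC token scheme, the per-campaign key and the in-memory log are
assumptions made here."""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

SITE = "http://andrewwebmail.org"        # host used on the slides
CAMPAIGN_KEY = secrets.token_bytes(32)   # assumption: one random key per campaign

# Event log: one record per click or submission. Deliberately has no
# field for the submitted password; the study only needs to know that
# information was provided, never what it was.
EVENTS = []


def make_token(participant_id, key=CAMPAIGN_KEY):
    """Value for the ID query parameter: participant id plus an HMAC tag.
    A recipient who edits the ID cannot attribute a click to someone else,
    and IDs cannot be enumerated the way a bare counter could."""
    tag = hmac.new(key, participant_id.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{participant_id}.{tag}"


def parse_token(token, key=CAMPAIGN_KEY):
    """Return the participant id for a valid token, else None."""
    pid, sep, tag = token.partition(".")
    if not sep or not pid:
        return None
    expected = hmac.new(key, pid.encode(), hashlib.sha256).hexdigest()[:16]
    return pid if hmac.compare_digest(tag, expected) else None


def phish_url(participant_id):
    """The link placed in one recipient's simulated spear phish."""
    return f"{SITE}/password/change.htm?{urlencode({'ID': make_token(participant_id)})}"


def handle(method, url, form=None, intervention=False, log=EVENTS):
    """Serve one request. Returns (status, body_or_location).
    intervention=True is the embedded-training case: the click is logged
    and the PhishGuru message is shown instead of the fake password page."""
    parts = urlparse(url)
    token = parse_qs(parts.query).get("ID", [""])[0]
    pid = parse_token(token)
    if pid is None:                       # forged, missing or damaged ID
        return 404, ""
    if parts.path == "/password/change.htm":
        if method == "GET":
            log.append({"pid": pid, "event": "clicked"})
            return 200, "phishguru-training-page" if intervention else "change-password-page"
        if method == "POST":
            provided = bool(form and form.get("password"))
            log.append({"pid": pid, "event": "submitted" if provided else "submitted-empty"})
            # Mirror the real flow: redirect to the thank-you page, keeping the ID.
            return 303, f"/password/thankyou.html?{urlencode({'ID': token})}"
    if parts.path == "/password/thankyou.html" and method == "GET":
        return 200, "thank-you-page"
    return 404, ""


def events_for(participant_id, log=EVENTS):
    """Events recorded for one participant, in order."""
    return [e["event"] for e in log if e["pid"] == participant_id]


if __name__ == "__main__":
    link = phish_url("p01")
    print(link)
    print(handle("GET", link))
    print(handle("POST", link, form={"username": "p01", "password": "hunter2"}))
    print(events_for("p01"), EVENTS)
```

A request whose ID fails the tag check gets a 404 rather than a guess at the recipient, so a participant who tampers with the link cannot add a click to someone else's record, and the log never contains what was typed into the password field.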
Effect of PhishGuru Training
Condition   N     % who clicked on Day 0   % who clicked on Day 28
Control     172   52.3                     44.2
Trained     343   48.4                     24.5
Results conditioned on participants who clicked on day 0
[Chart: percentage of day-0 clickers who clicked on each test day, by condition; day 0 = test + train, days 2, 7, 14, 16, 21 and 28 = tests]
• Trained participants less likely to fall for phish
• Trained participants remember what they learned 28 days later
Results conditioned on participants who clicked on day 0 and day 14
[Chart: percentage of day-0 and day-14 clickers who clicked on each later test day, one-train vs. two-train]
• Two-train participants less likely than one-train participants to click on days 16 and 21
• Two-train participants less likely than one-train participants to provide information on day 28
Does PhishGuru Affect Clicking on Legitimate Emails?
Condition   N    Day 0 clicked %   Day 7 clicked %   Day 28 clicked %
Control     90   50.0              41.1              38.9
One-train   89   39.3              42.7              32.3
Two-train   77   48.1              44.2              35.1
For Cyber Security Scavenger Hunt emails: no difference between the three conditions on days 7 and 28
Students Most Vulnerable
• Students significantly more likely to fall for phish than staff before training
• No significant differences based on student year, department, or gender
• 18-25 age group most vulnerable
Age group      Day 0   Day 28
18-25          62%     36%
26-35          48%     16%
36-45          33%     18%
45 and older   43%     10%
Most Participants Liked PhishGuru, Wanted More
• 280 post-study responses
• 80% recommended that CMU continue PhishGuru training
– “I really liked the idea of sending CMU students fake phishing emails and then saying to them, essentially, HEY! You could've just gotten scammed! You should be more careful - here's how....”
– “I think the idea of using something fun, like a cartoon, to teach people about a serious subject is awesome!”
Summary
• People trained with PhishGuru far less likely to click on phishing links than not trained
• People retained training for 28 days
• Two training messages better than one
• PhishGuru training does not make people less likely to click on legitimate links
For More Information
• Forthcoming SOUPS 2009 paper
• White paper on Wombat Security web site
• PhishGuru commercialized by Wombat Security
Acknowledgments
• Supporting Trust Decisions group
• CyLab Usable Privacy and Security Lab
• CMU’s Information Security Office
• APWG
• Supported by National Science Foundation, Army Research Office, CyLab, ISP in Portugal
Study schedule
Day of the study   Control            One training message   Two training messages
Day 0              Test and real      Train and real         Train and real
Day 2              Test               Test                   Test
Day 7              Test and real      Test and real          Test and real
Day 14             Test               Test                   Train
Day 16             Test               Test                   Test
Day 21             Test               Test                   Test
Day 28             Test and real      Test and real          Test and real
Day 35             Post-study survey (all conditions)
Test = simulated spear phish; Train = simulated spear phish followed by PhishGuru training on click; real = legitimate scavenger-hunt email
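An added example, not the study's code, of scoring a campaign that follows the schedule above. The schedule dictionary is transcribed from the slide; the roster and the event log are constructed sample data, not the study's data. It reproduces the two views the deck uses: the raw click rate per condition and day (the "Effect of PhishGuru Training" table), and the rate conditioned on participants who clicked on day 0, which matters because a participant who never fell for the day-0 phish was never shown the training and says nothing about it. The validate step checks that every logged event matches an email that was actually scheduled for that participant's condition, which catches mislabelled exports before any rate is computed.

```python
"""Added example, not code from the study: scoring a simulated-phishing
study that follows the deck's "Study schedule". SCHEDULE is transcribed
from the slide; PARTICIPANTS and EVENTS are constructed sample data."""

# Per condition: which messages go out on which day.
#   "test"  = simulated spear phish, no training on click
#   "train" = simulated spear phish that shows PhishGuru training on click
#   "real"  = legitimate cyber-security scavenger-hunt email
SCHEDULE = {
    "control":   {0: {"test", "real"}, 2: {"test"}, 7: {"test", "real"},
                  14: {"test"}, 16: {"test"}, 21: {"test"}, 28: {"test", "real"}},
    "one-train": {0: {"train", "real"}, 2: {"test"}, 7: {"test", "real"},
                  14: {"test"}, 16: {"test"}, 21: {"test"}, 28: {"test", "real"}},
    "two-train": {0: {"train", "real"}, 2: {"test"}, 7: {"test", "real"},
                  14: {"train"}, 16: {"test"}, 21: {"test"}, 28: {"test", "real"}},
}
MESSAGE_KIND = {"test": "phish", "train": "phish", "real": "legit"}

# Constructed roster: participant id -> condition, assigned once at opt-in.
PARTICIPANTS = {
    "c1": "control", "c2": "control", "c3": "control",
    "o1": "one-train", "o2": "one-train", "o3": "one-train",
    "t1": "two-train", "t2": "two-train", "t3": "two-train",
}

# Constructed event log: (participant, day, kind, action).
#   kind   = "phish" (simulated) or "legit" (scavenger hunt)
#   action = "clicked" (followed the link) or "submitted" (entered data)
EVENTS = [
    ("c1", 0, "phish", "clicked"), ("c1", 0, "legit", "clicked"),
    ("c1", 28, "phish", "clicked"),
    ("c2", 0, "phish", "clicked"), ("c2", 0, "phish", "submitted"),
    ("c2", 28, "phish", "clicked"),
    ("c3", 28, "legit", "clicked"),
    ("o1", 0, "phish", "clicked"), ("o1", 7, "legit", "clicked"),
    ("o2", 0, "phish", "clicked"), ("o2", 28, "phish", "clicked"),
    ("o3", 0, "legit", "clicked"),
    ("t1", 0, "phish", "clicked"), ("t1", 14, "phish", "clicked"),
    ("t1", 28, "legit", "clicked"),
    ("t2", 0, "phish", "clicked"),
    ("t3", 28, "phish", "clicked"),
]


def validate(events=EVENTS, schedule=SCHEDULE, roster=PARTICIPANTS):
    """Reject log entries that cannot correspond to a scheduled email."""
    for pid, day, kind, action in events:
        cond = roster[pid]  # KeyError: event for an address never enrolled
        sent = {MESSAGE_KIND[m] for m in schedule[cond].get(day, ())}
        if kind not in sent:
            raise ValueError(f"{pid}: no {kind} email on day {day} for {cond}")
        if action not in ("clicked", "submitted"):
            raise ValueError(f"{pid}: unknown action {action!r}")
    return True


def cohort(conditions, roster=PARTICIPANTS):
    """Participants enrolled in the given condition or set of conditions."""
    if isinstance(conditions, str):
        conditions = {conditions}
    return {pid for pid, c in roster.items() if c in conditions}


def responders(day, kind="phish", action="clicked", events=EVENTS):
    """Participants with a matching event on that day."""
    return {pid for pid, d, k, a in events if d == day and k == kind and a == action}


def rate(conditions, day, kind="phish", action="clicked", given=None):
    """Percentage of the cohort that clicked/submitted on `day`.
    `given` restricts the cohort (e.g. to day-0 clickers), which is how the
    deck conditions its retention results. Non-clickers still count in
    the denominator, so the rate is per enrolled participant."""
    base = cohort(conditions)
    if given is not None:
        base &= given
    if not base:
        return 0.0
    hit = base & responders(day, kind, action)
    return round(100.0 * len(hit) / len(base), 1)


def report():
    """Rebuild the deck's headline table plus the conditioned view and the
    legitimate-email check that guards against training making people
    refuse to click anything."""
    trained = {"one-train", "two-train"}
    out = {}
    for label, conds in (("Control", "control"), ("Trained", trained)):
        out[label] = {
            "N": len(cohort(conds)),
            "day0": rate(conds, 0),
            "day28": rate(conds, 28),
            "day28|clicked_day0": rate(conds, 28, given=responders(0)),
            "legit_day28": rate(conds, 28, kind="legit"),
        }
    return out


if __name__ == "__main__":
    validate()
    for label, row in report().items():
        print(label, row)
    # Two-train vs one-train, conditioned on day-0 and day-14 clickers, as on the slides.
    both = responders(0) & responders(14)
    print("two-train day 16 | clicked day 0 and 14:", rate("two-train", 16, given=both))
```

Because the conditioned rates only ever shrink the denominator, a small study ends up with very few participants in the conditioned cells; the deck's real-world numbers (N of 172 and 343) are the scale at which this comparison becomes meaningful.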
Why is Teaching People Hard?
• Problems
– Existing materials good, but could be better
  • Not many opportunities for testing skills
– Most people don’t proactively look for security training materials
– “Security notice” emails tend to be ignored
  • Too much to read
  • People don’t consider them relevant
Legitimate emails
• No difference between the three conditions on day 0, 7, and 28
• No difference within the three conditions for the three emails
Condition   N    Day 0 clicked %   Day 7 clicked %   Day 28 clicked %
Control     90   50.0              41.1              38.9
One-train   89   39.3              42.7              32.3
Two-train   77   48.1              44.2              35.1

Teaching Johnny not to Fall for Phish, at APWG CeCOS 2009

  • 1. Jason Hong Carnegie Mellon University Wombat Security Technologies Teaching Johnny Not to Fall for Phish
  • 2. What are Effective Ways of Teaching People not to Fall for Phish?
  • 3. PhishGuru Embedded Training • Use embedded training to teach people how to avoid phishing in regular use of email – People get simulated phishing email from good guys – Teach how to protect self in engaging format – Applies learning science for training • Motivating users – “teachable moment” • Started as research at CMU, product by Wombat Security Technologies
  • 4. Subject: Revision to Your Amazon.com InformationSubject: Revision to Your Amazon.com Information
  • 5. Subject: Revision to Your Amazon.com InformationSubject: Revision to Your Amazon.com Information Please login and enter your informationPlease login and enter your information http://www.amazon.com/exec/obidos/sign-in.htmlhttp://www.amazon.com/exec/obidos/sign-in.html
  • 6.
  • 7. Tells people why they are seeing this message, uses engaging character Tells people why they are seeing this message, uses engaging character
  • 8. Tells a story about what happened and what the risks are Tells a story about what happened and what the risks are
  • 9. Gives concrete examples of how to protect oneself Gives concrete examples of how to protect oneself
  • 10. Explains how criminals conduct phishing attacks Explains how criminals conduct phishing attacks
  • 11.
  • 12. Series of User Studies Studies Results Lab study I • Security notices are ineffective • Users educated with PhishGuru made better decisions Lab study II • Users in embedded condition retain and transfer knowledge more effectively than other conditions even after 7 days Real-world study I • PhishGuru is effective in training people in the real world • Trained participants retained knowledge after 7 days of training Real-world study II • People trained with PhishGuru were less likely to click on phishing links than those not trained • People retained their training for 28 days • Two training messages are better than one • PhishGuru training does not make people less likely to click on legitimate links
  • 13. First lab study results • Are security notices effective? – Ineffective for training • Is embedded training effective? – Embedded training condition made better decisions than those sent security notices Kumaraguru, P., Rhee, Y., Acquisti, A., Cranor, L. F., Hong, J., and Nunge, E. Protecting people from phishing: the design and evaluation of an embedded training email system. CHI ’07, pp. 905- 914.
  • 14. Second lab study results • Can people retain what they learned? – Users educated with PhishGuru retained knowledge after seven days • Do people have to fall for phish? – Users trained with embedded did better than users trained with non-embedded Kumaraguru, P., Rhee, Y., Sheng, S., Hasan, S., Acquisti, A., Cranor, L. F., and Hong, J. Getting users to pay attention to anti-phishing education: Evaluation of retention and transfer. e-Crime Researchers Summit, Anti-Phishing Working Group (2007).
  • 15. Real world study: Portuguese ISP • Does PhishGuru training extend to real world? – Did reduce rate of falling for phishing – Trained participants retained knowledge after 7 days of training – Don’t have to train all people in organization Kumaraguru, P., Sheng, S., Acquisti, A., Cranor, L. F., and Hong, J. Lessons from a real world evaluation of anti-phishing training. e-Crime Researchers Summit, 2008
  • 16. Real world study: CMU • Replicate previous study at larger scale • Investigate retention after 1 week, 2 weeks, and 4 weeks • Compare effectiveness of 2 training messages vs 1 training message • Examine demographics and phishing P. Kumaraguru, J. Cranshaw, A. Acquisti, L. Cranor, J. Hong, M. A. Blair, and T. Pham. School of Phish: A Real-World Evaluation of Anti-Phishing Training. 2009. SOUPS 2009.
  • 17. Study design • Sent email to all CMU students, faculty and staff to recruit participants (opt-in) • 515 participants in three conditions – Control / One training message / Two messages • Emails sent over 28 day period – 7 simulated spear-phishing messages – 3 legitimate (cyber security scavenger hunt) • Campus help desks and all spoofed departments notified before messages sent
  • 18. Our Simulated Spear Phish URL is not hiddenURL is not hidden Plain text email without graphics Plain text email without graphics
  • 19. Our Simulated Phishing Website http://andrewwebmail.org/password/change.htm?ID=9009http://andrewwebmail.org/password/change.htm?ID=9009
  • 20. Our Simulated Phishing Website http://andrewwebmail.org/password/thankyou.html?ID=9009http://andrewwebmail.org/password/thankyou.html?ID=9009
  • 21. Effect of PhishGuru Training Condition N % who clicked on Day 0 % who clicked on Day 28 Control 172 52.3 44.2 Trained 343 48.4 24.5
  • 22. Results conditioned on participants who clicked on day 0 TestTest
  • 23. Results conditioned on participants who clicked on day 0 Trained participants less likely to fall for phish Trained participants less likely to fall for phish Trained participants remember what they learned 28 days later Trained participants remember what they learned 28 days later Test + train Test + train TestsTests TestsTests
  • 24. Results conditioned on participants who clicked on day 0 and day 14 Two-train participants less likely than one-train participants to click on days 16 and 21 Two-train participants less likely than one-train participants to click on days 16 and 21
  • 25. Results conditioned on participants who clicked on day 0 and day 14 Two-train participants less likely than one-train participants to click on days 16 and 21 Two-train participants less likely than one-train participants to click on days 16 and 21 Two-train participants less likely than one-train participants to provide information on day 28 Two-train participants less likely than one-train participants to provide information on day 28
  • 26. Does PhishGuru Affect Clicking on Legitimate Emails? Condition N Day 0 Day 7 Day 28 Clicked % Clicked % Clicked % Control 90 50.0 41.1 38.9 One-train 89 39.3 42.7 32.3 Two-train 77 48.1 44.2 35.1 For Cyber Security Scavenger Hunt No difference between the three conditions on days 7 and 28 For Cyber Security Scavenger Hunt No difference between the three conditions on days 7 and 28
  • 27. Students Most Vulnerable • Students significantly more likely to fall for phish than staff before training • No significant differences based on student year, department, or gender • 18-25 age group most vulnerable Age group Day 0 Day 28 18-25 62% 36% 26-35 48% 16% 36-45 33% 18% 45 and older 43% 10%
  • 28. Most Participants Liked PhishGuru, Wanted More • 280 post-study responses • 80% recommended that CMU continue PhishGuru training – “I really liked the idea of sending CMU students fake phishing emails and then saying to them, essentially, HEY! You could've just gotten scammed! You should be more careful - here's how....” – “I think the idea of using something fun, like a cartoon, to teach people about a serious subject is awesome!”
  • 29. Summary • People trained with PhishGuru far less likely to click on phishing links than those not trained • People retained training for 28 days • Two training messages better than one • PhishGuru training does not make people less likely to click on legitimate links
  • 30. For More Information • Forthcoming SOUPS 2009 paper • White paper on Wombat Security web site • PhishGuru commercialized by Wombat Security
  • 31. Acknowledgments • Supporting Trust Decisions group • CyLab Usable Privacy and Security Lab • CMU’s Information Security Office • APWG • Supported by National Science Foundation, Army Research Office, CyLab, ISP in Portugal
  • 32.
  • 33. Study schedule
      Day of the study   Control         One training message   Two training messages
      Day 0              Test and real   Train and real         Train and real
      Day 2              Test (all conditions)
      Day 7              Test and real (all conditions)
      Day 14             Test            Test                   Train
      Day 16             Test (all conditions)
      Day 21             Test (all conditions)
      Day 28             Test and real (all conditions)
      Day 35             Post-study survey (all conditions)
  • 34. Why is Teaching People Hard?
  • 35. Why is Teaching People Hard? • Problems – Existing materials good, but could be better • Not many opportunities for testing skills – Most people don’t proactively look for security training materials – “Security notice” emails tend to be ignored • Too much to read • People don’t consider them relevant
  • 36. Legitimate emails
      No difference between the three conditions on day 0, 7, and 28
      No difference within the three conditions for the three emails
      Condition   N    Day 0 Clicked %   Day 7 Clicked %   Day 28 Clicked %
      Control     90   50.0              41.1              38.9
      One-train   89   39.3              42.7              32.3
      Two-train   77   48.1              44.2              35.1

Editor's Notes

  1. THE USER WILL SEE THIS INTERVENTION… WHICH TELLS THEM HOW TO AVOID FALLING FOR PHISHING EMAILS… I WILL DESCRIBE IN DETAIL WHAT INFORMATION IS IN THIS INTERVENTION IN A COUPLE OF MINUTES. You have the printout of this intervention…
  7. Mention why these questions are important. We showed that embedded training works when you test participants immediately, but we don’t know how they will perform after 7 days. BECAUSE USERS HAVE TO REMEMBER WHAT YOU TEACH FOR SOME TIME… Knowledge retention (KR): The ability to apply the knowledge gained after a time period. ANOTHER QUESTION IS WHETHER USERS HAVE TO FALL FOR PHISHING TO GET TRAINED; THIS IS TO ADDRESS THE DELIVERY CHANNEL QUESTION… IF IT TURNS OUT TO BE SO, THEN WE DON’T HAVE TO MAKE THEM FALL FOR PHISHING.. We also don’t know how they will perform in a different situation…. GIVEN THE EARLIER RESEARCH RESULTS THAT USERS DON’T GENERALIZE, WE WANTED TO SEE WHETHER USERS CAN TRANSFER… Knowledge transfer (KT): The ability to transfer the knowledge gained from one situation to another situation
  8. TO ADDRESS SOME OF THE LIMITATIONS IN THIS STUDY, I AM CURRENTLY DOING THIS EXCITING STUDY AMONG CMU STUDENTS/FACULTY/STAFF WHERE I HAVE BEEN PHISHING THEM FOR THE LAST 4 WEEKS… I WAS INTERESTED IN STUDYING LONG-TERM RETENTION .. MORE THAN 1 WEEK.. SO IN THIS STUDY WE ARE STUDYING 4-WEEK RETENTION.. IN THE PREVIOUS STUDY WE STUDIED 1 TRAINING MATERIAL… HERE WE ARE STUDYING 2 MESSAGES… THIS STUDY IS REALLY IN THE WILD AND WE ARE COLLECTING A LOT OF DATA…. I’M STILL IN DATA COLLECTION MODE. IN A FEW WEEKS, I SHOULD HAVE SOME RESULTS FROM THIS STUDY…
  10. Spear phishing emails are targeted phishing emails. COLLECTING A VARIETY OF INFORMATION (HR, COMPLAINTS THAT ARE BEING LOGGED TO HELP CENTERS AND ISO). COUNTERBALANCING THE EMAILS. COLLECTING DATA FOR LEGITIMATE EMAILS TO SEE WHETHER TRAINING INCREASES CONCERN
  11. Some email clients don’t show the HTML, and so we used this way
  12. The idea in this slide is to show that training conditions did better than control conditions and it was a significant difference… There is an improvement of 50% among people in PhishGuru training
  13. Graph is people who clicked on day 0 (trained in the training conditions). People in the training conditions retained knowledge until day 28
  15. People who clicked on day 0 and day 14. This is to find how participants in two training conditions compare with participants in one training condition. Shows a significant difference on day 16, day 21 (next slide)
  17. Similar effect for “gave information” too
  18. WALK THROUGH THE TABLE POINTING THE DIFFERENCES DEFINE REAL, TEST, AND TRAIN