CyLab Usable Privacy and Security Laboratory
http://www.cs.cmu.edu/~ponguru
Slide 1

CyLab Usable Privacy and Security Laboratory
http://cups.cs.cmu.edu/

PhishGuru: A System for Educating Users about Semantic Attacks

Committee Members:
Lorrie Cranor (Chair)
Jason Hong
Vincent Aleven
Rahul Tongia
Alessandro Acquisti

Ponnurangam Kumaraguru
Computation, Organizations and Society
School of Computer Science
eBay: Urgent Notification From Billing Department

We regret to inform you that your eBay account could be suspended if you don't re-update your account information.

https://signin.ebay.com/ws/eBayISAPI.dll?SignIn&sid=verify&co_partnerid=2&sidteid=0

http://www.kusi.org/hcr/eBay/ws23/eBayISAPI.htm

Slide 7: Phishing works

• 73 million US adults received more than 50 phishing emails each in the year 2005
• Gartner estimated 3.6 million adults lost $3.2 billion in phishing attacks in 2007
• Financial institutions and military are also victims
• Corporate espionage

Slide 8: Why phishing works

• Phishers take advantage of Internet users' trust in legitimate organizations
• Lack of computer and security knowledge [Dhamija et al.]
• People don't use good strategies to protect themselves [Downs et al.]

Slide 9: Anti-phishing strategies

• Silently eliminate the threat
  – Find and take down phishing web sites
  – Detect and delete phishing emails
• Warn users about the threat
  – Anti-phishing toolbars and web browser features
• Train users not to fall for attacks

Slide 10: Thesis statement

• Computer users trained using an embedded training system grounded in learning science are able to make more accurate online trust decisions than those who read traditional security training materials distributed via email or posted on web sites

Slide 11: How do we get people trained?

• Problem
  – Existing materials are good, but could be better
  – Most people don't proactively look for security training materials
  – "Security notice" emails sent to employees and/or customers tend to be ignored
    • Too much to read
    • People don't consider them relevant
• Solution
  – Find a "teachable moment": PhishGuru
  – Make training fun: Anti-Phishing Phil
  – Use learning science principles
Slide 14: My contributions

• Real world impact
  – APWG landing page viewed 500 times a day
  – Anti-Phishing Phil, played over 100,000 times
• Theoretical
  – Users can be trained to make better online trust decisions if training materials are
    • embedded (during their regular use of emails)
    • presented in a fun and interactive manner

Slide 15: My contributions

• Artifacts
  – Design and evaluation
    • PhishGuru interventions
    • Anti-Phishing Phil game
• Experimental
  – A user study design and methodology that can be used to test anti-phishing training solutions
    • Laboratory
    • Real-world

Slide 16: Outline

• Design and evaluation of PhishGuru interventions
• Evaluation of PhishGuru system
  – Laboratory
  – Real-world
• Anti-Phishing Working Group landing page
• Anti-Phishing Phil
• Remarks

Slide 17: Approaches for training

• Posting articles
  – FTC, Microsoft, …
• Phishing IQ test
  – Mail Frontier, …
• Class room training
  – Robila et al.
• Security notice

Slide 18: User education is challenging

• For most users, security is a secondary task [Whitten et al.]
• Users are not motivated to learn about security and privacy [Anton et al.]
• It is difficult to teach people to make the right online trust decision without increasing their false positive errors [Anandpara et al.]

Slide 19: Is user education possible?

• Security education "puts the burden on the wrong shoulder."
  [Nielsen, J. 2004. User education is not the answer to security problems. http://www.useit.com/alertbox/20041025.html.]

• "Security user education is a myth."
  [Gorling, S. 2006. The myth of user education. In Proceedings of the 16th Virus Bulletin International Conference.]

• "User education is a complete waste of time. It is about as much use as nailing jelly to a wall…. They are not interested…they just want to do their job."
  [Martin Overton, a U.K.-based security specialist at IBM, quoted in http://news.cnet.com/2100-7350_3-6125213-2.html]
Slide 22: Web site training study

• Laboratory study of 28 non-expert computer users
• Control group: evaluate 10 sites, 15 minute break to read email or play solitaire, evaluate 10 more sites
• Experimental group: evaluate 10 sites, 15 minutes to read web-based training materials, evaluate 10 more sites
• Experimental group performed significantly better identifying phish after training
  – But they had more false positives
• People can learn from web-based training materials, if only we could get them to read them!

P. Kumaraguru, S. Sheng, A. Acquisti, L. Cranor, and J. Hong. Teaching Johnny Not to Fall for Phish. CyLab Technical Report CMU-CyLab-07003, 2007.

Slide 23: PhishGuru

Slide 24: PhishGuru Embedded Training

• Can we "train" people during their normal use of email to avoid phishing attacks?
  – Periodically, people receive a training email
  – Training email looks like a phishing attack
  – If a person falls for it, intervention warns and highlights what cues to look for in succinct and engaging format
• Motivating users: "teachable moment"
• Applies learning science principles for designing training interventions

Slide 25: [Screenshot of the training email] Subject: Revision to Your Amazon.com Information

Slide 26: [Screenshot of the training email] Subject: Revision to Your Amazon.com Information

Please login and enter your information
http://www.amazon.com/exec/obidos/sign-in.html

Slide 28: Design rationale

• Paper and HTML prototypes
• One page constraint
• Analyzed instructions from most popular websites
• Present the training materials when users click on the link

Callouts on the intervention screenshot:
• Applies learning-by-doing and immediate feedback principles
• Applies story-based agent principle
• Applies contiguity principle
• Presents procedural knowledge
• Applies personalization principle
• Presents conceptual knowledge

Slide 34: Iterations [screenshots]

Slide 35: First intervention [screenshot]

Slide 36: Intervention: eBay [screenshot]

Slide 42: Focus group studies

• One with age group 18–55 and another with age group greater than 65
• All age groups will read the interventions
• Everybody liked the gold fish and the comic script format
• Participants did not like the phisher character

Slide 45: Outline (repeated from slide 16)


Slide 46: First lab study results

• Security notices are an ineffective medium for training users
• Users educated with embedded training make better decisions than those sent security notices

Kumaraguru, P., Rhee, Y., Acquisti, A., Cranor, L. F., Hong, J., and Nunge, E. Protecting people from phishing: the design and evaluation of an embedded training email system. CHI '07, pp. 905-914.

Slide 47: Second lab study results

• Users educated with PhishGuru retained knowledge after seven days
• Users trained with embedded training did better than users trained with non-embedded training

Kumaraguru, P., Rhee, Y., Sheng, S., Hasan, S., Acquisti, A., Cranor, L. F., and Hong, J. Getting users to pay attention to anti-phishing education: Evaluation of retention and transfer. e-Crime Researchers Summit, Anti-Phishing Working Group (2007).
Slide 48: Real world study: Portuguese ISP

• PhishGuru is effective in training people in the real world
• Trained participants retained knowledge after 7 days of training

Kumaraguru, P., Sheng, S., Acquisti, A., Cranor, L. F., and Hong, J. Lessons from a real world evaluation of anti-phishing training. e-Crime Researchers Summit, 2008.

Slide 49: Real world study: CMU

• Evaluate effectiveness of PhishGuru training in the real world
• Investigate retention after 1 week, 2 weeks, and 4 weeks
• Compare effectiveness of 2 training messages with effectiveness of 1 training message

P. Kumaraguru, J. Cranshaw, A. Acquisti, L. Cranor, J. Hong, M. A. Blair, and T. Pham. School of Phish: A Real-World Evaluation of Anti-Phishing Training. 2009. Under review.

Slide 50: Study design

• Sent email to all CMU students, faculty and staff to recruit participants to opt-in to study
• 515 participants in three conditions
  – Control
  – One training message
  – Two training messages
• Emails sent over 28 day period
  – 7 simulated spear-phishing messages
  – 3 legitimate messages from ISO (cyber security scavenger hunt)
• Exit survey

Slide 51: Implementation

• Unique hash in the URL for each participant
• Demographic and department/status data linked to each hash
• Form does not POST login details
• Campus help desks and all spoofed departments were notified before messages were sent
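The tracking scheme on this slide (a unique hash per participant in the URL, demographic data linked to the hash, a login form that never posts credentials), as an added Python illustration that is not the study's own code: the keyed-hash derivation of the ID, the roster, the hostname and all request traffic are constructed assumptions, while the change.htm/thankyou.html URL shape follows slides 54 and 55.

```python
"""Per-participant tracking for a simulated-phishing training study, modelled
on the CMU PhishGuru study design on this page. Added illustration, not the
study's code: key, roster, hostname and traffic are all constructed."""
import hashlib
import hmac
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed secret. The ID in the URL must not be derivable from the campus
# username (an assumption about how the page's "unique hash" could be built).
STUDY_KEY = b"constructed-study-key-not-real"

# Constructed roster: username -> (condition, department, status).
ROSTER = {
    "alice": ("control", "SCS", "student"),
    "bob": ("one-train", "CIT", "staff"),
    "carol": ("two-train", "SCS", "faculty"),
    "dave": ("two-train", "HSS", "student"),
}

HOST = "http://simulated-phish.example"  # placeholder for the study's own host


def participant_id(username: str) -> str:
    """Opaque, stable token for the URL. Demographic data is reached only
    through this token and never travels in the URL itself."""
    digest = hmac.new(STUDY_KEY, username.encode(), hashlib.sha256)
    return digest.hexdigest()[:16]


# Token -> (username, condition, department, status): the data "linked to each hash".
PARTICIPANTS = {participant_id(u): (u,) + attrs for u, attrs in ROSTER.items()}


def phish_url(username: str) -> str:
    """Training-message link, same shape as the page's change.htm?ID=... URL."""
    return f"{HOST}/password/change.htm?ID={participant_id(username)}"


def thankyou_url(username: str) -> str:
    """Page the form forwards to; only the ID travels, never the form fields."""
    return f"{HOST}/password/thankyou.html?ID={participant_id(username)}"


def record_request(log: list, day: int, url: str) -> bool:
    """Log one hit on the simulated site as (day, token, event).

    The login form never POSTs credentials; submitting only forwards the ID to
    thankyou.html, so the server distinguishes "clicked" from "clicked & gave"
    without ever receiving a password. Hits without a known token (scanners,
    forwarded links) are ignored and the function returns False."""
    parsed = urlparse(url)
    token = parse_qs(parsed.query).get("ID", [None])[0]
    if token not in PARTICIPANTS:
        return False
    page = parsed.path.rsplit("/", 1)[-1]
    events = {"change.htm": "clicked", "thankyou.html": "gave"}
    if page not in events:
        return False
    log.append((day, token, events[page]))
    return True


def rates_by_condition(log: list, day: int) -> dict:
    """Per-condition percentages for one study day, computed as in the page's
    'Effect of PhishGuru' table: N of the condition in the denominator and each
    participant counted at most once, however often they reloaded the page."""
    stats = defaultdict(lambda: {"n": 0, "clicked": set(), "gave": set()})
    for token, (_, cond, _, _) in PARTICIPANTS.items():
        stats[cond]["n"] += 1
    for d, token, event in log:
        if d == day:
            stats[PARTICIPANTS[token][1]][event].add(token)
    return {
        cond: {
            "n": s["n"],
            "clicked_pct": round(100.0 * len(s["clicked"]) / s["n"], 1),
            "gave_pct": round(100.0 * len(s["gave"]) / s["n"], 1),
        }
        for cond, s in stats.items()
    }


def demo_day0() -> dict:
    """Constructed day-0 traffic: alice clicks twice (reload) and submits, bob
    only clicks, carol clicks and submits, dave ignores the message, and one
    stray hit carries an ID that belongs to nobody in the study."""
    log = []
    record_request(log, 0, phish_url("alice"))
    record_request(log, 0, phish_url("alice"))
    record_request(log, 0, thankyou_url("alice"))
    record_request(log, 0, phish_url("bob"))
    record_request(log, 0, phish_url("carol"))
    record_request(log, 0, thankyou_url("carol"))
    record_request(log, 0, f"{HOST}/password/change.htm?ID=deadbeefdeadbeef")
    return rates_by_condition(log, 0)


if __name__ == "__main__":
    for cond, row in demo_day0().items():
        print(f"{cond:10s} N={row['n']} clicked={row['clicked_pct']}% gave={row['gave_pct']}%")
```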

Slide 52: Study schedule

Day of the study | Control           | One training message | Two training messages
Day 0            | Test and real     | Train and real       | Train and real
Day 2            | Test              | Test                 | Test
Day 7            | Test and real     | Test and real        | Test and real
Day 14           | Test              | Test                 | Train
Day 16           | Test              | Test                 | Test
Day 21           | Test              | Test                 | Test
Day 28           | Test and real     | Test and real        | Test and real
Day 35           | Post-study survey | Post-study survey    | Post-study survey

Here "Test" is a simulated spear-phishing message and "real" a legitimate ISO message: seven test days and three real days, matching the 7 and 3 messages on slide 50.

Slide 53: Simulated spear phishing message

[Screenshot of the message; callouts: URL is not hidden; Plain text email without graphics]

Slide 54: Simulated phishing website

http://andrewwebmail.org/password/change.htm?ID=9009

Slide 55: Simulated phishing website

http://andrewwebmail.org/password/thankyou.html?ID=9009

Slide 56: PhishGuru intervention [screenshot]

Slide 57: Effect of PhishGuru

Condition | N   | % who clicked on Day 0 | % who clicked on Day 28
Control   | 172 | 52.3                   | 44.2
Trained   | 343 | 48.4                   | 24.5

Slide 58: Results conditioned on participants who clicked on day 0

[Bar chart: x-axis Day 2, Day 7, Day 14, Day 16, Day 21, Day 28, with one bar each for Control, Onetrain and Twotrain; y-axis Percentage (0 to 100); bar segments "Only Clicked" and "Clicked & Gave"; legend Control (N = 90), One-train (N = 89), Two-train (N = 77)]

Callout: Trained participants less likely to fall for phish

Slide 59: Results conditioned on participants who clicked on day 0

[Same chart as slide 58]

Callouts: Trained participants less likely to fall for phish; Trained participants remember what they learned 28 days later

Slide 60: Results conditioned on participants who clicked on day 0 and day 14

[Bar chart: x-axis Day 16, Day 21, Day 28, with one bar each for Control, Onetrain and Twotrain; y-axis Percentage (0 to 100); bar segments "Only Clicked" and "Clicked & Gave"; legend Control (N = 54), One-train (N = 35), Two-train (N = 34)]

Callout: Two-train participants less likely than one-train participants to click on days 16 and 21

Slide 61: Results conditioned on participants who clicked on day 0 and day 14

[Same chart as slide 60]

Callouts: Two-train participants less likely than one-train participants to click on days 16 and 21; Two-train participants less likely than one-train participants to provide information on day 28

Slide 62: Legitimate emails

Condition | N  | Day 0 Clicked % | Day 7 Clicked % | Day 28 Clicked %
Control   | 90 | 50.0            | 41.1            | 38.9
One-train | 89 | 39.3            | 42.7            | 32.3
Two-train | 77 | 48.1            | 44.2            | 35.1

No difference between the three conditions on day 0, 7, and 28

Slide 63: Legitimate emails

[Same table as slide 62]

No difference between the three conditions on day 0, 7, and 28

No difference within the three conditions for the three emails

Slide 64: Most participants liked training, wanted more

• 280 complete post study responses
• 80% recommended that CMU continue PhishGuru training
  – "I really liked the idea of sending CMU students fake phishing emails and then saying to them, essentially, HEY! You could've just gotten scammed! You should be more careful - here's how...."
  – "I think the idea of using something fun, like a cartoon, to teach people about a serious subject is awesome!"

Slide 65: Summary from this study

• People trained with PhishGuru were less likely to click on phishing links than those not trained
• People retained their training for 28 days
• Two training messages are better than one
• PhishGuru training does not make people less likely to click on legitimate links

Slide 66: Summary of studies

Studies              | Results
Lab study I          | • Security notices are ineffective
                     | • Users educated with PhishGuru made better decisions
Lab study II         | • Users in embedded condition retain and transfer knowledge more effectively than other conditions even after 7 days
Real-world study I   | • PhishGuru is effective in training people in the real world
                     | • Trained participants retained knowledge after 7 days of training
Real-world study II  | • People trained with PhishGuru were less likely to click on phishing links than those not trained
                     | • People retained their training for 28 days
                     | • Two training messages are better than one
                     | • PhishGuru training does not make people less likely to click on legitimate links

Slide 67: Outline (repeated from slide 16)

Slide 68: Current situation

[Flow diagram: Phishing sites identified → Phishing sites taken down → Consumers click on links]

Slide 69: APWG landing page

[Flow diagram with the same labels as slide 68: Phishing sites identified → Phishing sites taken down → Consumers click on links]

Slide 70: Implementation and results

• http://education.apwg.org
• Collect and analyze log files
• Add the phishing URL in the HTTP request
• Being translated into 15 languages
• 56,699 teachable moments
• Phishing emails
  – are still traditional
  – have a lot of formatting and grammatical errors


Slide 71: Outline (repeated from slide 16)

Slide 72: Anti-Phishing Phil

• Online game
• http://wombatsecurity.com/antiphishingphil
• Teaches people how to protect themselves from phishing attacks
  – identify phishing URLs
  – use web browser cues
  – find legitimate sites with search engines

S. Sheng, B. Magnien, P. Kumaraguru, A. Acquisti, L. Cranor, J. Hong, and E. Nunge. Anti-Phishing Phil: The Design and Evaluation of a Game That Teaches People Not to Fall for Phish. In Proceedings of the 2007 Symposium On Usable Privacy and Security, Pittsburgh, PA, July 18-20, 2007.

Slide 74: Outline (repeated from slide 16)

Slide 76: Security user education is possible

• Conventional wisdom: end-user security education does not work
• My work shows: you can teach Johnny not to fall for phish
• Aim to reduce computer security threats through technology and enforcement
• Complement these efforts with user education

Slide 77: Design principles

• Integrate security education into users' primary tasks
• Apply instructional design principles to interventions
  – Comic strip format
  – Fun and interactive
  – Story format
• Format instructions as a list of actionable items
• Make training repetitive
• Keep training messages short and simple

Slide 78: My research contributions

• Privacy and security
  – Users can be educated
  – Methodology for solving phishing
• Learning science
  – Applying to privacy & security
  – Development of embedded training
• Human computer interaction
  – Designing instructional materials
  – Understanding users' strategies

Slide 79: Research to reality

• PhishGuru commercialized
• Co-founded by faculty at CMU
  – Dr. Lorrie Cranor
  – Dr. Jason Hong
  – Dr. Norman Sadeh

Slide 80: Future work

• Applying embedded training in other scenarios
• Testing other mediums of training
• Studying longer retention and the effect of more training

Slide 81: Acknowledgements

• Members of Supporting Trust Decisions research group
• Members of CyLab Usable Privacy and Security laboratory
• Members of COS Ph.D. program, ISO, APWG
• Supported by NSF, ARO, CyLab, ISP in Portugal

Slide 82

Hajin YongShellyJerry
http://phishguru.org/
CyLab Usable Privacy and Security Laboratory
http://www.cs.cmu.edu/~ponguru/
Learn how to protect yourself from phishing attacks.
