Cybersecurity ABCs by Barker Jessica;Davis Adrian;Hallas Bruce;Mc Mahon Ciarán;
Author:Barker, Jessica;Davis, Adrian;Hallas, Bruce;Mc Mahon, Ciarán;
Language: eng
Format: epub
Publisher: BCS Learning & Development Limited
Published: 2021-12-15T00:00:00+00:00
Anti-phishing
Phishing attacks seem to be the main vector for so many cyberattacks these days, and, as a result, CISOs have to design their behaviour change projects accordingly. As shown in Table 5.2, close to four-fifths of our survey respondents reported that they concentrated on phishing in training either ‘often’ or ‘constantly’.
Like password usage, phishing is one aspect of information security behaviour where there is relatively more scientific research. One study on phishing in 2017 is noteworthy. An American team led by Carella carried out a user study experiment with 150 university students that aimed to establish an educational standard for anti-phishing campaigns (Carella et al., 2017). Over several weeks, participants received a variety of simulated phishing emails, and data was gathered on the emails in which they clicked on the links.
Participants were split into three groups that received different levels of anti-phishing training: a control group, which received no training at all; a presentation group, which received an in-class anti-phishing training presentation; and a documents group, who were directed to anti-phishing awareness documentation each time they clicked on a link in a simulated phishing email. Notably, the actual information received by both the presentation group and the documents group was essentially the same; only the manner of its communication differed. As you can probably deduce, the documents group were being treated with a form of positive punishment: they were being given something extra in order to try to decrease a behaviour.
Seven waves of phishing emails were sent out to each of these groups. In the first week, each group performed quite similarly, with click-through rates of over 50 per cent. This is shocking enough in and of itself – before any intervention took place, the participants were highly likely to click through on a link in a phishing email.
In the second week, the presentation group received their in-class anti-phishing training presentation. Thereafter this group's click-through rate fell substantially – for a while. In waves 2, 3 and 4, the presentation group performed in the mid-30 per cent range, but by wave 7, the final week, their click-through rate was basically back where it started from, at 50 per cent. By the end of the experiment, the presentation group was performing on anti-phishing detection at the same rate as the control group, who had received no training at all. This kind of rebound may be familiar to anyone who's ever carried out cybersecurity workshops in an attempt to change behaviour.
On the other hand, those in the documents group performed very well, with their click-through rates dropping from one week to the next. By the last wave, this group were clicking on a mere 8 per cent of links in phishing emails. Hence this method of phishing training – that is, redirecting to anti-phishing resources after clicking on a phishing link in a simulated attack – appears to have a solid scientific basis and is more effective than a classroom exercise.
However, given what we outlined above regarding the effects of
