Don’t click: towards an effective anti-phishing training. A comparative literature review

@article{Jampen2020DontCT,
  title={Don’t click: towards an effective anti-phishing training. A comparative literature review},
  author={Daniel Jampen and G{\"u}rkan G{\"u}r and Thomas Sutter and Bernhard Tellenbach},
  journal={Human-centric Computing and Information Sciences},
  year={2020},
  volume={10},
  pages={1--41}
}
Email is of critical importance as a communication channel for both business and personal matters. Unfortunately, it is also often exploited for phishing attacks. To defend against such threats, many organizations have begun to provide anti-phishing training programs to their employees. A central question in the development of such programs is how they can be designed sustainably and effectively to minimize the vulnerability of employees to phishing attacks. In this paper, we survey and… 

SoK: Human-Centered Phishing Susceptibility

TLDR
A three-stage Phishing Susceptibility Model (PSM) is proposed to explain how humans are involved in phishing detection and prevention; the phishing susceptibility variables studied in the literature are then systematically investigated and taxonomized using this model.

Falling for Phishing: An Empirical Investigation into People's Email Response Behaviors

TLDR
An empirical study investigates how people make response decisions while reading their emails and identifies eleven factors that influence people's response decisions to both phishing and legitimate emails.

A Systematic Literature Review on Phishing and Anti-Phishing Techniques

TLDR
The study finds that spear phishing, email spoofing, email manipulation and phone phishing are the most commonly used phishing techniques, and that, according to the SLR, machine learning approaches have the highest accuracy in preventing and detecting phishing attacks among all other anti-phishing approaches.

A Review of Factors Affecting the Effectiveness of Phishing

TLDR
The review finds that attackers rely on triggering emotional responses in their victims through their phishing attacks, and artificial intelligence is applied to detect the emotion associated with a phrase or sentence.

Experimental Investigation of Technical and Human Factors Related to Phishing Susceptibility

TLDR
Significant differences in phishing susceptibility were obtained for different email contexts and depending on whether individuals had been successfully phished before; a variety of behavioral and psychological factors measured via pre- and post-campaign surveys are also examined.

Phishing in Organizations: Findings from a Large-Scale and Long-Term Study

TLDR
It is demonstrated that using employees as a collective phishing detection mechanism is practical in large organizations: it allows fast detection of new phishing campaigns, the operational load for the organization is acceptable, and employees remain active over long periods of time.

How Good Are We at Detecting a Phishing Attack? Investigating the Evolving Phishing Attack Email and Why It Continues to Successfully Deceive Society

TLDR
This paper explores current phishing attack characteristics, especially the growing challenges that have emerged as a result of the COVID-19 pandemic, and finds that people were not confident in, were worried about, and were often dissatisfied with the current technologies available to protect them against phishing emails.

THE PLACE OF SOCIAL ENGINEERING IN THE PROBLEM OF DATA LEAKS AND ORGANIZATIONAL ASPECTS OF CORPORATE ENVIRONMENT PROTECTION AGAINST FISHING E-MAIL ATTACKS

TLDR
The article discusses the main methods used by attackers to conduct phishing attacks via e-mail and the signs that a user has fallen victim to social engineers, and provides recommendations on how to increase the resilience of the corporate environment to such attacks using organizational methods.

ROLE OF AWARENESS TO PREVENT PERSONAL DISASTERS: REDUCING THE RISKS OF FALLING FOR PHISHING BY STRENGTHENING USER AWARENESS

TLDR
Based on recent literature, this paper first gives a general overview of social engineering as a means for phishing and then evaluates whether awareness as a preventive measure is considered effective in the selected literature.

Simulated Phishing Attack and Embedded Training Campaign

TLDR
An in-depth case study of a large phishing awareness campaign is conducted, revealing that phishing awareness is a learning process through which individuals' behavior can be strengthened by reinforcement and punishment.

References

Showing 1-10 of 173 references

Phishing counter measures and their effectiveness - literature review

  • S. Purkait
  • Business, Computer Science
    Inf. Manag. Comput. Secur.
  • 2012
TLDR
The findings reveal that the current anti-phishing approaches that have seen significant deployment over the internet can be classified into eight categories, and that the different approaches proposed so far are all preventive in nature.

Confront Phishing Attacks — from a Perspective of Security Education

  • T. Takata, Kanayo Ogura
  • Computer Science
    2019 IEEE 10th International Conference on Awareness Science and Technology (iCAST)
  • 2019
TLDR
The relationship between human psychological characteristics and vulnerability to social engineering can be used to test whether a user is vulnerable to a given social engineering technique, and the test result can be used for countermeasures or user training.

Teaching Johnny not to fall for phish

TLDR
The results suggest that, while automated detection systems should be used as the first line of defense against phishing attacks, user education offers a complementary approach to help people better recognize fraudulent emails and websites.

Social Engineering and Organisational Dependencies in Phishing Attacks

TLDR
This work presents the results of a 56,000-participant phishing attack simulation carried out within a multi-national financial organisation, showing that social proof was the most effective attack vector, followed by authority and scarcity.

Security Awareness Training: A Review

TLDR
This paper reviews users’ training approach as a non-technical solution to mitigate security threats in general and phishing problem in particular and considers knowledge acquisition, knowledge retention, and knowledge transfer aspects.

Baiting the hook: factors impacting susceptibility to phishing attacks

TLDR
Gender and years of PC usage have a statistically significant impact on the detection rate of phishing; pop-up based attacks have a higher rate of success than the other tested strategies; and the psychological anchoring effect can be observed in phishing as well.

School of phish: a real-world evaluation of anti-phishing training

TLDR
Results of this study show that users trained with PhishGuru retain knowledge even after 28 days; adding a second training message to reinforce the original training decreases the likelihood of people giving information to phishing websites; and training does not decrease users' willingness to click on links in legitimate messages.

User Context: An Explanatory Variable in Phishing Susceptibility

TLDR
This work presents 4.5 years of workplace-situated, embedded phishing email training exercise data, focusing on the last three phishing exercises with participant feedback, which firmly identifies the alignment of user context and the phishing attack premise as a significant explanatory factor in phishing susceptibility.

Measuring the Effectiveness of Embedded Phishing Exercises

TLDR
A systematic analysis is conducted of data from a large real-world embedded phishing exercise that involved 19,180 participants from a single organization and utilized 115,080 test phishing emails.

An Anti-phishing Training System for Security Awareness and Education Considering Prevention of Information Leakage

TLDR
This paper proposes an anti-phishing training system which does not save sensitive data such as trainees' e-mail addresses and names to public servers, and which is implementable at a low cost.
...