OBJECTIVE: Evaluate the effectiveness of training embedded within security warnings to identify phishing webpages. BACKGROUND: More than 20 million malware and phishing warnings are shown to users of Google Safe Browsing every week. A substantial click-through rate is still evident, and a commonly reported issue is that users do not understand the warnings. Nevertheless, each warning provides an opportunity to train users about phishing and how to avoid phishing attacks. METHOD: To test the use of phishing-warning instances as opportunities to train users' phishing webpage detection skills, we conducted an online experiment contrasting the effectiveness of the current Chrome phishing warning with two training-embedded warning interfaces. The experiment consisted of three phases. In Phase 1, participants made login decisions on 10 webpages with the aid of a warning. After a distracting task, participants made legitimacy judgments for 10 different login webpages without warnings in Phase 2. To test the long-term effect of the training, participants were invited back a week later to participate in Phase 3, which was conducted in the same way as Phase 2. RESULTS: Participants differentiated legitimate and fraudulent webpages better than chance. Performance was similar for all interfaces in Phase 1, where the warning aid was present. However, the training-embedded interfaces provided better protection than the Chrome phishing warning in both subsequent phases. CONCLUSION: Embedded training is a complementary strategy that compensates for a lack of phishing webpage detection skill when no phishing warning is present. APPLICATION: Potential applications include the development of training-embedded warnings to enable security training at scale.
Keywords:
action on cybersecurity; cybersecurity; phishing; procedural knowledge; training
Authors: Aurélien Baillon; Jeroen de Bruin; Aysil Emirmahmutoglu; Evelien van de Veer; Bram van Dijk
Journal: PLoS One
Date: 2019-12-18
Impact factor: 3.240