Protecting people from phishing: The design and evaluation of an embedded training email system

Conference on Human Factors in Computing Systems - Proceedings

Volumn , Issue , 2007, Pages 905-914

  Kumaraguru, Ponnurangam ^a   Rhee, Yong ^a   Acquisti, Alessandro ^a   Cranor, Lorrie Faith ^a   Hong, Jason ^a   Nunge, Elizabeth ^a  

^a CARNEGIE MELLON UNIVERSITY   (United States)

Author keywords

Email; Embedded training; Phishing; Situated learning; Usable privacy and security

Indexed keywords

COMPUTER CRIME; ELECTRONIC MAIL; SECURITY OF DATA; WEBSITES;

EMBEDDED TRAINING; SITUATED LEARNING;

EMBEDDED SYSTEMS;

EID: 35348906237     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1240624.1240760     Document Type: Conference Paper

References (40)

1. Anderson, J. R., A. T. Corbett, K. Koedinger and R. Pelletier. 1995. Cognitive tutors: Lessons learned. The Journal of Learning Sciences, 4, pp. 167-207.
2. Anderson, J. R., M. R. Lynne and Herbert A. Simon. 1996. Situated Learning and Education. Educational Researcher. Vo. 25, No.4, pp. 5-11.
3. Anti-Phishing Working Group. Phishing Activity Trends Report. 2006. http://www.antiphishing.org/reports/apwg_report_jan_2006.pdf.
4. Anti-Phishing Working group, http://www.antiphishing.org/. Retrieved on Sept 20, 2006.
5. Betrancourt, M. and A. Bisseret. 1998. Integrating textual and pictorial information via pop-up windows: an experimental study. Behaviour and Information Technology. Volume 17, Number 5, pp. 263-273(11).
6. Clark, R. C. and E. M. Richard. 2002. E-Learning and the science of instruction: proven guidelines for consumers and designers of multimedia learning. Pfeiffer, San Francisco, USA.
7. Dhamija, R., Tygar, J. D., and Hearst, M. 2006. Why phishing works. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (Montréal, Québec, Canada, April 22-27, 2006). R. Grinter, T. Rodden, P. Aoki, E. Cutrell, R. Jeffries, and G. Olson, Eds. CHI '06. ACM Press, New York, NY, 581-590. DOI= http://doi.acm.org/10.1145/1124772. 1124861.
8. Dhamija, R. and Tygar, J. D. 2005. The battle against phishing: Dynamic Security Skins. In Proceedings of the 2005 Symposium on Usable Privacy and Security (Pittsburgh, Pennsylvania, July 06-08, 2005). SOUPS '05, vol. 93. ACM Press, New York, NY, 77-88. DOI= http://doi.acm.org/10.1145/1073001.1073009.
9. Drake, C. E., J. J. Oliver and E. J. Koontz. MailFrontier. Anatomy of a Phishing Email. Retrieved Feb 27, 2006, http://www.mailfrontier.com/docs/ MF_Phish_Anatomy.pdf.
10. Downs, J. S., Holbrook, M. B., and Cranor, L. F. 2006. Decision strategies and susceptibility to phishing. In Proceedings of the Second Symposium on Usable Privacy and Security (Pittsburgh, Pennsylvania, July 12-14, 2006). SOUPS '06, vol. 149. ACM Press, New York, NY, 79-90. DOI= http://doi.acm.org/10.1145/1143120.1143131.
11. eBay. Spoof Email Tutorial. Retrieved December 30, 2006. http://pages.ebay.com/education/spooftutorial/
12. eBay Toolbar. Retrieved December 30, 2006. http://pages.ebay.com/ ebay_toolbar/
13. Erhel, S. and E. Jamet. 2006. Using pop-up windows to improve multimedia learning. Journal of Computer Assisted Learning, Volume 22, Number 2. pp. 137-147.
14. Federal Trade Commission. An E-Card for You game. Retrieved December 30, 2006. http://www.ftc.gov/bcp/conline/ecards/phishing/index.html.
15. Federal Trade Commission. Phishing Alerts. Retrieved December 30, 2006. http://www.ftc.gov/bcp/conline/pubs/alerts/phishingalrt.htm
16. Ferguson, A. J. 2005. Fostering E-Mail Security Awareness: The West Point Carronade. EDUCASE Quarterly. http://www.educause.edu/ir/library/pdf/ eqm0517.pdf.
17. Fette, I., N. Sadeh and A. Tomasic. Learning to Detect Phishing Emails. June 2006. ISRI Technical report, CMU-ISRI-06-112. http://reports-archive.adm. cs.cmu.edu/anon/isri2006/CMU-ISRI-06-112.pdf.
18. Jagatic, T.,N. Johnson, M. Jakobsson and F. Menczer. Social Phishing. To appear in the Communications of the ACM. Retrieved March 7, 2006, http://www.indiana.edu/~phishing/social-network-experiment/phishing-preprint. pdf.
19. Jakobsson, M. and Ratkiewicz, J. 2006. Designing ethical phishing experiments: a study of (ROT13) rOnl query features. In Proceedings of the 15th international Conference on World Wide Web (Edinburgh, Scotland, May 23-26, 2006). WWW '06. ACM Press, New York, NY, 513-522. DOI= http://doi.acm.org/10.1145/1135777.1135853
20. James, L. 2005. Phishing Exposed. Syngress, Canada.
21. Kumaraguru, P., A. Acquisti and L. Cranor. 2006. Trust modeling for online transactions: A phishing scenario. Proceedings of Privacy Security Trust, Oct 30 - Nov 1, 2006, Ontario, Canada
22. Lininger, R. and R. Dean. 2005. Phishing: Cutting the Identity Theft Line. Wiley, publishing Inc. Indianapolis, Indiana, USA.
23. Mail Frontier. Phishing IQ. http://survey.mailfrontier.com/survey/ quiztest.html.Retrieved Sept 20, 2006
24. Mayer, R.E. Multimedia Learning. 2001. New York Cambridge University Press.
25. Mayer, R.E. and R B. Anderson. 1991 Animations Need Narrations: An Experimental Test of a Dual Coding Hypothesis. Journal of Educational Psychology. Volume 83, Number 4. pp. 484-490.
26. Microsoft. Consumer Awareness Page on Phishing. Retrieved September 10, 2006. http://www.microsoft.com/athome/security/email/phishing.mspx
27. Miller, R. C. and M. Wu. 2005. Fighting Phishing at the User Interface, In Lorrie Cranor and Simson Garfinkel (Eds.) Security and Usability: Designing Secure Systems that People Can Use. O'Reilly.
28. Netcraft. Retrieved September 10, 2006. http://news.netcraft.com/
29. New York State Office of Cyber Security & Critical Infrastructure Coordination. 2005. Gone Phishing... A Briefing on the Anti-Phishing Exercise Initiative for New York State Government. Aggregate Exercise Results for public release.
30. Richmond, R. Hackers set up attacks on home PCs, financial firms: study. Retrieved September 25, 2006. http://www.marketwatch.com/News/Story/Story.aspx? dist=newsfinder&siteid=google&guid=%7B92615073-95B6-452E-A3B9- 569BEACF91E8%7D&keyword=
31. Robila, S. A., J. James and W. Ragucci. 2006. Don't be a phish: steps in user education. ITICSE '06: Proceedings of the 11th annual SIGCSE conference on Innovation and technology in computer science education. pp 237-241. New York, NY, USA.
32. Schmeck, R. R. (Ed) 1988. Learning styles and strategies. New York: Plenum Press.
33. Schneier, B. 2000. Semantic Attacks: The Third Wave of Network Attacks. Crypto-Gram Newsletter. Retrieved Sep 2, 2006, http://www.schneier.com/crypto- gram-0010.html#1.
34. SpamAssasin. Retrieved September 10, 2006. http://spamassassin.apache. org/
35. SpoofGuard. Retrieved September 10, 2006, http://crypto.stanford.edu/ SpoofGuard/
36. SpoofStick. Retrieved September 10, 2006. http://www.spoofstick.com/
37. SquirrelMail. Retrieved September 10, 2006. http://www.squirrelmail.org/
38. Wu, M., Miller, R. C., and Garfinkel, S. L. 2006. Do security toolbars actually prevent phishing attacks?. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (Montréal, Québec, Canada, April 22-27, 2006). R. Grinter, T. Rodden, P. Aoki, E. Cutrell, R. Jeffries, and G. Olson, Eds. CHI '06. ACM Press, New York, NY, 601-610. DOI= http://doi.acm.org/10.1145/1124772.1124863.
39. Ye, Z. and Sean S. Trusted Paths for Browsers. 2002. Proceedings of the 11th USENIX Security Symposium. pp. 263-279. USENIX Association. Berkeley, CA, USA.
40. Zhang, Y., S. Egelman, L. Cranor, and J. Hong. 2007. Phinding Phish: Evaluating Anti-Phishing Tools. In. Proceedings of the 14th Annual Network and Distributed System Security Symposium (NDSS 2007), San Diego, CA, 28 February -2 March, 2007.