Anti-Phishing Phil: The design and evaluation of a game that teaches people not to fall for phish

ACM International Conference Proceeding Series

Volumn 229, Issue , 2007, Pages 88-99

  Sheng, Steve ^a   Magnien, Bryant ^a   Kumaraguru, Ponnurangam ^a   Acquisti, Alessandro ^a   Cranor, Lorrie Faith ^a   Hong, Jason ^a   Nunge, Elizabeth ^a  

^a CARNEGIE MELLON UNIVERSITY   (United States)

Author keywords

Development and testing; Game design; Interactive learning; Learning science; Phishing; Security user education; Usable privacy and security

Indexed keywords

GAME DESIGN; INTERACTIVE LEARNING; LEARNING SCIENCE; PHISHING; SECURITY USER EDUCATION; USABLE PRIVACY AND SECURITY;

GAME THEORY; INTERACTIVE COMPUTER SYSTEMS; ITERATIVE METHODS; LEARNING SYSTEMS; SYSTEMS ANALYSIS; WEBSITES;

SECURITY OF DATA;

EID: 36849073159     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1280680.1280692     Document Type: Conference Paper

References (40)

1. Abdi, H. (2007). Signal detection theory. In: Salkind, NJ. (Ed.), Encyclopedia of Measurement and Statistics. Thousand Oaks (CA), Sage.
2. Anderson, J. R. Rules of the Mind. Lawrence Erlbaum Associates, Inc., 1993.
3. Camtasia Studio. Retrieved Nov 9, 2006. http://www.tec.hsmith.com/ camtasia.asp.
4. Dhamija, R. and J. D. Tygar. 2005. The battle against phishing: Dynamic Security Skins. In Proceedings of the 2005 Symposium on Usable Privacy and Security (Pittsburgh, Pennsylvania, July 06 - 08, 2005). SOUPS '05, vol. 93. ACM Press, New York, NY, 77-88. DOI= http://doi.acm.org/10.1145/1073001. 1073009.
5. Dhamija, R., J. D. Tygar. and M. Hearst. 2006. Why phishing works. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (Montréal, Québec, Canada, April 22 - 27, 2006). R. Grinter, T. Rodden, P. Aoki, E. Cutrell, R. Jeffries, and G. Olson, Eds. CHI '06. ACM Press, New York, NY, 581-590. DOI= http://doi.acm.org/10.1145/1124772. 1124861.
6. Donovan, M. S., Bransford, J. D., & Pellegrino, J.W. 1999. How people learn: Bridging research and practice. Washington, D.C.: National Academy Press.
7. Downs, J., M. Holbrook and L. Cranor. 2006. Decision strategies and susceptibility to phishing. In Proceedings of the Second Symposium on Usable Privacy and Security (Pittsburgh, Pennsylvania, July 12 - 14, 2006). SOUPS '06, vol. 149. ACM Press, New York, NY, 79-90. DOI= http://doi.acm.org/10.1145/ 1143120.1143131.
8. eBay. Spoof Email Tutorial. Retrieved March 7, 2006, http://pages.ebay. com/education/spooftutorial/.
9. Evers, J. Security Expert: User education is pointless. Retrieved, Jan 13, 2007, http://news.com.com/2100-7350_3-6125213.html.
10. Federal Trade Commission. An E-Card for You game. Retrieved Nov 7, 2006, http://www.ftc.gov/bcp/con.line/ecards/phishing/index.html.
11. Federal Trade Commission. How Not to Get Hooked by a Phishing Scam. Retrieved Nov 7, 2006, http://www.ftc.gov/bcp/edu/pubs/consumer/alerts/alt127. htm.
12. Ferguson, A. J. 2005. Fostering E-Mail Security Awareness: The West Point Carronade. EDUCASE Quarterly. 2005, 1. Retrieved March 22, 2006, http://www.educause.edu/ir/library/pdf/eqm0517.pdf.
13. Gee, J. P. What Video Games Have to Teach Us About Learning and Literacy. Palgrave Macmillan, Hampshire, England, 2003.
14. Gorling, S. 2006. The myth of user education. In Proceedings of the 16th Virus Bulletin International Conference.
15. Herzberg, A., and Gbara, A. 2004. TrustBar: Protecting (even Naïve) Web Users from Spoofing and Phishing Attacks. Cryptology ePrint Archive, Report 2004/155. http://epr.int.iacr.org/2004/155.
16. Jagatic, T.,N. Johnson, M. Jakobsson and F. Menczer. Social Phishing. To appear in Communications of the ACM. Retrieved March 7, 2006, http://www.indiana.edu/~phishing/social-network-experiment/phishing-preprint. pdf.
17. Jakobsson, M., and Myers, S., Eds. Phishing and Countermeasures: Understanding the Increasing Problem of Electronic Identity Theft. Wiley-Interscience, 2006.
18. James, L. 2005. Phishing Exposed. Syngress, Canada.
19. Johnson, B. R., and Koedinger, K. R. 2002. Comparing instructional strategies for integrating conceptual and procedural knowledge. In Proceedings of the Annual Meeting [of the] North American Chapter of the International Group for the Psychology of Mathematics Education, vol. 1-4, pp. 969-978.
20. Klein, G. Sources of power : How people make decisions? The MIT Press Cambridge, Massachusetts The MIT Press, Cambridge, Massachusetts, London, England, February 1999.
21. Kumaraguru, P., Sheng, S., Acquisti, A., Cranor, L. F., and Hong, J. 2007. Teaching Johnny not to fall for phish. Tech. rep., Carnegie Mellon University. http://www.cylab.cmu.edu/files/cmucylab07003.pdf.
22. Kumaraguru, P., Y. Rhee, A. Acquisti, L. Cranor, J. Hong and E. Nunge. 2007. Protecting People from Phishing: The Design and Evaluation of an Embedded Training Email System. In Proceedings of the 2007 Computer Human Interaction, CHI 2007.
23. Macmillan, N.A., Creelman, C.D. 2005. Detection theory: user's guide (2nd edition).Mahwah (NJ): Erlbaum.
24. Maldonado, H., Lee, J.-E. R., Brave, S., Nass, C., Nakajima, H., Yamada, R., Iwamura, K., and Morishima, Y. 2005. We learn better together: enhancing elearning with emotional characters. In CSCL '05: Proceedings of the 2005 conference on Computer support for collaborative learning, International Society of the Learning Sciences, pp. 408-417.
25. Mayer, R. E. Multimedia Learning. New York Cambridge University Press, 2001.
26. Microsoft. Recognizing phishing scams and fraudulent emails. Retrieved Oct 15, 2006. http://www.microsoft.com/athome/security/email/phishing.mspx.
27. MillerSmiles.co.uk phishing archive. Retrieved April 15, 2006. http://www.millersmiles.co.uk/
28. Moreno, R., Mayer, R. E., Spires, H. A., and Lester, J. C. 2001. The case for social agency in computer-based teaching: Do students learn more deeply when they interact with animated pedagogical agents? Cognition and Instruction 19, 2, 177 - 213.
29. MySecureCyberspace. Uniform Resource Locator (IRL). Retrieved Oct 15, 2006. http://www.mysecurecyberspace.com/encyclopedia/index/uniform-resource- locator-url-.html.
30. New York State Office of Cyber Security & Critical Infrastructure Coordination. Gone Phishing... A Briefing on the Anti-Phishing Exercise Initiative for New York State Government. Aggregate Exercise Results for public release.
31. Quinn, C. N. 2005. Engaging Learning: Designing e-Learning Simulation Games. Pfeiffer.
32. Repenning, A., and Lewis, C. Playing a game: The ecology of designing, building and testing games as educational activities. In ED-Media, World Conference on Educational Multimedia, Hypermedia & Telecommunications (2005), Association for the Advancement of Computing in Education.
33. Schneier, B. 2000. Semantic Attacks: The Third Wave of Network. Attacks. Crypto-Gram Newsletter. Retrieved Sep 2, 2006, http://www.schneier.com/ crypto-gram-0010.html#1.
34. Wu, M. Fighting Phishing at the User Interface. 2006. MIT PhD. thesis. http://groups.csail.mit.edu/uid/projects/phishing/minwuthesis.pdf.
35. Wu, M., Miller R. C. and Little, G. 2006. Web Wallet: Preventing Phishing Attacks By Revealing User Intentions. In Proceedings of the Second Symposium on Usable Privacy and Security (Pittsburgh, Pennsylvania, July 12 - 14, 2006). SOUPS '06, vol. 149. ACM Press, New York, NY, 79-90. DOI= http://doi.acm.org/10.1145/1143120.1143133.
36. Wu, M., Miller, R. C., and Garfinkel, S. L. 2006. Do security toolbars actually prevent phishing attacks?. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (Montréal, Québec, Canada, April 22 - 27, 2006). R. Grinter, T. Rodden, P. Aoki, E. Cutrell, R. Jeffries, and G. Olson, Eds. CHI '06. ACM Press, New York, NY, 601-610. DOI= http://doi.acm.org/10.1145/1124772.1124863
37. Ye, Z. and S. Smith. 2002. Trusted Paths for Browsers. In Proceedings of the 11th USENIX Security Symposium. pp. 263 - 279. USENIX Association. Berkeley, CA, USA.
38. Yee, K. P. and Sitaker K. 2006. PassPet: Convenient Password Management And Phishing Protection. In Proceedings of the Second Symposium on Usable Privacy and Security (Pittsburgh, Pennsylvania, July 12 - 14, 2006). SOUPS '06, vol. 149. ACM Press, New York, NY, 79-90. DOI= http://doi.acm.org/10.1145/ 1143120.1143126.
39. Zhang, Y., S. Egelman, L. Cranor, and J. Hong. 2007. Phinding Phish: Evaluating Anti-Phishing Tools. In Proceedings of the 14th Annual Network and Distributed System Security Symposium (NDSS 2007), San Diego, CA, 28 February -2 March, 2007.
40. Zhang, Y., J. Hong., and L. Cranor, and 2007. CANTINA: a Content-Based Approach to Detecting Phishing Websites. In Proceedings of the 16th International World Wide Web Conference (WWW2007), Banff, Alberta, Canada, May 8-12, 2007