Human risk factors in cybersecurity
Experimental assessment of an academic human attack surface
This article presents an experimental analysis of several cybersecurity risks affecting the human attack surface of Fairmont State University, a mid-size state university. We consider two social engineering experiments: a phishing email barrage and a targeted spearphishing campaign. In the phishing experiment, a total of 4,769 students, faculty, and staff on campus were targeted by 90,000 phishing emails. Throughout these experiments, we explored the effectiveness of three types of phishing awareness training. Our results show that phishing emails that make it through IT's defenses pose a clear and present threat to large educational organizations. Moreover, we found that simple, visual, instructional guides are more effective training tools than long documents or interactive training.
Article outline
- 1. Introduction
- 2. Related work
- 3. Methodology
- 3.1 Phishing emails
- 3.1.1 Structural overview
- 3.1.2 Phishing email design
- 3.1.3 Training types
- 3.1.4 Data collection
- 3.2 Spearphishing
- 3.2.1 Survey overview
- 3.2.2 Data collection
- 3.3 IRB approval process
- 4. Results
- 4.1 Response analysis (Research Question 1)
- 4.2 Effectiveness of training (Research Question 2)
- 4.3 Time of day analysis (Research Question 3)
- 4.4 Effectiveness of warning emails (Research Question 4)
- 5. Conclusion
- Acknowledgements
- Note
Cited by (1)
Vrhovec, Simon, Blaž Markelj & Yaman Roumani (2024). We need to aim at the top: Factors associated with cybersecurity awareness of cyber and information security decision-makers. PLOS ONE 19(10): e0312266.
This list is based on CrossRef data as of 20 November 2024 and may not be complete.