Page 1
CMU Usable Privacy and Security Laboratory, http://cups.cs.cmu.edu/
Protecting People from Phishing: The Design and Evaluation of an Embedded Training Email System
P. Kumaraguru, Y. Rhee, A. Acquisti, L. Cranor, J. Hong, E. Nunge
Page 2
Phishing email
Page 3
Phishing email
Subject: eBay: Urgent Notification From Billing Department
Page 4
Phishing email
We regret to inform you that you eBay account could be suspended if you don’t update your account information.
Page 5
Phishing email
https://signin.ebay.com/ws/eBayISAPI.dll?SignIn&sid=verify&co_partnerid=2&sidteid=0
Page 6
Phishing website
Page 7
• CMU Usable Privacy and Security Laboratory • http://www.cs.cmu.edu/~ponguru 7
What is phishing?
Phishing is “a broadly launched social engineering attack in which an electronic identity is misrepresented in an attempt to trick individuals into revealing personal credentials that can be used fraudulently against them.”
Financial Services Technology Consortium. Understanding and countering the phishing threat: A financial services industry perspective. 2005.
Page 8
Phishing is growing
• 73 million US adults received more than 50 phishing emails a year in 2005
• Gartner found that approx. 30% of users changed their online banking behavior because of attacks like phishing in 2006
• Gartner predicted a $2.8 billion loss in 2006
Page 9
Why is phishing a hard problem?
• Semantic attacks take advantage of the way humans interact with computers
• Phishing is one type of semantic attack
• Phishers make use of the trust that users have in legitimate organizations
Page 10
Countermeasures for phishing
Silently eliminating the threat
• Regulatory & policy solutions
• Email filtering (SpamAssassin)
Warning users about the threat
• Toolbars (SpoofGuard, TrustBar)
Training users not to fall for attacks
Page 11
Why is user education hard?
• Security is a secondary task (Whitten et al.)
• Users are not motivated to read privacy policies (Anton et al.)
• Reading existing online training materials creates concern among users (Anandpara et al.)
Page 12
Our hypotheses
• Security notices are an ineffective medium for training users
• Users make better decisions when trained by the embedded methodology compared to security notices
Page 13
Design constraints
• People don’t proactively read the training materials on the web
• Organizations send “security notices” to train users, and people don’t read security notices
• People can learn from web-based training materials, if only we could get people to read them! (Kumaraguru, 2006)
P. Kumaraguru, S. Sheng, A. Acquisti, L. Cranor, and J. Hong. Teaching Johnny Not to Fall for Phish. Tech. rep., Carnegie Mellon University, 2007. http://www.cylab.cmu.edu/files/cmucylab07003.pdf.
Page 14
Embedded training
• We know people fall for phishing emails
• So make training available through the phishing emails
• Training materials are presented when the users actually fall for phishing emails
Page 15
Embedded training example
Subject: Revision to Your Amazon.com Information
Page 16
Embedded training example
Subject: Revision to Your Amazon.com Information
Please login and enter your information
http://www.amazon.com/exec/obidos/sign-in.html
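The training email above shows a link whose visible text reads as an Amazon URL, while clicking it leads to the intervention rather than to Amazon. A mail client or gateway sees exactly the cue a phish relies on: an anchor whose text names one host and whose href goes to another. The Python below is an added example, not code from the study, that extracts every anchor from an HTML body and reports such mismatches. The sample message is constructed, and the href host `training.example` is a placeholder, since the page does not give the real target of the slide's link.

```python
"""Flag HTML mail links whose visible text is a URL naming a different host
than the href actually points to. Added example; sample message constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect [href, visible text] pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []       # list of [href, text]
        self._current = None  # the pair being filled while inside an <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]
            self.links.append(self._current)

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._current = None


def _host(url):
    """Lower-cased host of a URL; bare 'www.example.com/...' text is accepted."""
    url = url.strip()
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def _looks_like_url(text):
    return text.startswith(("http://", "https://", "www."))


def mismatched_links(html_body):
    """Return (shown_host, actual_host) for each anchor whose visible text is
    itself a URL that names a different host than the href really points to."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        text = text.strip()
        if not _looks_like_url(text):
            continue          # 'click here' style text cannot mislead this way
        shown, actual = _host(text), _host(href)
        if shown and actual and shown != actual:
            findings.append((shown, actual))
    return findings


# Constructed message modelled on the training email in the slides; the
# href host 'training.example' is a placeholder, not the study's real URL.
SAMPLE_EMAIL = """<html><body>
<p>Please login and enter your information</p>
<p><a href="http://training.example/intervention?mail=16">http://www.amazon.com/exec/obidos/sign-in.html</a></p>
<p>Help: <a href="https://www.amazon.com/help">https://www.amazon.com/help</a></p>
</body></html>"""

if __name__ == "__main__":
    for shown, actual in mismatched_links(SAMPLE_EMAIL):
        print(f"link text shows {shown} but the link goes to {actual}")
```

The check compares full hostnames, so in production you would compare registrable domains (via a public-suffix list) to avoid flagging `signin.ebay.com` against `www.ebay.com`; it is one signal for a filter or toolbar to surface, not a verdict, which is why the slides pair such tooling with training.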
Page 17
Comic strip intervention
Page 18
Design rationale
• What to show in the intervention?
• When to show the intervention?
• Analyzed instructions from the most popular websites
• Paper and HTML prototypes, 7 users each
Lessons learned
• Two designs
• Present the training materials when users click on the link
Page 19
Comic strip intervention
Page 20
Intervention #1 - Comic strip
Page 21
Intervention #1 - Comic strip
Page 22
Intervention #1 - Comic strip
Page 23
Intervention #2 - Graphics and text
Page 24
Study design
• Think-aloud study
• Role play as Bobby Smith: 19 emails, including 2 interventions and 4 phishing emails
• Three conditions: security notices, text / graphics intervention, comic strip intervention
• 10 non-expert participants in each condition, 30 total
Page 25
Intervention #1 - Security notices
Page 26
Intervention #2 - Graphics and text
Page 27
Intervention #3 - Comic strip
Page 28
Figure: the sequence of study emails; legend: Phish, Training, Legitimate, Spam
Page 29
User study - results
• We treated clicking on the link as falling for phishing
• 93% of the users who clicked went ahead and gave personal information
Page 30
User study - results
Chart: percentage of users who clicked on the link (y-axis 0-100) per condition (Notices, Text / Graphics, Comic), for the emails which had a link in them: 3: Phish, 5: Training, 7: Legit, 11: Training, 13: Legit, 14: Phish-N, 16: Phish-N, 17: Phish
Page 31
User study - results
• Significant difference between the security notices and the comic strip group (p-value < 0.05)
• Significant difference between the comic and the text / graphics group (p-value < 0.05)
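With 10 participants per condition, the study's per-condition click rates and a pairwise significance test are the whole analysis. The Python below is an added example of that computation, not the study's own code; the slides do not say which test produced their p-values, so this uses a two-sided Fisher exact test implemented directly, and all click counts are constructed for illustration (the study's actual counts are not on this page).

```python
"""Per-condition click rates and an exact pairwise test for a small
between-subjects study. Added example; counts are constructed, not the study's."""
from fractions import Fraction
from math import comb

# Constructed click log: condition -> one bool per participant, True if that
# participant clicked the link in the phishing email. As in the slides, a
# click is treated as falling for the phish.
CLICKS = {
    "notices":       [True] * 9 + [False] * 1,
    "text_graphics": [True] * 7 + [False] * 3,
    "comic":         [True] * 3 + [False] * 7,
}


def click_rate(clicks):
    """Percentage of participants who clicked (the chart's y-axis)."""
    return 100.0 * sum(clicks) / len(clicks)


def fisher_exact_two_sided(a, b, c, d):
    """Two-sided Fisher exact p-value for the 2x2 table [[a, b], [c, d]]:
    row 1 = condition X (clicked, did not click), row 2 = condition Y.
    Uses exact rationals so the 'at most as likely as observed' comparison
    is not distorted by floating-point rounding of nearly equal terms."""
    row1, row2 = a + b, c + d
    col1, n = a + c, a + b + c + d
    total = comb(n, col1)

    def prob(x):  # hypergeometric probability of x clicks in row 1
        return Fraction(comb(row1, x) * comb(row2, col1 - x), total)

    observed = prob(a)
    lo, hi = max(0, col1 - row2), min(row1, col1)
    p = sum(prob(x) for x in range(lo, hi + 1) if prob(x) <= observed)
    return float(p)


def compare_conditions(x, y, clicks=CLICKS):
    """p-value for the difference in click rate between conditions x and y."""
    cx, cy = clicks[x], clicks[y]
    return fisher_exact_two_sided(sum(cx), len(cx) - sum(cx),
                                  sum(cy), len(cy) - sum(cy))


if __name__ == "__main__":
    for name, log in CLICKS.items():
        print(f"{name:14s} {click_rate(log):5.1f}% clicked")
    print("notices vs comic: p =", round(compare_conditions("notices", "comic"), 4))
```

For the constructed counts, 9 of 10 notices participants versus 3 of 10 comic participants gives p ≈ 0.0198, which is the kind of difference the slide reports as significant at 0.05; with groups this small, a single participant changing behaviour moves the p-value a lot, which is why the ongoing-work slide asks about retention over time rather than resting on one session.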
Page 32
Conclusion
• H1: Security notices are an ineffective medium for training users: Supported
• H2: Users make better decisions when trained by the embedded methodology compared to security notices: Supported
Page 33
Latest comic strip design
Page 34
Ongoing work
Measuring knowledge retention and knowledge transfer
• Knowledge retention is the ability to apply the knowledge gained from one situation to another same or similar situation after a time period
• Knowledge transfer is the ability to transfer the knowledge gained from one situation to another situation after a time period
Is falling for phishing necessary for training?
Page 35
Coming up
WWW 2007
• CANTINA: A Content-Based Approach to Detecting Phishing Web Sites
• Learning to Detect Phishing Emails
Our other research in anti-phishing: http://cups.cs.cmu.edu/trust.php
Symposium On Usable Privacy and Security (SOUPS), July 18 - 20, 2007 at Carnegie Mellon University
Page 36
Acknowledgements
• Members of the Supporting Trust Decision research group
• Members of the CUPS lab
Page 37
CMU Usable Privacy and Security Laboratory
http://cups.cs.cmu.edu/