Wednesday, April 8, 2009

Good SciAm article on Phishing

On a recent flight I had an opportunity to catch up on my reading and found a Scientific American article, How to Foil "Phishing" Scams, to be a good read. For those of you not familiar with the term, phishing has nothing to do with the band Phish; it refers to the malicious practice of sending email to trick people into revealing personal information, usually by directing them to a website masquerading as their bank.

I thought the following point in the article was particularly interesting. Basically, people are more likely to learn from educational material about phishing once they have already fallen for a phishing scam.
With some of these insights in mind, members of my team, Ponnurangam Kumaraguru, Alessandro Acquisti and others, developed a training system called PhishGuru, which delivers antiphishing information after users have fallen for simulated phishing messages. The program incorporates a set of succinct and actionable messages about phishing into short cartoons, wherein a character named PhishGuru teaches would-be victims how to protect themselves. In a series of studies, we demonstrated that when people read the cartoons after falling for the simulated phishing e-mails that we sent to them, they were much less likely to fall for subsequent attacks. Even a week later our test subjects retained what they had learned. In contrast, those who read the PhishGuru cartoons sent to them by e-mail, without experiencing a simulated attack, were very likely to fall for subsequent attacks.
The article then goes on to describe attempts to create training that simulates being phished, in the hope of triggering the same increased readiness to learn without the consequences of first falling for a real phishing scheme.

I think this pattern is typical across security education: until someone has been harmed by a security failure, they see no motivation to improve things, whether by learning or by other means. Perhaps the idea of incorporating simulation into security training to trigger this response could be applied to other aspects of security as well?
