Anti-Phishing Phil: The Design and Evaluation of a Game That Teaches People Not to Fall for Phish
 


Slides from 2007 on the design and evaluation of Anti-Phishing Phil, a game that teaches people how to avoid phishing attacks.

In this paper we describe the design and evaluation of Anti-Phishing Phil, an online game that teaches users good habits to help them avoid phishing attacks. We used learning science principles to design and iteratively refine the game. We evaluated the game through a user study: participants were tested on their ability to identify fraudulent web sites before and after spending 15 minutes engaged in one of three anti-phishing training activities (playing the game, reading an anti-phishing tutorial we created based on the game, or reading existing online training materials). We found that the participants who played the game were better able to identify fraudulent web sites compared to the participants in other conditions. We attribute these effects to both the content of the training messages presented in the game as well as the presentation of these materials in an interactive game format. Our results confirm that games can be an effective way of educating people about phishing and other security attacks.

Authors are Steve Sheng, Bryant Magnien, Ponnurangam Kumaraguru, Alessandro Acquisti, Lorrie Cranor, Jason Hong, and Elizabeth Nunge

  • Good afternoon everyone. I am Steve Sheng from Carnegie Mellon University, and I am part of the CUPS lab at CMU. Today, I will be talking about some of the work that we did at the CUPS lab in order to find solutions to train users about phishing attacks. The work that I will be presenting today was jointly done with Bryant Magnien, Ponguru Kumaraguru, Alessandro Acquisti, Lorrie Cranor, Jason Hong and Elizabeth Nunge.
  • Educating users has some constraints. The first constraint is that security is a secondary task: people are not visiting a website to look at its security features; they go to the website to complete transactions. Another constraint is that people like learning by doing; they don’t like to sit down and read training materials. Education is more effective when users learn by doing rather than by learning from classroom instructions.
  • The scene is the sea. We have a small fish called Phil; her job is to eat all the worms.
  • So today, Phil swims by a worm; the worm is identified by a URL. A good worm is a legitimate URL, whereas a bad worm is a bait dropped by the phishers.
  • Phil needs to score 6/8 to move on to the next round, and at the end of the round, Phil gets a chance to reflect on what he missed.
  • In between rounds, we also have short tutorials to teach Phil better strategies to identify phishing. In this example, Phil’s father teaches Phil how to use a search engine.
  • The study was a think-aloud study that lasts 45-60 mins. We carefully recruited non-experts using three specific questions; the definition of non-expert is the same as in the previous study that I mentioned. It aimed at testing the participants’ ability to identify phishing websites. We presented them 10 websites before training, followed by a 15 minute break where users perform one of the three tasks: they read web-based phishing education, they read the game tutorial, or they played the game. Users are randomly assigned to each of the conditions. There are fourteen non-expert participants in each condition, for a total of 42 participants.
  • All of them are statistically significant; there is no statistical difference between them in either pre test or post test.
  • They are statistically different.
  • To summarize: no significant difference in false negatives among the three groups; game group performed best in false positives; game condition performed best in total correctness; effect between the tutorial and the game conditions not statistically significant. The next question we want to answer is whether the increase in performance is due to learning or raising awareness.
  • http://www.pcworld.com/article/id,137868-c,cybercrime/article.html
    http://www.news.com/8301-10784_3-9787549-7.html?tag=nefd.only
    http://www.cbc.ca/technology/story/2007/09/26/phil-phish.html
    http://www.pcpro.co.uk/news/126386/phishers-caught-hook-line-and-sinker.html
    http://www.businessweek.com/the_thread/blogspotting/archives/2007/09/play_with_anti-.html
