
PhishGuru: A System for Educating Users about Semantic Attacks

Online security attacks are a growing concern among Internet users. The Internet community currently faces three types of security attack: physical, syntactic, and semantic. Semantic attacks exploit the way humans interact with computers or interpret messages. There are three major approaches to countering semantic attacks: silently eliminating the attacks, warning users about them, and training users not to fall for them. Existing methods for silently eliminating attacks and for warning users are unlikely to perform flawlessly, and since users are the weakest link in these attacks, user training must complement the other methods.

The goal of my thesis is to show that computer users trained with an embedded training system grounded in the principles of learning science are able to make more accurate online trust decisions than users who read traditional security training materials distributed via email or posted online. To achieve this goal, I focus on "phishing," a type of semantic attack. I have developed a system called "PhishGuru" based on embedded training methodology and learning science principles. Embedded training is a methodology in which training materials are integrated into the primary tasks users perform in their day-to-day lives. In contrast to existing training methodologies, PhishGuru delivers training materials by email at the moment (the "teachable moment") users actually fall for a phishing attack.

I evaluated the embedded training methodology through laboratory and field studies. Real-world experiments showed that people trained with PhishGuru retain knowledge even after 28 days. PhishGuru training does not decrease users’ willingness to click on links in legitimate messages. The design principles established in this thesis will help researchers to develop systems that can train users in other risky online situations.

PhishGuru is also being used in a real-world implementation of the Anti-Phishing Working Group Landing Page initiative. PhishGuru is currently being commercialized by Wombat Security Technologies.



1. CyLab Usable Privacy and Security Laboratory, http://cups.cs.cmu.edu/ (http://www.cs.cmu.edu/~ponguru)
   PhishGuru: A System for Educating Users about Semantic Attacks
   Committee members: Lorrie Cranor (Chair), Jason Hong, Vincent Aleven, Rahul Tongia, Alessandro Acquisti
   Ponnurangam Kumaraguru, Computation, Organizations and Society, School of Computer Science
2. eBay: Urgent Notification From Billing Department

3. We regret to inform you that your eBay account could be suspended if you don't re-update your account information.

4. https://signin.ebay.com/ws/eBayISAPI.dll?SignIn&sid=verify&co_partnerid=2&sidteid=0

5. http://www.kusi.org/hcr/eBay/ws23/eBayISAPI.htm
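Slides 2 to 5 show the motivating case: a message that claims to come from eBay, the legitimate sign-in URL on signin.ebay.com, and a link on www.kusi.org whose path merely contains the word "eBay". The lesson PhishGuru teaches is that the decision rests on the host of the URL, not on brand words elsewhere in it. The following is an added example written for this page, not code from the talk or from PhishGuru, that turns that lesson into a checker and runs it on the two URLs from the slides. The brand-to-domain table, the small multi-label suffix list (a stand-in for the public-suffix list) and the cue wording are assumptions made for the example.

```python
"""URL cue checker: judge a link by its host, not by brand words in it.

Added example for the PhishGuru slides; not the project's code.  BRAND_DOMAINS
and MULTI_LABEL_SUFFIXES are assumptions made for the example.
"""
from urllib.parse import urlsplit
import ipaddress

# Assumed for this example: domains each brand actually owns (illustrative).
BRAND_DOMAINS = {
    "ebay": {"ebay.com"},
    "amazon": {"amazon.com"},
}

# Assumed stand-in for the public-suffix list; a real checker uses the full list.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "com.br"}


def registrable_domain(host: str) -> str:
    """The part of the host its registrant controls: 'kusi.org' for
    'www.kusi.org', 'ebay.co.uk' for 'signin.ebay.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def analyze_url(url: str, claimed_brand: str) -> dict:
    """Return the cues a trained user would notice for a link that claims to
    come from `claimed_brand`.  The judgement rests on the host alone."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    brand = claimed_brand.lower()
    owned = BRAND_DOMAINS.get(brand, set())
    cues = []

    try:
        ipaddress.ip_address(host)
        owner = host
        cues.append("host is a bare IP address")
    except ValueError:
        owner = registrable_domain(host)

    if owner not in owned:
        cues.append(f"host {host!r} does not belong to {claimed_brand}")
        # Brand words placed in a subdomain or in the path are the classic decoy.
        if brand in host or brand in parts.path.lower():
            cues.append(f"'{claimed_brand}' appears in the URL but not as its domain")
    if "@" in parts.netloc:
        cues.append("userinfo before '@' hides the real host")
    if parts.scheme != "https":
        cues.append("login page offered without https")

    return {"host": host, "owner": owner, "cues": cues, "suspicious": bool(cues)}


# The two URLs from the eBay slides.
SHOWN_LINK = "https://signin.ebay.com/ws/eBayISAPI.dll?SignIn&sid=verify&co_partnerid=2&sidteid=0"
ACTUAL_LINK = "http://www.kusi.org/hcr/eBay/ws23/eBayISAPI.htm"

if __name__ == "__main__":
    for link in (SHOWN_LINK, ACTUAL_LINK):
        print(link, analyze_url(link, "eBay"))
```

Run as a script it reports no cues for the signin.ebay.com link and three for the kusi.org one (wrong owner, brand word outside the domain, no https). The same host-first rule is what Anti-Phishing Phil drills later in the talk; the function generalizes it to IP-address hosts and userinfo tricks that the slides do not show.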

6. Phishing works
   • 73 million US adults received more than 50 phishing emails each in the year 2005
   • Gartner estimated 3.6 million adults lost $3.2 billion in phishing attacks in 2007
   • Financial institutions and the military are also victims
   • Corporate espionage

7. Why phishing works
   • Phishers take advantage of Internet users' trust in legitimate organizations
   • Lack of computer and security knowledge [Dhamija et al.]
   • People don't use good strategies to protect themselves [Downs et al.]

8. Anti-phishing strategies
   • Silently eliminate the threat
     – Find and take down phishing web sites
     – Detect and delete phishing emails
   • Warn users about the threat
     – Anti-phishing toolbars and web browser features
   • Train users not to fall for attacks

9. Thesis statement
   Computer users trained using an embedded training system grounded in learning science are able to make more accurate online trust decisions than those who read traditional security training materials distributed via email or posted on web sites.

10. How do we get people trained?
   • Problem
     – Existing materials are good, but could be better
     – Most people don't proactively look for security training materials
     – "Security notice" emails sent to employees and/or customers tend to be ignored
       • Too much to read
       • People don't consider them relevant
   • Solution
     – Find a "teachable moment": PhishGuru
     – Make training fun: Anti-Phishing Phil
     – Use learning science principles


12. My contributions
   • Real-world impact
     – APWG landing page viewed 500 times a day
     – Anti-Phishing Phil played over 100,000 times
   • Theoretical
     – Users can be trained to make better online trust decisions if training materials are
       • embedded (during their regular use of email)
       • delivered in a fun and interactive manner

13. My contributions
   • Artifacts
     – Design and evaluation
       • PhishGuru interventions
       • Anti-Phishing Phil game
   • Experimental
     – A user study design and methodology that can be used to test anti-phishing training solutions
       • Laboratory
       • Real-world

14. Outline
   • Design and evaluation of PhishGuru interventions
   • Evaluation of the PhishGuru system
     – Laboratory
     – Real-world
   • Anti-Phishing Working Group landing page
   • Anti-Phishing Phil
   • Remarks

15. Approaches for training
   • Posting articles
     – FTC, Microsoft, …
   • Phishing IQ tests
     – MailFrontier, …
   • Classroom training
     – Robila et al.
   • Security notices

16. User education is challenging
   • For most users, security is a secondary task [Whitten et al.]
   • Users are not motivated to learn about security and privacy [Anton et al.]
   • It is difficult to teach people to make the right online trust decision without increasing their false positive errors [Anandpara et al.]

17. Is user education possible?
   • Security education "puts the burden on the wrong shoulder." [Nielsen, J. 2004. User education is not the answer to security problems. http://www.useit.com/alertbox/20041025.html]
   • "Security user education is a myth." [Gorling, S. 2006. The myth of user education. In Proceedings of the 16th Virus Bulletin International Conference.]
   • "User education is a complete waste of time. It is about as much use as nailing jelly to a wall…. They are not interested…they just want to do their job." [Martin Overton, a U.K.-based security specialist at IBM, quoted in http://news.cnet.com/2100-7350_3-6125213-2.html]


19. Web site training study
   • Laboratory study of 28 non-expert computer users
   • Control group: evaluate 10 sites, 15 minute break to read email or play solitaire, evaluate 10 more sites
   • Experimental group: evaluate 10 sites, 15 minutes to read web-based training materials, evaluate 10 more sites
   • Experimental group performed significantly better at identifying phish after training
     – But they had more false positives
   • People can learn from web-based training materials, if only we could get them to read them!
   P. Kumaraguru, S. Sheng, A. Acquisti, L. Cranor, and J. Hong. Teaching Johnny Not to Fall for Phish. CyLab Technical Report CMU-CyLab-07-003, 2007.

20. PhishGuru

21. PhishGuru embedded training
   • Can we "train" people during their normal use of email to avoid phishing attacks?
     – Periodically, people receive a training email
     – The training email looks like a phishing attack
     – If a person falls for it, the intervention warns them and highlights what cues to look for, in a succinct and engaging format
   • Motivating users: the "teachable moment"
   • Applies learning science principles for designing training interventions

22. Subject: Revision to Your Amazon.com Information

23. Subject: Revision to Your Amazon.com Information
   Please login and enter your information
   http://www.amazon.com/exec/obidos/sign-in.html

24. Design rationale
   • Paper and HTML prototypes
   • One-page constraint
   • Analyzed instructions from the most popular websites
   • Present the training materials when users click on the link

25. Applies the learning-by-doing and immediate feedback principles

26. Applies the story-based agent principle

27. Applies the contiguity principle; presents procedural knowledge

28. Applies the personalization principle; presents conceptual knowledge

29. Iterations

30. First intervention

31. Intervention: eBay

32. Focus group studies
   • One with the 18–55 age group and another with the over-65 age group
   • All age groups will read the interventions
   • Everybody liked the goldfish and the comic strip format
   • Participants did not like the phisher character


33. Outline (repeated; next section: Evaluation of the PhishGuru system, laboratory and real-world)


34. First lab study results
   • Security notices are an ineffective medium for training users
   • Users educated with embedded training make better decisions than those sent security notices
   Kumaraguru, P., Rhee, Y., Acquisti, A., Cranor, L. F., Hong, J., and Nunge, E. Protecting people from phishing: the design and evaluation of an embedded training email system. CHI '07, pp. 905-914.

35. Second lab study results
   • Users educated with PhishGuru retained knowledge after seven days
   • Users trained with embedded training did better than users trained with non-embedded training
   Kumaraguru, P., Rhee, Y., Sheng, S., Hasan, S., Acquisti, A., Cranor, L. F., and Hong, J. Getting users to pay attention to anti-phishing education: Evaluation of retention and transfer. e-Crime Researchers Summit, Anti-Phishing Working Group (2007).
36. Real-world study: Portuguese ISP
   • PhishGuru is effective in training people in the real world
   • Trained participants retained knowledge 7 days after training
   Kumaraguru, P., Sheng, S., Acquisti, A., Cranor, L. F., and Hong, J. Lessons from a real world evaluation of anti-phishing training. e-Crime Researchers Summit, 2008.

37. Real-world study: CMU
   • Evaluate the effectiveness of PhishGuru training in the real world
   • Investigate retention after 1 week, 2 weeks, and 4 weeks
   • Compare the effectiveness of 2 training messages with the effectiveness of 1 training message
   P. Kumaraguru, J. Cranshaw, A. Acquisti, L. Cranor, J. Hong, M. A. Blair, and T. Pham. School of Phish: A Real-World Evaluation of Anti-Phishing Training. 2009. Under review.

38. Study design
   • Sent email to all CMU students, faculty and staff to recruit participants to opt in to the study
   • 515 participants in three conditions
     – Control
     – One training message
     – Two training messages
   • Emails sent over a 28-day period
     – 7 simulated spear-phishing messages
     – 3 legitimate messages from ISO (cyber security scavenger hunt)
   • Exit survey

39. Implementation
   • Unique hash in the URL for each participant
   • Demographic and department/status data linked to each hash
   • Form does not POST login details
   • Campus help desks and all spoofed departments were notified before messages were sent
sent

40. Study schedule
   Day of the study | Control           | One training message | Two training messages
   Day 0            | Test and real     | Train and real       | Train and real
   Day 2            | Test              | Test                 | Test
   Day 7            | Test and real     | Test and real        | Test and real
   Day 14           | Test              | Test                 | Train
   Day 16           | Test              | Test                 | Test
   Day 21           | Test              | Test                 | Test
   Day 28           | Test and real     | Test and real        | Test and real
   Day 35           | Post-study survey | Post-study survey    | Post-study survey
   ("Test": simulated spear-phishing message; "Train": PhishGuru training message; "real": legitimate ISO message)


41. Simulated spear phishing message
   • URL is not hidden
   • Plain text email without graphics

42. Simulated phishing website
   http://andrewwebmail.org/password/change.htm?ID=9009

43. Simulated phishing website
   http://andrewwebmail.org/password/thankyou.html?ID=9009

44. PhishGuru intervention

45. Effect of PhishGuru
   Condition | N   | % who clicked on Day 0 | % who clicked on Day 28
   Control   | 172 | 52.3                   | 44.2
   Trained   | 343 | 48.4                   | 24.5

46. Results conditioned on participants who clicked on day 0
   [Figure: percentage who only clicked vs. clicked and gave information, by condition (Control N = 90, One-train N = 89, Two-train N = 77), on days 2, 7, 14, 16, 21 and 28]
   • Trained participants less likely to fall for phish

47. Results conditioned on participants who clicked on day 0
   [Figure: same plot as slide 46]
   • Trained participants less likely to fall for phish
   • Trained participants remember what they learned 28 days later

48. Results conditioned on participants who clicked on day 0 and day 14
   [Figure: percentage who only clicked vs. clicked and gave information, by condition (Control N = 54, One-train N = 35, Two-train N = 34), on days 16, 21 and 28]
   • Two-train participants less likely than one-train participants to click on days 16 and 21

49. Results conditioned on participants who clicked on day 0 and day 14
   [Figure: same plot as slide 48]
   • Two-train participants less likely than one-train participants to click on days 16 and 21
   • Two-train participants less likely than one-train participants to provide information on day 28

50. Legitimate emails
   Condition | N  | Day 0 clicked % | Day 7 clicked % | Day 28 clicked %
   Control   | 90 | 50.0            | 41.1            | 38.9
   One-train | 89 | 39.3            | 42.7            | 32.3
   Two-train | 77 | 48.1            | 44.2            | 35.1
   • No difference between the three conditions on days 0, 7, and 28


51. Legitimate emails
   (same table as slide 50)
   • No difference between the three conditions on days 0, 7, and 28
   • No difference within the three conditions for the three emails

52. Most participants liked training, wanted more
   • 280 complete post-study responses
   • 80% recommended that CMU continue PhishGuru training
     – "I really liked the idea of sending CMU students fake phishing emails and then saying to them, essentially, HEY! You could've just gotten scammed! You should be more careful - here's how...."
     – "I think the idea of using something fun, like a cartoon, to teach people about a serious subject is awesome!"

53. Summary from this study
   • People trained with PhishGuru were less likely to click on phishing links than those not trained
   • People retained their training for 28 days
   • Two training messages are better than one
   • PhishGuru training does not make people less likely to click on legitimate links

54. Summary of studies
   Lab study I
     • Security notices are ineffective
     • Users educated with PhishGuru made better decisions
   Lab study II
     • Users in the embedded condition retain and transfer knowledge more effectively than other conditions, even after 7 days
   Real-world study I
     • PhishGuru is effective in training people in the real world
     • Trained participants retained knowledge 7 days after training
   Real-world study II
     • People trained with PhishGuru were less likely to click on phishing links than those not trained
     • People retained their training for 28 days
     • Two training messages are better than one
     • PhishGuru training does not make people less likely to click on legitimate links

55. Outline (repeated; next section: Anti-Phishing Working Group landing page)

56. Current situation
   [Diagram: phishing sites identified; phishing sites taken down; consumers still click on the links]

57. APWG landing page
   [Diagram: same flow, with the APWG landing page served to consumers who click on links to taken-down phishing sites]

58. Implementation and results
   • http://education.apwg.org
   • Collect and analyze log files
   • Add the phishing URL to the HTTP request
   • Being translated into 15 languages
   • 56,699 teachable moments
   • Phishing emails
     – are still traditional
     – have a lot of formatting and grammatical errors
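The slide's "collect and analyze log files" and "add the phishing URL in the HTTP request" describe how the landing page measures teachable moments: the redirect from a taken-down site carries the original phishing URL, so the web server log records which campaign each visitor fell for. The following is an added example written for this page, not APWG's or the talk's code, that parses a handful of constructed Combined Log Format lines for such a landing page and counts teachable moments by phishing host and by day. The parameter name "url", the landing path "/r/", the hostnames and the log lines themselves are all constructed for the example.

```python
"""Counting teachable moments from a landing-page access log.

Added example for the APWG landing page slide; not APWG's or the talk's code.
The log lines, the 'url' parameter, the '/r/' path and the hostnames are
constructed for this example (documentation address ranges and .example names).
"""
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed Combined Log Format lines for a landing page like education.apwg.org.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2009:10:02:11 +0000] "GET /r/?url=http%3A%2F%2Fwww.kusi.example%2Fhcr%2FeBay%2Fws23%2FeBayISAPI.htm HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [12/Mar/2009:10:05:42 +0000] "GET /r/?url=http%3A%2F%2Fwww.kusi.example%2Fhcr%2FeBay%2Fws23%2FeBayISAPI.htm HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2009:11:15:03 +0000] "GET /r/?url=http%3A%2F%2Faccounts-verify.example%2Famazon%2Fsignin HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.8 - - [12/Mar/2009:11:16:30 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.9 - - [13/Mar/2009:09:00:00 +0000] "GET /r/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Client address, day part of the timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>[^:]+):[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')


def parse_line(line: str):
    """One log line -> dict, or None if it is not a request line we understand.
    The phishing URL travels percent-encoded in the 'url' query parameter;
    parse_qs decodes it once."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m.group("target"))
    phish = parse_qs(target.query).get("url", [None])[0]
    return {"ip": m.group("ip"), "day": m.group("day"), "path": target.path,
            "status": int(m.group("status")), "phish_url": phish}


def teachable_moments(log_text: str, landing_path: str = "/r/") -> dict:
    """A teachable moment is a successful hit on the landing page that carries
    the original phishing URL.  Hits on the page without a URL are counted
    separately: they are visits the takedown cannot attribute to a campaign."""
    by_host, by_day, unattributed = Counter(), Counter(), 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["path"] != landing_path or rec["status"] != 200:
            continue
        if rec["phish_url"] is None:
            unattributed += 1
            continue
        by_host[urlsplit(rec["phish_url"]).hostname] += 1
        by_day[rec["day"]] += 1
    return {"total": sum(by_host.values()), "by_host": by_host,
            "by_day": by_day, "unattributed": unattributed}


if __name__ == "__main__":
    print(teachable_moments(SAMPLE_LOG))
```

On the constructed log this yields three teachable moments (two for the kusi.example campaign, one for accounts-verify.example), all on 12 March, plus one unattributed hit; the favicon request is ignored because it is not the landing path. Grouping by the phishing host is what lets the landing page report which campaigns still draw clicks after takedown.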


59. Outline (repeated; next section: Anti-Phishing Phil)

60. Anti-Phishing Phil
   • Online game
   • http://wombatsecurity.com/antiphishingphil
   • Teaches people how to protect themselves from phishing attacks
     – identify phishing URLs
     – use web browser cues
     – find legitimate sites with search engines
   S. Sheng, B. Magnien, P. Kumaraguru, A. Acquisti, L. Cranor, J. Hong, and E. Nunge. Anti-Phishing Phil: The Design and Evaluation of a Game That Teaches People Not to Fall for Phish. In Proceedings of the 2007 Symposium On Usable Privacy and Security, Pittsburgh, PA, July 18-20, 2007.


62. Outline (repeated; next section: Remarks)

63. Security user education is possible
   • Conventional wisdom: end-user security education does not work
   • My work shows: you can teach Johnny not to fall for phish
   • Aim to reduce computer security threats through technology and enforcement
   • Complement these efforts with user education

64. Design principles
   • Integrate security education into users' primary tasks
   • Apply instructional design principles to interventions
     – Comic strip format
     – Fun and interactive
     – Story format
   • Format instructions as a list of actionable items
   • Make training repetitive
   • Keep training messages short and simple

65. My research contributions
   • Privacy and security
     – Users can be educated
     – Methodology for solving phishing
   • Learning science
     – Applying it to privacy and security
     – Development of embedded training
   • Human-computer interaction
     – Designing instructional materials
     – Understanding users' strategies

66. Research to reality
   • PhishGuru commercialized (Wombat Security Technologies)
   • Co-founded by faculty at CMU
     – Dr. Lorrie Cranor
     – Dr. Jason Hong
     – Dr. Norman Sadeh


67. Future work
   • Applying embedded training in other scenarios
   • Testing other media for training
   • Studying longer retention and the effect of more training

68. Acknowledgements
   • Members of the Supporting Trust Decisions research group
   • Members of the CyLab Usable Privacy and Security Laboratory
   • Members of the COS Ph.D. program, ISO, APWG
   • Supported by NSF, ARO, CyLab, ISP in Portugal
69. http://phishguru.org/ Learn how to protect yourself from phishing attacks.
