Online security attacks are a growing concern among Internet users. Currently, the Internet community faces three types of security attacks: physical, syntactic, and semantic. Semantic attacks take advantage of the way humans interact with computers or interpret messages. There are three major approaches to countering semantic attacks: silently eliminating the attacks, warning users about the attacks, and training users not to fall for the attacks. The existing methods for silently eliminating attacks and warning users about them are unlikely to perform flawlessly, and since users are the weakest link in these attacks, it is essential that user training complement the other two approaches.
The goal of my thesis is to show that computer users trained with an embedded training system, one grounded in the principles of learning science, are able to make more accurate online trust decisions than users who read traditional security training materials, which are distributed via email or posted online. To achieve this goal, I focus on “phishing,” a type of semantic attack. I have developed a system called “PhishGuru” based on the embedded training methodology and learning science principles. Embedded training is a methodology in which training materials are integrated into the primary tasks users perform in their day-to-day lives. In contrast to existing training methodologies, PhishGuru delivers training materials through email at the moment (the “teachable moment”) users actually fall for a simulated phishing attack: the link in the simulated message resolves to a training page rather than to a fake login form.
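To make the mechanics of embedded training concrete, here is an added example of a minimal simulated-phishing campaign; it is constructed for this page and is not PhishGuru's own code. Each recipient gets an unguessable per-recipient link token (an HMAC over a campaign secret, an assumption of this example, so one user cannot forge another user's token); clicking the link is the teachable moment, so the handler serves the training page instead of a credential form and records the click; a second campaign later lets you compare fall-for rates. The user names, message text and click behaviour are constructed sample data.

```python
"""Minimal embedded-training flow (constructed example, not PhishGuru code).

A simulated phishing email carries a per-recipient link; clicking it is the
teachable moment, so the link resolves to a training page instead of a fake
login form, and the click is recorded for the campaign's fall-for rate.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Training intervention shown at the teachable moment (constructed text).
TRAINING_PAGE = (
    "You just clicked a link in a simulated phishing email. "
    "Check the sender address and hover over links before clicking."
)
GENERIC_PAGE = "Nothing to see here."  # served for unknown or forged tokens


@dataclass
class Campaign:
    campaign_id: str
    # Per-campaign secret (assumption of this example): tokens are HMACs over
    # it, so a recipient cannot derive another recipient's token from their own.
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    tokens: dict = field(default_factory=dict)   # token -> recipient
    clicked: dict = field(default_factory=dict)  # recipient -> click count

    def token_for(self, recipient: str) -> str:
        msg = f"{self.campaign_id}|{recipient}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def send(self, recipients, base_url="https://training.example/c/"):
        """'Send' one simulated phishing email per recipient.

        Returns the message bodies so the caller can see what each user got;
        a real deployment would hand these to a mail server.
        """
        mails = {}
        for r in recipients:
            token = self.token_for(r)
            self.tokens[token] = r
            self.clicked[r] = 0
            mails[r] = (
                "From: IT Help Desk <helpdesk@exarnple.com>\n"  # look-alike domain
                f"Your password expires today. Renew at {base_url}{token}"
            )
        return mails

    def handle_click(self, token: str) -> str:
        """Landing-page handler: the teachable moment.

        A valid token means this recipient fell for the simulated message, so
        record it and show training. Unknown tokens get a generic page and
        are not counted, so guessing cannot inflate the numbers.
        """
        recipient = self.tokens.get(token)
        if recipient is None:
            return GENERIC_PAGE
        self.clicked[recipient] += 1
        return TRAINING_PAGE

    def fall_rate(self) -> float:
        """Fraction of recipients who clicked at least once."""
        if not self.clicked:
            return 0.0
        fell = sum(1 for n in self.clicked.values() if n > 0)
        return fell / len(self.clicked)


def run_demo():
    """Two campaigns on the same users; returns (pre, post) fall-for rates."""
    users = ["alice", "bob", "carol", "dave"]
    pre = Campaign("week0")
    pre.send(users)
    # Constructed behaviour: three of four users click before any training.
    for u in ["alice", "bob", "carol"]:
        pre.handle_click(pre.token_for(u))
    post = Campaign("week4")  # follow-up campaign to check retention
    post.send(users)
    post.handle_click(post.token_for("bob"))  # only one user still falls
    return pre.fall_rate(), post.fall_rate()


if __name__ == "__main__":
    print(run_demo())
```

The split between `send` and `handle_click` mirrors what a campaign needs in practice: the link must identify the recipient without being guessable, and the landing page must count only genuine clicks. Measuring retention, as the thesis does, is then just running a second campaign against the same population after a delay and comparing `fall_rate()`.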
I evaluated the embedded training methodology through laboratory and field studies. Real-world experiments showed that people trained with PhishGuru retain knowledge even after 28 days. PhishGuru training does not decrease users’ willingness to click on links in legitimate messages. The design principles established in this thesis will help researchers to develop systems that can train users in other risky online situations.
PhishGuru is also being used in a real-world implementation of the Anti-Phishing Working Group Landing Page initiative. PhishGuru is currently being commercialized by Wombat Security Technologies.