Anti-Phishing Phil: The Design and Evaluation of a Game That Teaches People Not to Fall for Phish

•Download as PPT, PDF•

0 likes•280 views

Slides from 2007 on the design and evaluation of Anti-Phishing Phil, a game that teaches people how to avoid phishing attacks. In this paper we describe the design and evaluation of Anti-Phishing Phil, an online game that teaches users good habits to help them avoid phishing attacks. We used learning science principles to design and iteratively refine the game. We evaluated the game through a user study: participants were tested on their ability to identify fraudulent web sites before and after spending 15 minutes engaged in one of three anti-phishing training activities (playing the game, reading an anti-phishing tutorial we created based on the game, or reading existing online training materials). We found that the participants who played the game were better able to identify fraudulent web sites compared to the participants in other conditions. We attribute these effects to both the content of the training messages presented in the game as well as the presentation of these materials in an interactive game format. Our results confirm that games can be an effective way of educating people about phishing and other security attacks. Authors are Steve Sheng, Bryant Magnien, Ponnurangam Kumaraguru, Alessandro Acquisti, Lorrie Cranor, Jason Hong, and Elizabeth Nunge

Technology News & Politics

CMU Usable Privacy and Security Laboratory
http://cups.cs.cmu.edu/
Anti-Phishing Phil
The Design and Evaluation of a
Game That Teaches People Not to
Fall for Phish
S. Sheng, B. Maginien, P. Kumaraguru,
A. Acquisti, L. Cranor, J. Hong, E. Nunge

• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
 Online game
• http://cups.cs.cmu.edu/antiphishing_phil/
 Teaches people how to protect
themselves from phishing attacks
• Identify phishing URLs
• Use web browser cues
• Find legitimate sites with search engines
Anti-Phishing Phil

• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
Why a game?
 Security is a secondary task
 Learning by doing
 Fun and engaging
 Better strategies

• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
More about the game
 Four rounds
• Increasing difficulty
• Two minutes in each round
 Eight URL “worms” in each round
• Four phishing and four legitimate URLs
• Users must correctly identify 6 out of 8 URLs to
advance

• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
User Study
 Test participants’ ability to identify phishing web
sites before and after training
• 10 URLs before training, 10 after, randomized
• Up to 15 minutes of training
 Training conditions:
• Web-based phishing education
• Tutorial
• Game
 14 participants in each condition
• Screened out security experts
• Younger, college students

• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/

• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
Falling for Phishing
0.43
0.34
0.12
0.19 0.17
0.38
0
0.1
0.2
0.3
0.4
0.5
Existing training
materials
Tutorial Game
FalseNegativeRate
Pre test
Post test

• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
Misidentifying Legitimate Sites
0.30
0.27
0.30
0.41
0.21
0.14
0
0.1
0.2
0.3
0.4
0.5
Existing training
material
Tutorial Game
FalsePositiveRate
Pre test
Post test

• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
Results
 Game group had the best performance
overall
 Game group had fewest false positives
 No significant difference in false negatives
among the three groups

• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
Field Study

• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
Study Set-up
 Test participants’ ability to identify phishing web
sites after training and the ability to retain the
knowledge
• 6 URL quiz
 before training, after training, one week later
 Conditions:
• Control
• Game
 Completed training
• 423 in training group
• 292 in control group

• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
Preliminary Results
31%
60%
92%
75%
81%
93%
0%
20%
40%
60%
80%
100%
Novice Intermediate Expert
Pretest
Post test

• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
Comments

• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
Press

• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
Deployment
 We’ve released Phil under a Creative Commons
non-commercial license
 Over the past few weeks we’ve been contacted
by several banks, retailers, other companies, and
government agencies who are interested in using
Phil in their employee training programs
• Can’t get employees to read security memos, but think
they will be willing to play a game and learn something
 We’re working on setting up a commercial
licensing program, customized versions

• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
Portuguese Version

• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
Future Plans
 Analyze field study results to understand
how game can be further improved
 Continue to update game and use data
from public usage to evaluate and improve
 Consider adding new modules to teach
different skills or reinforce skills through
alternate approaches
 Consider special versions for kids, elderly,
specific brands, etc.

• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
Acknowledgements
 Members of Supporting Trust Decision
research group
 Members of CUPS Lab

CMU Usable Privacy and Security
Laboratory
http://cups.cs.cmu.edu/
Play Anti-Phishing Phil:
http://cups.cs.cmu.edu/antiphishing_phil/

The amount of data in our world today is substantially outsized. Many of the personal and non-personal aspects of our day-to-day activities are aggregated and stored as data by both businesses and governments. The increasing data captured through multimedia, social media, and the Internet are a phenomenon that needs to be properly examined. In this article, we explore this topic and analyse the term data ownership. We aim to raise awareness and trigger a debate for policy makers with regard to data ownership and the need to improve existing data protection, privacy laws, and legislation at both national and international levels.

Reusable Learning Objects: Designing and Archiving

Ishan Abeywardena, Ph.D.

Moo cs for professional development tcea feb 2015

Kay Abernathy, Ed.D.

UTS Library future service model (with notes)

Mal Booth

Operating system framed in case of mistaken identity

Cristian Bravo-Lillo

Presented at CCS'12 at Raleigh, NC, US. When asking users to enter credentials, today's desktop operating systems often use windows that provide scant evidence that a trusted path has been established; evidence that would allow a user to know that a request is genuine and that the password will not be read by untrusted principals. We measure the efficacy of web-based attacks that spoof these operating system credential-entry windows to steal users' device-login passwords. We recruited 504 users of Amazon's Mechanical Turk to evaluate a series of games on third-party websites. The third such website indicated that it needed to install software from the publisher that provided the participants' operating system: Microsoft's Silverlight for Windows Vista/7 users and Apple's QuickTime for Mac OS users. The website then displayed a spoofed replica of a window the participant's client operating system would use to request a user's device credentials. In our most effective attacks, over 20% of participants entered passwords that they later admitted were the genuine credentials used to login to their devices. Even among those who declined to enter their credentials, many participants were oblivious to the spoofing attack. Participants were more likely to confirm that they were worried about the consequences of installing software from a legitimate source than to report that they thought the credential-entry window might have appeared as a result of an attempt to steal their password. Get the paper at http://dl.acm.org/citation.cfm?id=2382237.

There are currently dozens of freely available tools to combat phishing and other web-based scams, many of which are web browser extensions that warn users when they are browsing a suspected phishing site. We developed an automated test bed for testing anti-phishing tools. We used 200 verified phishing URLs from two sources and 516 legitimate URLs to test the effectiveness of 10 popular anti-phishing tools. Only one tool was able to consistently identify more than 90% of phishing URLs correctly; however, it also incorrectly identified 42% of legitimate URLs as phish. The performance of the other tools varied considerably depending on the source of the phishing URLs. Of these remaining tools, only one correctly identified over 60% of phishing URLs from both sources. Performance also changed significantly depending on the freshness of the phishing URLs tested. Thus we demonstrate that the source of phishing URLs and the freshness of the URLs tested can significantly impact the results of anti-phishing tool testing. We also demonstrate that many of the tools we tested were vulnerable to simple exploits. In this paper we describe our anti-phishing tool test bed, summarize our findings, and offer observations about the effectiveness of these tools as well as ways they might be improved.

Your attention please: designing security-decision UIs to make genuine risks ...

Cristian Bravo-Lillo

Presented at SOUPS 2013, at Newcastle, UK. We designed and tested attractors for computer security dialogs: user-interface modifications used to draw users’ attention to the most important information for making decisions. Some of these modifications were purely visual, while others temporarily inhibited potentially-dangerous behaviors to redirect users’ attention to salient information. We conducted three between-subjects experiments to test the effectiveness of the attractors. In the first two experiments, we sent participants to perform a task on what appeared to be a third-party site that required installation of a browser plugin. We presented them with what appeared to be an installation dialog from their operating system. Participants who saw dialogs that employed inhibitive attractors were significantly less likely than those in the control group to ignore clues that installing this software might be harmful. In the third experiment, we attempted to habituate participants to dialogs that they knew were part of the experiment. We used attractors to highlight a field that was of no value during habituation trials and contained critical information after the habituation period. Participants exposed to inhibitive attractors were two to three times more likely to make an informed decision than those in the control condition. Get this paper at http://cups.cs.cmu.edu/soups/2013/program.html.

security and usable.ppt

Saba651353

Teaching Johnny not to Fall for Phish, at APWG CeCOS 2009

Jason Hong

Privacy And Copyrights

muhammad-Sulaiman

social networking .pptx

AdityaSingh875352

Technological Awareness for Teens and Young Adults.ppt

ssuserc4a497

Teaching Johnny Not to Fall for Phish, for ISSA 2010 on May 2010

Jason Hong

Teaching Johnny Not to Fall for Phish, for ISSA 2011 in Pittsburgh on Feb2011

Jason Hong

Caveon Webinar Series - Learning and Teaching Best Practices in Test Security...

Caveon Test Security

Test security has been emerging as a cohesive discipline for the past ten years. There are no college courses that teach test security. And, even if there were, many practitioners don't have time to take those classes. How do you stay abreast of current developments? How do you train your staff in latest best practices if you don't know about them? Are there resources out there, and how do you find them? In this webinar, Caveon will host several special guest practitioners from various industries. These test security veterans have had to answer these very questions. They will address how continuing education will help you improve test security in your organization.

INSPIRE Workshop 2014 SlidesINSPIRE_Network

10 Testing Myths in an Age of Misinformation (1).pptx

Conor Fitzgerald

Methods for academic honesty workshop presentationKimberly Jordan Seeber

Caveon Webinar Series: Six Security Challenges to Your High Stakes Test Prog...

Caveon Test Security

Presented by Dennis Maynes, Chief Scientist Data Forensics and Steve Addicott, Vice President, Caveon Test Security It’s no secret, your items and tests are under attack. The problem is big, and the challenges are…well…challenging. In this informative session, Dennis Maynes and Steve Addicott explore six security challenges initially faced by the IT certification industry, but which now impact all high stakes tests in Certification/Licensure, Higher Ed, K12 Education, and I/O. These challenges include: • Proxy test taking is big business • Braindump usage continues to undermine trustworthy test results • Test theft appears to be unchecked • Technology greatly facilitates collusive test taking • Stakeholder support must be won • Many test administration models present dilemmas While the threats are severe, many test program directors choose to stand up and fight. Maynes and Addicott present both tried and tested as well as new methods to both measure and manage against these threats.

Usable Privacy and Security: A Grand Challenge for HCI, Human Computer Inter...

Jason Hong

Caveon Webinar Series: The Good and Bad of Online Proctoring

Caveon Test Security

These slides were shared during an informational Webinar presented by the Caveon Webinar Series with guest panelists David Foster, CEO, Caveon Test Security, and Harry Layman, Executive Director of Digital Assessment Planning, The College Board. Description: Online proctoring is rapidly garnering the attention of testing programs that want better security, a longer reach, convenience, and lower test administration costs. Today there are several vendors offering services in this area, and they differ widely in the type and quality of services they provide. What features of online proctoring boost test security and which actually hurt test security? These slides focus on the major security threats during test administration and how those threats can be managed by different features of online proctoring. The slides provided should help an organization make sense of the variety of offerings available, and to select online proctoring features that improve the integrity of their tests. Please join our LinkedIn group "Caveon Test Security" to join this and other discussions. Please contact richelle.gruber@caveon.com with any questions.

Foolproof Assessmentsdaniel.pahlow

User Interfaces and Algorithms for Fighting Phishing, at Google Tech Talk Jan...

Jason Hong

Utilizing OSINT in Threat Analytics and Incident Response

Christopher Beiring

Validating potential incidents or indicators of compromise (IOCs) in today’s fast paced environment can be somewhat overwhelming and difficult. Sometimes a team does not believe they have all of the tools and resources to quickly and accurately identify, verify, and rectify a potential indicator in their environment in time. Sometimes these investigations are performed yet may leave out valuable key pieces of data that would benefit the prevention or hardening against future similar attacks. Everyone wants the expensive and shiny tool that vendors offer, but sometimes budgets do not always allow teams access to the latest and greatest, and honestly, not all tools are equal. Relying on one piece of data for IOC validation is a bad idea, even if that resource is the best in the industry. The approach is to use not only the tools you have, but to augment them with existing open source tools that will enrich your investigation, provide accuracy, and supplement your ability to quickly and accurately respond to valid threats in order to increase your security team’s effectiveness. The purpose of this presentation will be to walk users through the value of Open Source Intel and how to use the tools available effectively to help research and identify potential issues during an incident response engagement.

The state of web applications (in)security @ ITDays 2016

Tudor Damian

The global security landscape is changing, now more than ever. With cloud computing gaining momentum and advanced persistent threats becoming a common occurrence, the industry is taking a more focused and serious approach, especially after some of last years' heavily publicized cyber breaches. Join this session for a high-level overview on the industry trends in the area of web application security, and find out why security is bound to become a hot topic in any organization developing or using web applications.

20240609 QFM020 Irresponsible AI Reading List May 2024

Matthew Sinclair

GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...

Neo4j

Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.

Similar to Anti-Phishing Phil: The Design and Evaluation of a Game That Teaches People Not to Fall for Phish

Phinding Phish: An Evaluation of Anti-Phishing Toolbars, at NDSS 2007

Jason Hong

Your attention please: designing security-decision UIs to make genuine risks ...

Cristian Bravo-Lillo

security and usable.ppt

Saba651353

Teaching Johnny not to Fall for Phish, at APWG CeCOS 2009

Jason Hong

Privacy And Copyrights

muhammad-Sulaiman

social networking .pptx

AdityaSingh875352

Technological Awareness for Teens and Young Adults.ppt

ssuserc4a497

Teaching Johnny Not to Fall for Phish, for ISSA 2010 on May 2010

Jason Hong

Teaching Johnny Not to Fall for Phish, for ISSA 2011 in Pittsburgh on Feb2011

Jason Hong

Caveon Webinar Series - Learning and Teaching Best Practices in Test Security...

Caveon Test Security

INSPIRE Workshop 2014 SlidesINSPIRE_Network

10 Testing Myths in an Age of Misinformation (1).pptx

Conor Fitzgerald

Methods for academic honesty workshop presentationKimberly Jordan Seeber

Caveon Webinar Series: Six Security Challenges to Your High Stakes Test Prog...

Caveon Test Security

Usable Privacy and Security: A Grand Challenge for HCI, Human Computer Inter...

Jason Hong

Caveon Webinar Series: The Good and Bad of Online Proctoring

Caveon Test Security

Foolproof Assessmentsdaniel.pahlow

User Interfaces and Algorithms for Fighting Phishing, at Google Tech Talk Jan...

Jason Hong

Utilizing OSINT in Threat Analytics and Incident Response

Christopher Beiring

The state of web applications (in)security @ ITDays 2016

Tudor Damian

Similar to Anti-Phishing Phil: The Design and Evaluation of a Game That Teaches People Not to Fall for Phish (20)

Phinding Phish: An Evaluation of Anti-Phishing Toolbars, at NDSS 2007

Your attention please: designing security-decision UIs to make genuine risks ...

security and usable.ppt

Teaching Johnny not to Fall for Phish, at APWG CeCOS 2009

Privacy And Copyrights

social networking .pptx

Technological Awareness for Teens and Young Adults.ppt

Teaching Johnny Not to Fall for Phish, for ISSA 2010 on May 2010

Teaching Johnny Not to Fall for Phish, for ISSA 2011 in Pittsburgh on Feb2011

Caveon Webinar Series - Learning and Teaching Best Practices in Test Security...

INSPIRE Workshop 2014 Slides

10 Testing Myths in an Age of Misinformation (1).pptx

Methods for academic honesty workshop presentation

Caveon Webinar Series: Six Security Challenges to Your High Stakes Test Prog...

Usable Privacy and Security: A Grand Challenge for HCI, Human Computer Inter...

Caveon Webinar Series: The Good and Bad of Online Proctoring

Foolproof Assessments

User Interfaces and Algorithms for Fighting Phishing, at Google Tech Talk Jan...

Utilizing OSINT in Threat Analytics and Incident Response

The state of web applications (in)security @ ITDays 2016

Recently uploaded

20240609 QFM020 Irresponsible AI Reading List May 2024

Matthew Sinclair

GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...

Neo4j

GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024

Neo4j

FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf

FIDO Alliance

Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI

Vladimir Iglovikov, Ph.D.

Presented by Vladimir Iglovikov: - https://www.linkedin.com/in/iglovikov/ - https://x.com/viglovikov - https://www.instagram.com/ternaus/ This presentation delves into the journey of Albumentations.ai, a highly successful open-source library for data augmentation. Created out of a necessity for superior performance in Kaggle competitions, Albumentations has grown to become a widely used tool among data scientists and machine learning practitioners. This case study covers various aspects, including: People: The contributors and community that have supported Albumentations. Metrics: The success indicators such as downloads, daily active users, GitHub stars, and financial contributions. Challenges: The hurdles in monetizing open-source projects and measuring user engagement. Development Practices: Best practices for creating, maintaining, and scaling open-source libraries, including code hygiene, CI/CD, and fast iteration. Community Building: Strategies for making adoption easy, iterating quickly, and fostering a vibrant, engaged community. Marketing: Both online and offline marketing tactics, focusing on real, impactful interactions and collaborations. Mental Health: Maintaining balance and not feeling pressured by user demands. Key insights include the importance of automation, making the adoption process seamless, and leveraging offline interactions for marketing. The presentation also emphasizes the need for continuous small improvements and building a friendly, inclusive community that contributes to the project's growth. Vladimir Iglovikov brings his extensive experience as a Kaggle Grandmaster, ex-Staff ML Engineer at Lyft, sharing valuable lessons and practical advice for anyone looking to enhance the adoption of their open-source projects. Explore more about Albumentations and join the community at: GitHub: https://github.com/albumentations-team/albumentations Website: https://albumentations.ai/ LinkedIn: https://www.linkedin.com/company/100504475 Twitter: https://x.com/albumentations

Climate Impact of Software Testing at Nordic Testing Days

Kari Kakkonen

My slides at Nordic Testing Days 6.6.2024 Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.

Mind map of terminologies used in context of Generative AI

Kumud Singh

UiPath Test Automation using UiPath Test Suite series, part 6

DianaGray10

Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI. UiPath Test Automation with generative AI and Open AI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, a test automation solution, with Open AI advanced natural language processing capabilities. Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the seamless integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers, and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes. What will you get from this session? 1. Insights into integrating generative AI. 2. Understanding how this integration enhances test automation within the UiPath platform 3. Practical demonstrations 4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath Topics covered: What is generative AI Test Automation with generative AI and Open AI. UiPath integration with generative AI Speaker: Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP

Encryption in Microsoft 365 - ExpertsLive Netherlands 2024

Albert Hoitingh

Removing Uninteresting Bytes in Software Fuzzing

Aftab Hussain

Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process. In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds. - These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.

Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx

nkrafacyberclub

20240605 QFM017 Machine Intelligence Reading List May 2024

Matthew Sinclair

Free Complete Python - A step towards Data Science

RinaMondal9

Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!

SOFTTECHHUB

As the digital landscape continually evolves, operating systems play a critical role in shaping user experiences and productivity. The launch of Nitrux Linux 3.5.0 marks a significant milestone, offering a robust alternative to traditional systems such as Windows 11. This article delves into the essence of Nitrux Linux 3.5.0, exploring its unique features, advantages, and how it stands as a compelling choice for both casual users and tech enthusiasts.

Microsoft - Power Platform_G.Aspiotis.pdf

Uni Systems S.M.S.A.

Epistemic Interaction - tuning interfaces to provide information for AI support

Alan Dix

Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024 https://alandix.com/academic/papers/synergy2024-epistemic/ As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.

By Design, not by Accident - Agile Venture Bolzano 2024

Pierluigi Pugliese

RESUME BUILDER APPLICATION Project for students

KAMESHS29

Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...

SOFTTECHHUB

The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing. One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.

Video Streaming: Then, Now, and in the Future

Alpen-Adria-Universität

In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.

Recently uploaded (20)

20240609 QFM020 Irresponsible AI Reading List May 2024

GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...

GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024

FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf

Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI

Climate Impact of Software Testing at Nordic Testing Days

Mind map of terminologies used in context of Generative AI

UiPath Test Automation using UiPath Test Suite series, part 6

Encryption in Microsoft 365 - ExpertsLive Netherlands 2024

Removing Uninteresting Bytes in Software Fuzzing

Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx

20240605 QFM017 Machine Intelligence Reading List May 2024

Free Complete Python - A step towards Data Science

Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!

Microsoft - Power Platform_G.Aspiotis.pdf

Epistemic Interaction - tuning interfaces to provide information for AI support

By Design, not by Accident - Agile Venture Bolzano 2024

RESUME BUILDER APPLICATION Project for students

Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...

Video Streaming: Then, Now, and in the Future

Anti-Phishing Phil: The Design and Evaluation of a Game That Teaches People Not to Fall for Phish

1. CMU Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ Anti-Phishing Phil The Design and Evaluation of a Game That Teaches People Not to Fall for Phish S. Sheng, B. Maginien, P. Kumaraguru, A. Acquisti, L. Cranor, J. Hong, E. Nunge

2. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/  Online game • http://cups.cs.cmu.edu/antiphishing_phil/  Teaches people how to protect themselves from phishing attacks • Identify phishing URLs • Use web browser cues • Find legitimate sites with search engines Anti-Phishing Phil

3. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ Why a game?  Security is a secondary task  Learning by doing  Fun and engaging  Better strategies

10. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ More about the game  Four rounds • Increasing difficulty • Two minutes in each round  Eight URL “worms” in each round • Four phishing and four legitimate URLs • Users must correctly identify 6 out of 8 URLs to advance

11.

12. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ User Study  Test participants’ ability to identify phishing web sites before and after training • 10 URLs before training, 10 after, randomized • Up to 15 minutes of training  Training conditions: • Web-based phishing education • Tutorial • Game  14 participants in each condition • Screened out security experts • Younger, college students

13. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/

14. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/

15. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ Falling for Phishing 0.43 0.34 0.12 0.19 0.17 0.38 0 0.1 0.2 0.3 0.4 0.5 Existing training materials Tutorial Game FalseNegativeRate Pre test Post test

16. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ Misidentifying Legitimate Sites 0.30 0.27 0.30 0.41 0.21 0.14 0 0.1 0.2 0.3 0.4 0.5 Existing training material Tutorial Game FalsePositiveRate Pre test Post test

17. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ Results  Game group had the best performance overall  Game group had fewest false positives  No significant difference in false negatives among the three groups

18. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ Field Study

19.

20. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ Study Set-up  Test participants’ ability to identify phishing web sites after training and the ability to retain the knowledge • 6 URL quiz  before training, after training, one week later  Conditions: • Control • Game  Completed training • 423 in training group • 292 in control group

21. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ Preliminary Results 31% 60% 92% 75% 81% 93% 0% 20% 40% 60% 80% 100% Novice Intermediate Expert Pretest Post test

22. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ Comments

23. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ Press

24. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ Deployment  We’ve released Phil under a Creative Commons non-commercial license  Over the past few weeks we’ve been contacted by several banks, retailers, other companies, and government agencies who are interested in using Phil in their employee training programs • Can’t get employees to read security memos, but think they will be willing to play a game and learn something  We’re working on setting up a commercial licensing program, customized versions

25. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ Portuguese Version

26. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ Future Plans  Analyze field study results to understand how game can be further improved  Continue to update game and use data from public usage to evaluate and improve  Consider adding new modules to teach different skills or reinforce skills through alternate approaches  Consider special versions for kids, elderly, specific brands, etc.

27. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ Acknowledgements  Members of Supporting Trust Decision research group  Members of CUPS Lab

28. CMU Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ Play Anti-Phishing Phil: http://cups.cs.cmu.edu/antiphishing_phil/

Editor's Notes

Good afternoon everyone, I am Steve Sheng from Carnegie Mellon University, I am part of the CUPS lab at CMU. Today, I will be talking about some of the work that we did at CUPS lab in order to find solutions to train users about phishing attacks. The work that I will be presenting today was jointly done with Bryant Maginien, Ponguru Kumaragu, Alessandro Acquisti, Lorrie Cranor, Jason Hong and Elizabeth Nunge.
Educating user have some constraints, The first constraint is that security is a secondary task, people are not visiting a website to look at its security features, they go to the website to complete transactions. Another constraint is people like learning by doing, they don’t like to sit down and read training materials. Education is more effective when users learn by doing rather than by learning the classroom instructions.
The scene: is sea, we have a small fish called Phil, her job is to eat all the worms.
So today, Phil swim by a worm, the worm is identified by a URL. A good worm is a legitimate URL, whereas a bad worm is a bait dropped by the phishers.
Phil needs to score 6 / 8 to move on to the next rounds, and the end of the round, phil got a chance to reflect what he missed.
In between rounds, we also have short tutorials to teach Phil better strategies to identify phishing. In this example, Phil’s father teaches Phil how to use a search engine.
STUDY WAS A THINK ALOUD STUDY that lasts 45 - 60 MINS.. WE CAREFULLY RECRUITED NON-EXPERTS USING THREE SPECIFIC QUESTIONS - THE DEIFNITION OF NON EXPERT IS THE SAME AS IN PREVIOUS STUDY THAT I SAID. It aimed at testing the participants’ ability to identify phishing websites. We presented them 10 websites before training, followed by a 15 minute break where users perform one of the three tasks: they read webased phishing education, they read the game tutorial, or they played the game. Users are randomly assigned in each of the conditions. There are fourteen non-expert participants in each condition, for a total of 42 participants.
All of them are statistical significant, there is no statistical difference between them in Either pre test or post test.
There are statistically different.
To summarize, there are -- No significant difference in false negatives among the three groups - Game group performed best in false positives - Game condition performed best in total correctness Effect between the tutorial and the game conditions not statistically significant. The next question we want to answer, is that is the increase in performance due to learning or raising awareness.
http://www.pcworld.com/article/id,137868-c,cybercrime/article.html http://www.news.com/8301-10784_3-9787549-7.html?tag=nefd.only http://www.cbc.ca/technology/story/2007/09/26/phil-phish.html http://www.pcpro.co.uk/news/126386/phishers-caught-hook-line-and-sinker.html http://www.businessweek.com/the_thread/blogspotting/archives/2007/09/play_with_anti-.html

Anti-Phishing Phil: The Design and Evaluation of a Game That Teaches People Not to Fall for Phish

Recommended

Recommended

More Related Content

Similar to Anti-Phishing Phil: The Design and Evaluation of a Game That Teaches People Not to Fall for Phish

Similar to Anti-Phishing Phil: The Design and Evaluation of a Game That Teaches People Not to Fall for Phish (20)

Recently uploaded

Recently uploaded (20)

Anti-Phishing Phil: The Design and Evaluation of a Game That Teaches People Not to Fall for Phish

Editor's Notes