Anti-Phishing Phil The Design and Evaluation of a Game That Teaches People Not to Fall for Phish

Date post: 13-Jan-2016
Transcript
Page 1: Anti-Phishing Phil The Design and Evaluation of a Game That Teaches People Not to Fall for Phish

CMU Usable Privacy and Security Laboratory, http://cups.cs.cmu.edu/

Anti-Phishing Phil: The Design and Evaluation of a Game That Teaches People Not to Fall for Phish

S. Sheng, B. Maginien, P. Kumaraguru, A. Acquisti, L. Cranor, J. Hong, E. Nunge

Page 2

Page 3: Phishing email

Subject: eBay: Urgent Notification From Billing Department

Page 4

We regret to inform you that you eBay account could be suspended if you don’t update your account information.

Page 5

https://signin.ebay.com/ws/eBayISAPI.dll?SignIn&sid=verify&co_partnerid=2&sidteid=0

Page 6

Page 7: What is phishing?

Social engineering attack

Misrepresents electronic identity

Tricks individuals into revealing personal credentials

Defrauds users

Financial Services Technology Consortium. Understanding and countering the phishing threat: A financial services industry perspective. 2005.

Page 8: Countermeasures for phishing

Silently eliminating the threat
• Regulatory & policy solutions
• Email filtering (SpamAssassin)

Warning users about the threat
• Toolbars (SpoofGuard, TrustBar)

Training users not to fall for attacks

Page 9: Design Rationale

Security is a secondary task

Learning by doing

Fun and engaging

Better strategies

Page 10: Anti-Phishing Phil

Online game
• http://cups.cs.cmu.edu/antiphishing_phil/

Teaches people how to protect themselves from phishing attacks
• Identify phishing URLs
• Use web browser cues
• Find legitimate sites with search engines

Page 11

Page 12

Page 13

Page 14

Page 15

Page 16

Page 17: More about the game

Four rounds
• Two minutes in each round
• Increasing difficulty

Eight URL “worms” in each round
• Four phishing and four legitimate URLs
• Users must correctly identify 6 out of 8 URLs to advance

In-between round tutorials

Page 18: User Study

Test participants’ ability to identify phishing web sites before and after training
• 10 URLs before training, 10 after, randomized
• Up to 15 minutes of training

Training conditions:
• Web-based phishing education
• Tutorial
• Game

14 participants in each condition
• Screened out security experts
• Younger, college students

Page 19

Page 20

Page 21: Results

No significant difference in false negatives among the three groups

Game group had fewest false positives

Page 22: The effects

Improvement could be due to
• Learning to distinguish legitimate from phish
• Raising suspicion about all web sites

Learning is better than raising suspicion
• Fewer false positives
• Will help people more in the long run

Page 23: Conclusions

Used signal detection theory to measure effects
• Existing training materials increased suspicion with little learning
• Game did not raise suspicion but resulted in players learning to distinguish legitimate from phish

In some cases a little more suspicion would have helped

Game condition performed best overall!
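The learning-versus-suspicion distinction drawn on the "effects" and "conclusions" slides, as an added example (not code from the paper or the CUPS lab): signal detection theory splits a change in error rates into sensitivity d' (learning to separate phish from legitimate sites) and criterion c (overall suspicion). The error rates, the 5 phish / 5 legitimate split of the 10 test URLs, and the change threshold are constructed assumptions.

```python
"""Signal detection theory (SDT) reading of phishing-training results.

Added example; not code from the Anti-Phishing Phil paper or the CUPS lab.
Each URL judgement is a detection trial: flagging a phish is a hit, flagging
a legitimate site is a false alarm. Sensitivity d' measures how well users
separate phish from legitimate sites ("learning"); criterion c measures how
readily they call anything a phish ("suspicion"; lower c = more suspicious).
"""
from statistics import NormalDist

_z = NormalDist().inv_cdf  # probit: z-score for a probability


def _clamp(rate, n_trials):
    """Keep a rate off 0 and 1 so the z-score stays finite (0.5/n correction;
    a common SDT convention, chosen here as an assumption)."""
    return min(max(rate, 0.5 / n_trials), 1.0 - 0.5 / n_trials)


def sdt_measures(false_negative_rate, false_positive_rate, n_phish=5, n_legit=5):
    """Return (d_prime, criterion) from the two error rates the slides plot.
    Hit rate H = 1 - FN, false-alarm rate F = FP;
    d' = z(H) - z(F), c = -(z(H) + z(F)) / 2.
    The 5 phish / 5 legitimate split of the 10 test URLs is an assumption."""
    h = _clamp(1.0 - false_negative_rate, n_phish)
    f = _clamp(false_positive_rate, n_legit)
    return _z(h) - _z(f), -(_z(h) + _z(f)) / 2


def classify_effect(pre, post, min_change=0.25):
    """Label a pre->post change as 'learning' (d' rose), 'suspicion'
    (c fell, d' flat), 'both', or 'none'. pre/post are (FN, FP) pairs;
    the min_change threshold is a constructed choice, not from the paper."""
    d0, c0 = sdt_measures(*pre)
    d1, c1 = sdt_measures(*post)
    learned = d1 - d0 >= min_change
    more_suspicious = c0 - c1 >= min_change
    if learned and more_suspicious:
        return "both"
    if learned:
        return "learning"
    if more_suspicious:
        return "suspicion"
    return "none"


if __name__ == "__main__":
    # Constructed rates (not the study's numbers): same FN drop, different cause.
    print(classify_effect((0.4, 0.2), (0.2, 0.4)))  # FP went up: suspicion
    print(classify_effect((0.4, 0.2), (0.2, 0.1)))  # FP went down: learning
```

Both constructed cases halve the false negative rate; only the second also lowers false positives, which is what the slides mean by learning rather than raised suspicion.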

Page 24: Acknowledgements

Members of Supporting Trust Decision research group

Members of CUPS lab

Page 25

CMU Usable Privacy and Security Laboratory
http://cups.cs.cmu.edu/

Play Anti-Phishing Phil: http://cups.cs.cmu.edu/antiphishing_phil/

Page 26: Falling for Phishing

[Bar chart: False Negative Rate (y axis, 0 to 0.5), pre test vs. post test, for Existing training materials, Tutorial and Game. Bar values as extracted, in no reliable order: 0.43, 0.34, 0.12, 0.19, 0.17, 0.38]

Page 27: Misidentifying Legitimate Sites

[Bar chart: False Positive Rate (y axis, 0 to 0.5), pre test vs. post test, for Existing training material, Tutorial and Game. Bar values as extracted, in no reliable order: 0.30, 0.27, 0.30, 0.41, 0.21, 0.14]

Page 28: Lessons Learned

Pilot test
• Users were able to identify phishing
• But they misidentified real ones

Users tend to get the specifics, but not the underlying concepts
• Conceptual vs. procedural knowledge

Users didn’t ask father for help much
