Volume 24, Issue 3
  • ISSN 1572-0373
  • E-ISSN: 1572-0381

Abstract

This article presents an experimental analysis of several cybersecurity risks affecting the human attack surface of Fairmont State University, a mid-size state university. We consider two social engineering experiments: a phishing email barrage and a targeted spearphishing campaign. In the phishing experiment, a total of 4,769 students, faculty, and staff on campus were targeted by 90,000 phishing emails. Throughout these experiments, we explored the effectiveness of three types of phishing awareness training. Our results show that phishing emails that make it through IT’s defenses pose a clear and present threat to large educational organizations. Moreover, we found that simple, visual, instructional guides are more effective training tools than long documents or interactive training.

/content/journals/10.1075/is.22053.cuc
2024-02-15
2024-12-07
  • Article Type: Research Article
Keyword(s): phishing; security; social engineering