DOI: 10.1145/1280680.1280692

Anti-Phishing Phil: the design and evaluation of a game that teaches people not to fall for phish

Published: 18 July 2007

ABSTRACT

In this paper we describe the design and evaluation of Anti-Phishing Phil, an online game that teaches users good habits to help them avoid phishing attacks. We used learning science principles to design and iteratively refine the game. We evaluated the game through a user study: participants were tested on their ability to identify fraudulent web sites before and after spending 15 minutes engaged in one of three anti-phishing training activities (playing the game, reading an anti-phishing tutorial we created based on the game, or reading existing online training materials). We found that the participants who played the game were better able to identify fraudulent web sites compared to the participants in other conditions. We attribute these effects to both the content of the training messages presented in the game as well as the presentation of these materials in an interactive game format. Our results confirm that games can be an effective way of educating people about phishing and other security attacks.
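The study design above (label a set of sites as legitimate or phishing, before and after 15 minutes of training, across three conditions) raises a scoring question a practitioner running the same kind of evaluation has to settle: percent correct cannot distinguish a participant who learned to tell phish from legitimate sites from one who simply started calling everything phishing. The script below is an added example, not code from the paper, and the abstract does not say how the authors analysed their data; scoring with signal-detection measures (sensitivity d' and criterion c, with the usual log-linear correction to keep perfect scores finite) is this editor's choice. The test set and participant responses are constructed for illustration.

```python
"""Scoring a pre/post phishing-identification test with signal-detection measures.

Added example (not the paper's code). Each participant labels a fixed set of
sites as phishing or legitimate before and after training. d' rises only when
discrimination improves; the criterion c shifts when the participant merely
becomes more (c < 0) or less (c > 0) inclined to call a site phishing.
"""
from statistics import NormalDist, mean

_Z = NormalDist().inv_cdf  # standard-normal quantile: probability -> z-score


def score(truth, judgments):
    """Return hit/false-alarm rates, d' and criterion for one test sitting.

    truth     -- list of booleans, True where the site really is phishing
    judgments -- list of booleans, True where the participant called it phishing
    d' and c use the log-linear correction (k + 0.5) / (n + 1) so that 0 or
    100 percent hits or false alarms do not produce an infinite z-score.
    """
    if len(truth) != len(judgments):
        raise ValueError("truth and judgments must have the same length")
    phish = [j for t, j in zip(truth, judgments) if t]
    legit = [j for t, j in zip(truth, judgments) if not t]
    if not phish or not legit:
        raise ValueError("test set needs both phishing and legitimate sites")
    hits = sum(phish)
    false_alarms = sum(legit)
    hit_rate = (hits + 0.5) / (len(phish) + 1)
    fa_rate = (false_alarms + 0.5) / (len(legit) + 1)
    d_prime = _Z(hit_rate) - _Z(fa_rate)
    criterion = -(_Z(hit_rate) + _Z(fa_rate)) / 2  # negative = liberal (suspects more)
    return {
        "hit_rate": hits / len(phish),              # raw rates, for reporting
        "false_alarm_rate": false_alarms / len(legit),
        "d_prime": d_prime,
        "criterion": criterion,
    }


def condition_summary(truth, sittings):
    """Mean pre-to-post change in d' and criterion for one training condition.

    sittings -- list of (pre_judgments, post_judgments) pairs, one per participant
    """
    d_deltas, c_deltas = [], []
    for pre, post in sittings:
        s_pre, s_post = score(truth, pre), score(truth, post)
        d_deltas.append(s_post["d_prime"] - s_pre["d_prime"])
        c_deltas.append(s_post["criterion"] - s_pre["criterion"])
    return {
        "mean_d_prime_change": mean(d_deltas),
        "mean_criterion_change": mean(c_deltas),
        "n": len(sittings),
    }


# Constructed test set: 10 sites, the first 5 phishing, the last 5 legitimate.
TRUTH = [True] * 5 + [False] * 5

# Constructed responses (True = "this is phishing"), not data from the study.
# A participant whose discrimination improved: 3/5 phish caught -> 5/5, 1 false alarm both times.
LEARNED_PRE = [True, True, True, False, False, False, False, False, False, True]
LEARNED_POST = [True, True, True, True, True, False, False, False, False, True]
# A participant who "learned" only to distrust everything.
PARANOID_PRE = LEARNED_PRE
PARANOID_POST = [True] * 10

if __name__ == "__main__":
    for name, pre, post in [("learned", LEARNED_PRE, LEARNED_POST),
                            ("paranoid", PARANOID_PRE, PARANOID_POST)]:
        a, b = score(TRUTH, pre), score(TRUTH, post)
        print(f"{name:9s} d' {a['d_prime']:.2f} -> {b['d_prime']:.2f}   "
              f"c {a['criterion']:+.2f} -> {b['criterion']:+.2f}   "
              f"false alarms {a['false_alarm_rate']:.0%} -> {b['false_alarm_rate']:.0%}")
```

Both constructed participants end with a 100 percent hit rate, so a hit-rate-only comparison would rate them identical; d' separates them (it rises for the first and drops to zero for the second, whose criterion simply moves to the liberal side). When comparing training conditions, report the false-alarm rate alongside the hit rate for exactly this reason.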


Published in

SOUPS '07: Proceedings of the 3rd symposium on Usable privacy and security
July 2007, 188 pages
ISBN: 9781595938015
DOI: 10.1145/1280680

Copyright © 2007 ACM

        Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

        Publisher

        Association for Computing Machinery

        New York, NY, United States

        Publication History

        • Published: 18 July 2007

        Permissions

        Request permissions about this article.

        Request Permissions

        Check for updates

        Qualifiers

        • Article

        Acceptance Rates

        Overall Acceptance Rate15of49submissions,31%

      PDF Format

      View or Download as a PDF file.

      PDF

      eReader

      View online with eReader.

      eReader