Clickthrough Testing for Real-World Phishing Simulations

Dupuis, Marc; Smith, Samantha

doi:10.1145/3368308.3415443

Proceedings of the 21st Annual Conference on Information Technology Education 2020

DOI: 10.1145/3368308.3415443

|View full text |Cite

Clickthrough Testing for Real-World Phishing Simulations

Marc Dupuis

Samantha Smith

Abstract: In this paper, we begin by discussing the challenges associated with phishing email simulations. In part, we note how challenging it is to achieve realism in such a simulation and what this may mean for the results obtained. Next, we detail a real-world phishing simulation that targeted participants involved in an unrelated research project. CCS CONCEPTS • Security and privacy → Social aspects of security and privacy; Privacy protections; Phishing.

Help me understand this report

Search citation statements

Order By: Relevance

Paper Sections

Select...

Citation Types

Supporting

Mentioning

Contrasting

Year Published

2021

2022

Publication Types

Select...

Article2

Relationship

Self Cite0

Independent2

Authors

Journals

Cited by 2 publications

(1 citation statement)

References 4 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…If the employee follows these guidelines, the money is likely to be transferred. After all, realism in these factors is often what makes a Phishing email successful [6].…”

mentioning

confidence: 99%

Moving from employee compliance to employee success in the cyber security domain

Renaud

Flowerday

Dupuis

2021

Computer Fraud & Security

View full text Add to dashboard Cite

Recently, the Wall Street Journal published an article about the use of fear in Cyber Security messaging [11]. The thrust of the author's argument was that the use of fear was unwise and counter-productive. Why is fear used in this context? Because the user of computer systems is often perceived to be the "weakest link" when it comes to cyber security. This is particularly true where the consequences of an employee's unwise action could be costly to the organisation [7].Fear is merely the tool; compliance with security policy mandates is the aim, the underlying assumption being that fear is an effective mechanism to achieve compliance, and, transitively, more secure behaviours. This approach's flaws are two-fold. On the one hand, people dislike fear appeals [5], and many will respond negatively and not, as anticipated, by complying. But, even if they do comply, that is not necessarily a solution to the problem of insecure human behaviours. This is because this approach builds on yet another flawed assumption: that organisational policies are sufficient and comprehensive. This assumption is naïve for two reasons. The first is that cyber criminals innovate and change their tactics daily [9], while security policies take months to finalise. The second is that focusing on compliance attempts to turn employees into robotic rule followers. The underlying sentiment of "compliance drives" is that if employees would only follow all the mandated rules and follow processes, no security breaches would occur. While society cannot work without rules, this reliance on security policies is not appropriate in a domain as dynamic and fluid as cyber security [13].

show abstract

“…If the employee follows these guidelines, the money is likely to be transferred. After all, realism in these factors is often what makes a Phishing email successful [6].…”

mentioning

confidence: 99%

Moving from employee compliance to employee success in the cyber security domain

Renaud

Flowerday

Dupuis

2021

Computer Fraud & Security

View full text Add to dashboard Cite

show abstract

Developing metrics to assess the effectiveness of cybersecurity awareness program

Chaudhary

Gkioulos

Katsikas

2022

Journal of Cybersecurity

View full text Add to dashboard Cite

Cybersecurity awareness (CSA) is not just about knowing, but also transforming things learned into practice. It is a continuous process that needs to be adjusted in subsequent iterations to improve its usability as well as sustainability. This is possible only if a CSA program is reviewed and evaluated timely. Review and evaluation of an awareness program offer an insight into the program's effectiveness on the audience and organization, an invaluable piece of information for the continuous improvement of the program. Further, it provides the information required by the management and sponsor to decide on whether to invest in the program or not. Despite these advantages, there does not exist a common understanding of what factors to measure and how to measure them during the evaluation process. As a result, we have proposed evaluation metrics for the purpose. In order to do so, we performed a literature review of 32 papers mainly to extract the following data: (i) what factors did the paper measure, and (ii) how did it measure the factors? Next, we adapted the European Literacy Policy Network's four indicators (i.e. impact, sustainability, accessibility, and monitoring) for awareness evaluation to make it appropriate for evaluating a CSA program. We believe that measuring all four indicators will contribute to making the evaluation process systematic, complete, and replicable. More importantly, it will help to produce more inclusive, accurate, and usable results for the future enhancement of the program.

show abstract

scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.

Contact Info

hi@scite.ai

10624 S. Eastern Ave., Ste. A-614

Henderson, NV 89052, USA

Blog Terms and Conditions API Terms Privacy Policy Contact Cookie Preferences Do Not Sell or Share My Personal Information

Made with 💙 for researchers

Part of the Research Solutions Family.

Clickthrough Testing for Real-World Phishing Simulations

Cited by 2 publications

References 4 publications

Moving from employee compliance to employee success in the cyber security domain

Moving from employee compliance to employee success in the cyber security domain

Developing metrics to assess the effectiveness of cybersecurity awareness program

Contact Info

Product

Resources

About