Why phishing still works: User strategies for combating phishing attacks

Alsharnouby, Mohamed; Alaca, Furkan; Chiasson, Sonia

doi:10.1016/j.ijhcs.2015.05.005

Cited by 188 publications

(136 citation statements)

References 37 publications

(46 reference statements)

Supporting

Mentioning

129

Contrasting

Order By: Relevance

“…There is also research about using eye trackers to better understand human users' cognitive processes when interacting with security-sensitive systems, e.g., recently Miyamoto et al [22] conducted a study on using eye-tracking data to link UI elements to the detection of possible phishing websites. Alsharnouby et al [3] used eye trackers to assess the influence of browser security indicators and the awareness of phishing on a user's ability to avoid cyber attacks. While there is quite some work on the combined use of eye tracking and cognitive modeling, to the best of our knowledge, except some general recommendations such as those reported in [15] still limited work has been done on combining the two techniques for cyber security applications.…”

Section: Related Workmentioning

confidence: 99%

When Eye-Tracking Meets Cognitive Modeling: Applications to Cyber Security Systems

Yuan

Rusconi

et al. 2017

Human Aspects of Information Security, Privacy and Trust

View full text Add to dashboard Cite

Abstract. Human cognitive modeling techniques and related software tools have been widely used by researchers and practitioners to evaluate the effectiveness of user interface (UI) designs and related human performance. However, they are rarely used in the cyber security field despite the fact that human factors have been recognized as a key element for cyber security systems. For a cyber security system involving a relatively complicated UI, it could be difficult to build a cognitive model that accurately captures the different cognitive tasks involved in all user interactions. Using a moderately complicated user authentication system as an example system and CogTool as a typical cognitive modeling tool, this paper aims to provide insights into the use of eye-tracking data for facilitating human cognitive modeling of cognitive tasks more effectively and accurately. We used visual scan paths extracted from an eye-tracking user study to facilitate the design of cognitive modeling tasks. This allowed us to reproduce some insecure human behavioral patterns observed in some previous lab-based user studies on the same system, and more importantly, we also found some unexpected new results about human behavior. The comparison between human cognitive models with and without eye-tracking data suggests that eye-tracking data can provide useful information to facilitate the process of human cognitive modeling as well as to achieve a better understanding of security-related human behaviors. In addition, our results demonstrated that cyber security research can benefit from a combination of eye-tracking and cognitive modeling to study human behavior related security problems.

show abstract

Section: Related Workmentioning

confidence: 99%

When Eye-Tracking Meets Cognitive Modeling: Applications to Cyber Security Systems

Yuan

Rusconi

et al. 2017

Human Aspects of Information Security, Privacy and Trust

View full text Add to dashboard Cite

show abstract

“…PhishTank provides data for download or access via an API call under a restrictive license. On the other hand, Alexa provides commercial web traffic data, global rankings, and analytics of about 30 million websites (Alsharnouby et al, 2015).…”

Section: Proposed Schemementioning

confidence: 99%

“…Such fake websites or electronic communication usually comes with the feel or patterns of genuine communication or original sites. Lack of knowledge of security indicators, bounded attention, visual deception and lack of computer system knowledge on the part of unsuspecting users sometimes assists the phishers to have a field day (Alsharnouby et al, 2015). For instance, the Anti-Phishing Working Group (APWG) reported that the total number of unique phishing sites detected from Q1 through Q3 of 2015 was 630,494 (www.…”

Section: Introductionmentioning

confidence: 99%

“…These anti-phishing solutions range from users' education to software enhancements (Alsharnouby et al, 2015). While most of these anti-phishing solutions have made a significant difference in dealing with phishing, the proliferation of android/iOS mobile phones in recent times has increased attack surface for phishers (Kumar & Kumar, 2014).…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

A Lightweight Anti-Phishing Technique for Mobile Phone

Orunsolu¹,

Alaran²,

Adebayo³

et al. 2017

AIP

View full text Add to dashboard Cite

Mobile phones have become an essential device for accessing the web. This is due to the advantages of portability, lower cost and ease. However, the adoption of mobile phones for online activities is now being challenged by myriads of cybercrimes. One of such crimes is phishing attack. In this work, a lightweight anti-phishing technique is proposed to combat phishing attacks on mobile devices. This is necessary because these mobile platforms have increased the attack surface for phishers while diminishing the effectiveness of existing countermeasures. The proposed approach uses a number of URL behavior to determine the status of a website based on frequency analysis of extracted phishing features from PhishTank. To increase the detection power of unknown pattern, a machine learning algorithm called Support Vector Machine is adopted. The results indicated that the approach is very efficient against phishing sites with negligible false negatives.

show abstract

“…Empirical studies focus on a simple "yes" or "no" response (i.e., subjects use or do not use the indicators) or some more nuanced version (e.g., how much time subjects spend looking at the security indicators) [5], [6]. One limitation of these paradigms is that correct and incorrect login decisions could be due to more than one source of knowledge or decision process.…”

Section: Introductionmentioning

confidence: 99%

Real-World Decision Making: Logging Into Secure vs. Insecure Websites

Kelley¹,

Bertenthal²

2016

Proceedings 2016 Workshop on Usable Security

View full text Add to dashboard Cite

Abstract-A novel Two-Alternative Forced Choice experiment was used to evaluate the effects of security indicators on participants' decision making when identifying potentially risky websites. Participants recruited from Amazons Mechanical Turk were instructed to visit a series of secure and insecure websites, and decide as quickly and as accurately as possible whether or not it was safe to login. Hierarchical linear regression models were used to identify the importance of the presence of security indicators, security domain knowledge, and familiarity with the presented websites to correctly differentiate between secure and insecure websites. An analysis of participants' mouse trajectories was used to assess how websites were searched before a decision was made. The likelihood to login was modulated by security domain knowledge and familiarity with websites. The mouse tracking data revealed that spoofed websites with security indicators resulted in less search on the website, especially when the browser chrome indicated extended validation. Taken together, these results suggest that participants are aware of security indicators, but their responses are modulated by multiple factors.

show abstract

Why phishing still works: User strategies for combating phishing attacks

Cited by 188 publications

References 37 publications

When Eye-Tracking Meets Cognitive Modeling: Applications to Cyber Security Systems

When Eye-Tracking Meets Cognitive Modeling: Applications to Cyber Security Systems

A Lightweight Anti-Phishing Technique for Mobile Phone

Real-World Decision Making: Logging Into Secure vs. Insecure Websites

Contact Info

Product

Resources

About