This includes findings regarding those types of URLs that are most difficult to decide on as well as ideas to further improve NoPhish. The focus of this paper is on the description and the evaluation of both studies. The outcomes of the studies show that NoPhish helps users make better decisions with regard to the legitimacy of URLs immediately after playing NoPhish as well as after some time has passed. Therefore, we conducted a lab study as well as a retention study (five months later). It is crucial to evaluate NoPhish with respect to its effectiveness and the users' knowledge retention. For this reason, we developed an Android app, a game called -NoPhish-, which educates the user in the detection of phishing URLs. We believe user education about the dangers of the Internet is a further key strategy to combat phishing. Previous approaches to counter phishing do not draw on a crucial factor to combat the threat - the users themselves. Phishing is a prevalent issue of today's Internet. We detail potential improvements to ticketing systems and reflect on ITIL, a common framework of best practice in IT management. Sudden large campaigns were found to overwhelm the help desk with reports, greatly impacting staff's workflow and hindering the effective application of mitigations and the potential for reflection. We found that the process and work patterns are a distributed cognitive process requiring multiple distinct teams with narrow system access and tactic knowledge. In this case study, we use interviews and observations to explore the processes staff at a large University use when handling reports of malicious communication, including how the help desk processes reports, whom they escalate them to, and how teams who manage protections such as the firewalls and mail relays use these reports to improve defenses. While automated measures provide some protection, they cannot completely protect an organization. Malicious communications aimed at tricking employees are a serious threat for organizations, necessitating the creation of procedures and policies for quickly respond to ongoing attacks. We conclude with a discussion of how the USEC community currently supports researchers in overcoming these challenges and places to potentially improve support. We identify the challenges faced by researchers in this area such as the high costs of conducting field studies when evaluating hardware prototypes, the scarcity of open-source material, and the resistance to novel prototypes. We discussed their experiences conducting USEC research that involves prototyping, opinions on the challenges involved, and the ecological validity issues surrounding current evaluation approaches. Our interviewees range from professors to senior PhD candidates, and researchers from industry. We report on twelve interviews with established and nascent USEC researchers who prototype security and privacy-protecting systems and have published work in top-tier venues. Iterative design, implementation, and evaluation of prototype systems is a common approach in Human-Computer Interaction (HCI) and Usable Privacy and Security (USEC) however, research involving physical prototypes can be particularly challenging. The investigation of the reminder measures indicates that measures based on videos and interactive examples perform best, lasting for at least another six months. This was not the case anymore after six months, indicating that reminding users after half a year is recommended. We find a significantly improved performance of correctly identifying phishing and legitimate emails directly after and four months after the programme's deployment. With overall 409 employees, we evaluated (a) the effectiveness of their newly deployed security awareness and education programme in the phishing context over time and (b) the effectiveness of four different reminder measures-administered after the initial effect had worn off to a degree that no significant improvement to before its deployment was detected anymore. In an attempt to address this open question, we present a field investigation in a German organisation from the public administration sector. However, their effectiveness over time and, correspondingly, appropriate intervals to remind users' awareness and knowledge are an open question. Security awareness and education programmes are rolled out in more and more organisations.
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |