Anti-Phishing Awareness Delivery Methods
Received: 7 November 2021 | Revised: 19 November 2021 | Accepted: 20 November 2021 | Online: 11 December 2021
Corresponding author: A. Darem
Abstract
Phishing attacks are increasingly used by cybercriminals; they are becoming more sophisticated and evade detection even by advanced technical countermeasures. As cybercriminals adopt more sophisticated phishing techniques and strategies and move to new channels such as social networks, phishing is becoming a hard problem to solve. The main objective of any anti-phishing solution is therefore to minimize the success of phishing and its consequences by complementing advanced technical countermeasures with other means. Since phishing threats cannot be controlled by technical controls alone, it is imperative to complement cybersecurity programs with cybersecurity awareness programs in order to fight phishing attacks successfully. This paper reviews the delivery methods of cybersecurity training programs used to improve personnel security awareness and behavior with respect to phishing threats. Although there is a wide variety of educational interventions against phishing, the differences between the awareness delivery methods are not always clear. To this end, we review the most common workforce cybersecurity training methods so that employees are better able to protect themselves from phishing threats.
Keywords:
phishing, anti-phishing awareness, phishing attack, awareness delivery methods, cybersecurity threats
License
Copyright (c) 2021 A. Darem
This work is licensed under a Creative Commons Attribution 4.0 International License.
Authors who publish with this journal agree to the following terms:
- Authors retain the copyright and grant the journal the right of first publication with the work simultaneously licensed under a Creative Commons Attribution License that allows others to share the work with an acknowledgement of the work's authorship and initial publication in this journal.
- Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgement of its initial publication in this journal.
- Authors are permitted and encouraged to post their work online (e.g., in institutional repositories or on their website) after its publication in ETASR with an acknowledgement of its initial publication in this journal.