Comparing Phishing Training and Campaign Methods for Mitigating Malicious Emails in Organizations

Jackie Scott, Yair Levy, Wei Li, Ajoy Kumar

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

Although there have been numerous significant technological advancements in the last several decades, there continues to be a real threat as it pertains to social engineering, especially phishing, spear-phishing, and Business Email Compromise (BEC). While the technologies to protect end-users have gotten better, the ‘human factor’ in cybersecurity is the main penetration surface. These three phishing methods are used by attackers to infiltrate corporate networks and manipulate end-users, especially through business email. Our research study was aimed at assessing several phishing mitigation methods, including phishing training and campaign methods, as well as any human characteristics that enable a successful cyberattack through business email. Following expert panel validation for the experimental procedure, a pilot study with 172 users and then a full study with 552 users were conducted to collect six actual end-users’ negative response actions to phishing campaigns conducted with traditional Commercial-Off-The-Shelf (COTS) product (KnowBe4) and a red team. Users were randomly assigned to three groups: no training; traditional training; and longitudinal customized training with 1,104 data points collected. While the phishing method was significant, our results indicate that current training methods appear to provide little to no added value vs. no training at all.

Original languageEnglish
Title of host publicationProceedings of the 10th International Conference on Information Systems Security and Privacy
EditorsGabriele Lenzini, Paolo Mori, Steven Furnell
PublisherScience and Technology Publications, Lda
Pages643-651
Number of pages9
ISBN (Print)9789897586835
DOIs
StatePublished - 2024
Event10th International Conference on Information Systems Security and Privacy, ICISSP 2024 - Rome, Italy
Duration: Feb 26 2024Feb 28 2024

Publication series

NameInternational Conference on Information Systems Security and Privacy
Volume1
ISSN (Electronic)2184-4356

Conference

Conference10th International Conference on Information Systems Security and Privacy, ICISSP 2024
Country/TerritoryItaly
CityRome
Period2/26/242/28/24

ASJC Scopus Subject Areas

  • Computer Science (miscellaneous)
  • Information Systems

Keywords

  • and Awareness (SETA)
  • Business Email Compromise (BEC)
  • Phishing
  • Phishing Campaigns
  • Phishing Training
  • Red Team
  • Security Education
  • Spear-Phishing
  • Training

Cite this