
1 CMU Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/
Anti-Phishing Phil: The Design and Evaluation of a Game That Teaches People Not to Fall for Phish
S. Sheng, B. Magnien, P. Kumaraguru, A. Acquisti, L. Cranor, J. Hong, E. Nunge


3 Phishing email
Subject: eBay: Urgent Notification From Billing Department

4 We regret to inform you that you eBay account could be suspended if you don’t update your account information.

5 https://signin.ebay.com/ws/eBayISAPI.dll?SignIn&sid=verify&co_partnerid=2&sidteid=0


7 What is phishing?
- Social engineering attack
- Misrepresents electronic identity
- Tricks individuals into revealing personal credentials
- Defrauds users
Source: Financial Services Technology Consortium. Understanding and countering the phishing threat: A financial service industry perspective. 2005.

8 Countermeasures for phishing
- Silently eliminating the threat
  - Regulatory & policy solutions
  - Email filtering (SpamAssassin)
- Warning users about the threat
  - Toolbars (SpoofGuard, TrustBar)
- Training users not to fall for attacks

9 Design Rationale
- Security is a secondary task
- Learning by doing
- Fun and engaging
- Better strategies

10 Anti-Phishing Phil
- Online game: http://cups.cs.cmu.edu/antiphishing_phil/
- Teaches people how to protect themselves from phishing attacks
  - Identify phishing URLs
  - Use web browser cues
  - Find legitimate sites with search engines


17 More about the game
- Four rounds
- Two minutes in each round
- Increasing difficulty
- Eight URL “worms” in each round
- Four phishing and four legitimate URLs
- Users must correctly identify 6 out of 8 URLs to advance
- In-between round tutorials

18 User Study
- Test participants’ ability to identify phishing web sites before and after training
- 10 URLs before training, 10 after, randomized
- Up to 15 minutes of training
- Training conditions:
  - Web-based phishing education
  - Tutorial
  - Game
- 14 participants in each condition
- Screened out security experts
- Younger, college students


21 Results
- No significant difference in false negatives among the three groups
- Game group had fewest false positives

22 The effects
- Improvement could be due to
  - Learning to distinguish legitimate from phish
  - Raising suspicion about all web sites
- Learning is better than raising suspicion
  - Fewer false positives
  - Will help people more in the long run

23 Conclusions
- Used signal detection theory to measure effects
- Existing training materials increased suspicion with little learning
- Game did not raise suspicion but resulted in players learning to distinguish legitimate from phish
  - In some cases a little more suspicion would have helped
- Game condition performed best overall!
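Added example, not part of the original slides: the standard signal detection measures, sensitivity (d') and criterion (c), separate "learning" from "raised suspicion" when computed from false negative and false positive counts before and after training. The counts, the function names and the 0.2 cutoff are assumptions made for illustration, not the study's data or analysis code.

```python
from statistics import NormalDist

z = NormalDist().inv_cdf  # inverse of the standard normal CDF

def sdt_measures(hits, misses, false_alarms, correct_rejections):
    """Return (d_prime, criterion) treating "phishing site" as the signal.

    miss        = phish judged legitimate (false negative)
    false alarm = legitimate site judged phish (false positive)
    """
    # Log-linear correction: keeps both rates strictly between 0 and 1,
    # where the z-transform would otherwise be infinite.
    hit_rate = (hits + 0.5) / (hits + misses + 1)
    fa_rate = (false_alarms + 0.5) / (false_alarms + correct_rejections + 1)
    d_prime = z(hit_rate) - z(fa_rate)             # ability to tell phish from legitimate
    criterion = -0.5 * (z(hit_rate) + z(fa_rate))  # lower = quicker to say "phish"
    return d_prime, criterion

def training_effect(pre, post, threshold=0.2):
    """Label the pre-to-post change; threshold is an illustrative cutoff."""
    d_pre, c_pre = sdt_measures(*pre)
    d_post, c_post = sdt_measures(*post)
    learned = (d_post - d_pre) > threshold
    more_suspicious = (c_post - c_pre) < -threshold
    if learned and more_suspicious:
        return "learning and raised suspicion"
    if learned:
        return "learning"
    if more_suspicious:
        return "raised suspicion"
    return "no clear change"

# Constructed counts (hits, misses, false alarms, correct rejections) over
# 50 phishing and 50 legitimate judgments; not data from the study.
PRE = (30, 20, 10, 40)
POST_SUSPICION = (40, 10, 20, 30)  # more phish caught, but more legitimate sites flagged
POST_LEARNING = (36, 14, 5, 45)    # more phish caught and fewer legitimate sites flagged

if __name__ == "__main__":
    for name, post in [("suspicion", POST_SUSPICION), ("learning", POST_LEARNING)]:
        print(name, sdt_measures(*post), training_effect(PRE, post))
```

In the first constructed outcome d' is unchanged and only the criterion moves, so the drop in false negatives is paid for with false positives; in the second, d' rises while the criterion stays roughly where it was.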

24 Acknowledgements
- Members of Supporting Trust Decision research group
- Members of CUPS lab

25 Play Anti-Phishing Phil: http://cups.cs.cmu.edu/antiphishing_phil/

26 Falling for Phishing

27 Misidentifying Legitimate Sites

28 Lessons Learned
- Pilot test
  - Users are able to identify phishing
  - But they misidentify real ones
- Users tend to get the specifics, but not the underlying concepts
  - Conceptual – procedural knowledge
- Users didn’t ask the father for help much

