2024: Crisis Management Days Book of Abstracts
Security and Protection (National and International Security, Corporate and Information Security, Disaster Risk Reduction)

Application of simulated phishing attacks for user training

Hrvoje Janeš
University of Applied Sciences Velika Gorica
Krunoslav Bilić
University of Applied Sciences Velika Gorica
Mario Grgić
University of Applied Sciences Velika Gorica

Published 2024-05-20

Keywords

  • Simulated phishing attacks
  • User education
  • User awareness

Abstract

In light of the escalating significance of today's digital era and the heightened consciousness surrounding information system security, the prevalence of threats pertaining to information and data theft, as well as phishing attacks, is on the rise. This paper seeks to outline a framework for end-user training utilizing simulated phishing attacks. The introductory segment of this paper furnishes a comprehensive overview of the threats to information system security and underscores the pivotal role of user education in preventing a majority of malicious attacks. According to data from the National CERT (an entity within the Croatian Academic and Research Network), phishing attacks account for 65.6% of security incidents (based on data from 2023). Consequently, there exists a pressing imperative for innovative educational methodologies, among which the employment of simulated phishing attacks emerges as a pivotal tool for heightening awareness regarding user and data security.

The second section of the paper outlines the research methodology, beginning with the establishment of research objectives, participant selection, and the creation of simulated phishing attacks, conducted as either announced or unannounced simulations. Through a comprehensive examination of various aspects of conducting simulated attacks, such as scenario development, targeted user selection, and the assessment of training effectiveness, the study explores diverse approaches to evaluating training outcomes, analyzing feedback, and comparing achieved results with intended goals.

By employing both quantitative and qualitative analyses of the gathered data, this study investigates the implications of simulated phishing attacks on user awareness and security. Particular emphasis is placed on comparing the outcomes of phishing attack simulations conducted before and after user training sessions. These findings are anticipated to reveal a clear correlation between the training and users' preparedness to identify and address genuine security incidents. Furthermore, the study explores the influence of various factors on the efficacy of the training program.
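The before-and-after comparison described above can be reduced to a few campaign-level metrics. The following is an added illustration, not code from the authors: it uses constructed results for ten users across a pre-training and a post-training simulation (the user ids, outcomes and campaign names are assumptions), computes click, credential-submission and report rates per campaign, the relative change between them, and the users who fell for the lure both times and therefore need targeted follow-up.

```python
from collections import Counter

# Constructed sample results from two simulated phishing campaigns sent to the
# same ten users: one before ("pre") and one after ("post") the training session.
# Each row is (campaign, user, outcome); outcomes: ignored, clicked, submitted, reported.
EVENTS = [
    ("pre", "u1", "submitted"), ("pre", "u2", "submitted"), ("pre", "u3", "clicked"), ("pre", "u4", "clicked"),
    ("pre", "u5", "reported"), ("pre", "u6", "ignored"), ("pre", "u7", "ignored"), ("pre", "u8", "ignored"),
    ("pre", "u9", "ignored"), ("pre", "u10", "ignored"), ("post", "u1", "ignored"), ("post", "u2", "reported"),
    ("post", "u3", "clicked"), ("post", "u4", "reported"), ("post", "u5", "reported"), ("post", "u6", "reported"),
    ("post", "u7", "ignored"), ("post", "u8", "ignored"), ("post", "u9", "ignored"), ("post", "u10", "ignored"),
]
FAILED = {"clicked", "submitted"}  # outcomes that count as falling for the lure

def campaign_metrics(events, campaign):
    """Click, credential-submission and report rates for one campaign."""
    rows = [(u, o) for c, u, o in events if c == campaign]
    sent = len(rows)
    if sent == 0:
        raise ValueError(f"no events for campaign {campaign!r}")
    counts = Counter(o for _, o in rows)
    return {
        "sent": sent,
        "click_rate": round(sum(counts[o] for o in FAILED) / sent, 4),
        "submit_rate": round(counts["submitted"] / sent, 4),
        "report_rate": round(counts["reported"] / sent, 4),
    }

def relative_change(before, after):
    """Fractional change from before to after; None when there is no baseline."""
    return None if before == 0 else round((after - before) / before, 4)

def repeat_clickers(events, first="pre", second="post"):
    """Users who fell for the lure in both campaigns: candidates for follow-up training."""
    failed = {c: {u for cc, u, o in events if cc == c and o in FAILED} for c in (first, second)}
    return sorted(failed[first] & failed[second])

def training_effect(events):
    """Summarise how the post-training campaign compares with the pre-training one."""
    pre, post = campaign_metrics(events, "pre"), campaign_metrics(events, "post")
    return {
        "pre": pre, "post": post,
        "click_rate_change": relative_change(pre["click_rate"], post["click_rate"]),
        "report_rate_change": relative_change(pre["report_rate"], post["report_rate"]),
        "repeat_clickers": repeat_clickers(events),
    }
```

A rising report rate is as informative as a falling click rate, since it shows users are escalating suspicious mail rather than merely ignoring it; both campaigns must target the same population with lures of comparable difficulty for the comparison to hold.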

The concluding segment of this paper encapsulates the principal discoveries of the study and clarifies their significance in the realm of mitigating security incidents caused by phishing attacks. It emphasizes the imperative of continually enhancing user education and utilizing innovative educational methods, as demonstrated by simulated phishing attacks. By integrating simulated attacks into educational initiatives and corporate strategies, a more secure online environment can be created and users can be safeguarded from potential threats. Finally, recommendations for further research efforts and practical applications within the domain of simulated phishing attacks are outlined, with the overarching aim of continuously improving information system security.

References

  1. Alabdan, R. (2020). Phishing attacks survey: Types, vectors, and technical approaches. Future Internet, 12(10), 168.
  2. Chiew, K. L., Yong, K. S. C., & Tan, C. L. (2018). A survey of phishing attacks: Their types, vectors and technical approaches. Expert Systems with Applications, 106, 1-20.
  3. Nacionalni CERT (2024, April). Statistika računalno-sigurnosnih incidenata. Retrieved from https://www.cert.hr/statistika/
  4. Nacionalni CERT (2024, April). Izvještaj za 2023 godinu. Retrieved from https://www.cert.hr/wp-content/uploads/2024/03/Godisnji-izvjestaj-Nacionalnog-CERT-a-za-2023.-godinu.pdf
  5. Giandomenico, N. (2023, February). What is Spear-phishing? Defining and Differentiating Spear-phishing from Phishing. Retrieved from https://www.digitalguardian.com/blog/what-is-spear-phishing-defining-and-differentiating-spear-phishing-and-phishing
  6. Mikšić, I. (2021). Analiza kibernetičkih napada temeljenih na metodama socijalnog inženjeringa (Master's thesis). Retrieved from https://urn.nsk.hr/urn:nbn:hr:119:737968