Application of simulated phishing attacks for user training
Hrvoje Janeš
University of Applied Sciences Velika Gorica
Krunoslav Bilić
University of Applied Sciences Velika Gorica
Mario Grgić
University of Applied Sciences Velika Gorica
Keywords: Simulated phishing attacks, User education, User awareness
Abstract
As information systems become ever more central to daily life and awareness of their security grows, threats involving information and data theft, including phishing attacks, continue to increase. This paper outlines a framework for training end users with simulated phishing attacks. The introductory section gives an overview of the threats to information system security and stresses the central role of user education in preventing most malicious attacks. According to data from the National CERT (an entity within the Croatian Academic and Research Network), phishing attacks accounted for 65.6% of security incidents in 2023. There is therefore a pressing need for new educational methods, among which simulated phishing attacks stand out as a key tool for raising awareness of user and data security.
The second section describes the research methodology: defining the research objectives, selecting participants, and designing the simulated phishing attacks, which may be run as announced or unannounced simulations. It examines the practical aspects of conducting such attacks, such as scenario development, selection of target users, and assessment of training effectiveness, and explores different approaches to evaluating training outcomes, analyzing feedback, and comparing the results achieved with the intended goals.
Using both quantitative and qualitative analysis of the collected data, the study investigates the effect of simulated phishing attacks on user awareness and security. Particular emphasis is placed on comparing the outcomes of phishing simulations conducted before and after user training sessions. These findings are expected to show a clear relationship between the training and users' preparedness to recognize and respond to genuine security incidents. The study also examines how various factors influence the effectiveness of the training program.
The concluding section summarizes the principal findings of the study and explains their significance for reducing security incidents caused by phishing attacks. It stresses the need to continually improve user education and to use innovative teaching methods such as simulated phishing attacks. By integrating simulated attacks into educational initiatives and corporate strategies, organizations can create a more secure online environment and better protect users from potential threats. Finally, recommendations for further research and practical applications of simulated phishing attacks are outlined, with the overall aim of continuously improving information system security.
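The pre-/post-training comparison described above, as an added worked example that is not part of the paper: it computes click and report rates per campaign phase, breaks the click rate down by department (one of the "various factors"), and, because the same users are measured twice, applies an exact McNemar test on the discordant pairs. The records, departments and outcomes are constructed sample data, not the study's results.

```python
"""Evaluate a simulated-phishing programme from per-user campaign outcomes.
Record = (user, department, phase, action); phase is "pre" or "post" (before /
after the training session); action is "clicked", "reported" or "ignored"."""
from collections import Counter, defaultdict
from math import comb

# Constructed sample data for ten users (hypothetical, not from the paper).
SAMPLE_RESULTS = [
    ("u01", "finance", "pre", "clicked"), ("u01", "finance", "post", "reported"),
    ("u02", "finance", "pre", "clicked"), ("u02", "finance", "post", "clicked"),
    ("u03", "finance", "pre", "clicked"), ("u03", "finance", "post", "reported"),
    ("u04", "finance", "pre", "clicked"), ("u04", "finance", "post", "reported"),
    ("u05", "finance", "pre", "clicked"), ("u05", "finance", "post", "ignored"),
    ("u06", "it", "pre", "clicked"), ("u06", "it", "post", "ignored"),
    ("u07", "it", "pre", "reported"), ("u07", "it", "post", "reported"),
    ("u08", "it", "pre", "ignored"), ("u08", "it", "post", "reported"),
    ("u09", "it", "pre", "ignored"), ("u09", "it", "post", "clicked"),
    ("u10", "it", "pre", "ignored"), ("u10", "it", "post", "ignored"),
]

def phase_rates(records, phase):
    """Click rate and report rate for one campaign phase."""
    actions = Counter(r[3] for r in records if r[2] == phase)
    n = sum(actions.values())
    return {"n": n, "click_rate": actions["clicked"] / n,
            "report_rate": actions["reported"] / n}

def rates_by_department(records, phase):
    """Click rate per department, to see which groups need more attention."""
    clicked, total = Counter(), Counter()
    for _, dept, ph, action in records:
        if ph == phase:
            total[dept] += 1
            clicked[dept] += action == "clicked"
    return {d: clicked[d] / total[d] for d in total}

def paired_click_change(records):
    """Exact McNemar test on paired pre/post outcomes of the same users.
    b = clicked pre but not post, c = clicked post but not pre.
    Returns (b, c, two-sided p-value) under H0 that training changed nothing."""
    clicked = defaultdict(set)
    for user, _, phase, action in records:
        if action == "clicked":
            clicked[phase].add(user)
    b = len(clicked["pre"] - clicked["post"])
    c = len(clicked["post"] - clicked["pre"])
    n = b + c
    if n == 0:
        return b, c, 1.0
    tail = sum(comb(n, k) for k in range(min(b, c) + 1)) / 2 ** n
    return b, c, min(1.0, 2 * tail)
```

With only ten users the drop from 60% to 20% clicks is not significant (p = 0.21875), which illustrates why a campaign needs a large enough participant group before conclusions are drawn.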
References
Alabdan, R. (2020). Phishing attacks survey: Types, vectors, and technical approaches. Future Internet, 12(10), 168. https://doi.org/10.3390/fi12100168
Alsharnouby, M., Alaca, F., & Chiasson, S. (2015). Why phishing still works: User strategies for combating phishing attacks. International Journal of Human-Computer Studies, 82, 69–82. https://doi.org/10.1016/j.ijhcs.2015.05.005
Andric, J., Oreski, D., & Kisasondi, T. (2016). Analysis of phishing attacks against students. In Proceedings of MIPRO 2016. https://doi.org/10.1109/mipro.2016.7522363
Babbie, E. (2013). The practice of social research (13th ed.). Wadsworth, Cengage Learning.
CERT.hr. (2024, April). Statistika računalno-sigurnosnih incidenata [Statistics of computer security incidents]. https://www.cert.hr/statistika/
Chatchalermpun, S., & Daengsi, T. (2021). Improving cybersecurity awareness using phishing attack simulation. IOP Conference Series: Materials Science and Engineering, 1088(1), 012015. https://doi.org/10.1088/1757-899x/1088/1/012015
Chiew, K. L., Yong, K. S. C., & Tan, C. L. (2018). A survey of phishing attacks: Their types, vectors and technical approaches. Expert Systems with Applications, 106, 1–20. https://doi.org/10.1016/j.eswa.2018.03.050
Hong, J. (2012). The state of phishing attacks. Communications of the ACM, 55(1), 74–81.
Jakobsson, M., & Ratkiewicz, J. (2006). Designing ethical phishing experiments: A study of (ROT13) rOnl query features. In Proceedings of the 15th International Conference on World Wide Web (WWW '06). https://doi.org/10.1145/1135777.1135853
Jakobsson, M., & Myers, S. (2007). Phishing and countermeasures: Understanding the increasing problem of electronic identity theft. John Wiley & Sons.
Kumaraguru, P., Sheng, S., Acquisti, A., Cranor, L. F., & Hong, J. (2010). Teaching Johnny not to fall for phish. ACM Transactions on Internet Technology (TOIT), 10(2), 1–31. https://doi.org/10.1145/1754393.1754396
Puhakainen, P., & Siponen, M. (2010). Improving employees' compliance through information systems security training: An action research study. MIS Quarterly, 34(4), 757–778. https://doi.org/10.2307/25750704
Purkait, S. (2012). Phishing counter measures and their effectiveness – literature review. Information Management & Computer Security, 20(5), 382–420. https://doi.org/10.1108/09685221211286548
Resnik, D. B. (2018). The ethics of research with human subjects: Protecting people, advancing science, promoting trust. Springer.
Sheng, S., Holbrook, M., Kumaraguru, P., Cranor, L. F., & Downs, J. (2010). Who falls for phish? A demographic analysis of phishing susceptibility and effectiveness of interventions. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (pp. 373–382). https://doi.org/10.1145/1753326.1753383
Sieber, J. E. (1992). Planning ethically responsible research: A guide for students and internal review boards. Sage Publications.
Steyn, T., Kruger, H. A., & Drevin, L. (2007). Identity theft: Empirical evidence from a phishing exercise. In IFIP International Federation for Information Processing (pp. 193–203). Springer. https://doi.org/10.1007/978-0-387-72367-9_17
What is spear-phishing? Defining and differentiating spear-phishing from phishing. (2023, February). Digital Guardian. https://www.digitalguardian.com/blog/what-spear-phishing-defining-and-differentiating-spear-phishing-phishing