Published 2024-10-20
Keywords
- Simulated phishing attacks
- User education
- User awareness
Copyright (c) 2024 Hrvoje Janeš, Krunoslav Bilić, Mario Grgić
This work is licensed under a Creative Commons Attribution 4.0 International License.
Abstract
As the digital environment grows in importance and awareness of information system security increases, threats involving the theft of information and data, phishing attacks among them, continue to rise. This paper outlines a framework for end-user training based on simulated phishing attacks. The introductory section gives an overview of threats to information system security and highlights the central role of user education in preventing the majority of malicious attacks. According to data from the National CERT (a body within the Croatian Academic and Research Network, CARNET), phishing accounted for 65.6% of recorded security incidents in 2023. There is therefore a pressing need for new educational methods, among which simulated phishing attacks stand out as a key tool for raising awareness of user and data security.
The second section describes the research methodology: definition of research objectives, selection of participants, and design of the simulated phishing attacks, which may be run as announced or unannounced simulations. It examines the practical aspects of conducting simulated attacks, including scenario development, selection of target users, and assessment of training effectiveness, and considers different approaches to evaluating training outcomes, analyzing feedback, and comparing the results achieved against the intended goals.
Using both quantitative and qualitative analysis of the collected data, the study investigates the effect of simulated phishing attacks on user awareness and security. Particular attention is paid to the results of simulations run before and after user training sessions; the comparison is expected to show a clear difference in users' readiness to recognize and respond to genuine security incidents. The study also examines how other factors influence the effectiveness of the training program.
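As an added illustration of the quantitative part of this methodology (example code, not from the paper or its authors): a script that takes the kind of event log a phishing-simulation platform exports, here a constructed sample, computes per-campaign click, credential-submission and report rates, and tests whether the drop in click rate between the pre-training and post-training campaigns is statistically significant. The event names, campaign labels and sample counts are assumptions made for the example.

```python
"""Scoring announced/unannounced phishing simulations before and after training.

Added example, not code from the paper: it reads a (constructed) event log of
the kind a simulation platform exports and computes per-campaign click,
credential-submission and report rates, then tests whether the pre/post
click-rate change is statistically significant with a two-proportion z-test.
"""
import math
from collections import defaultdict
from dataclasses import dataclass


def _make_events(campaign, n_users, clicked, submitted, reported):
    """Build a constructed event log for one campaign (sample data, not real).

    Users 0..clicked-1 click, 0..submitted-1 also submit credentials, and the
    last `reported` users report the mail. Each row is (campaign, user, event).
    """
    rows = []
    for i in range(n_users):
        uid = f"u{i:02d}"
        rows.append((campaign, uid, "sent"))
        if i < clicked:
            rows.append((campaign, uid, "clicked"))
        if i < submitted:
            rows.append((campaign, uid, "submitted"))
        if i >= n_users - reported:
            rows.append((campaign, uid, "reported"))
    return rows


# Constructed sample: an unannounced baseline run ("pre") and a second run
# after training ("post"), plus two quirks real exports contain: a user who
# clicked twice, and a user who reached the landing page (credentials
# submitted) without a "clicked" row being logged.
SAMPLE_EVENTS = (
    _make_events("pre", n_users=40, clicked=15, submitted=6, reported=4)
    + [("pre", "u03", "clicked"), ("pre", "u20", "submitted")]
    + _make_events("post", n_users=40, clicked=5, submitted=1, reported=14)
)


@dataclass(frozen=True)
class CampaignStats:
    campaign: str
    sent: int        # distinct users the lure was delivered to
    clicked: int     # distinct users who clicked or submitted
    submitted: int   # distinct users who entered credentials
    reported: int    # distinct users who reported the mail

    def rate(self, field):
        if self.sent == 0:
            raise ValueError(f"{self.campaign}: no recipients, rates undefined")
        return getattr(self, field) / self.sent


def summarize(events):
    """Per-campaign counts of distinct users per outcome (duplicates collapse)."""
    users = defaultdict(lambda: defaultdict(set))
    for campaign, user, event in events:
        users[campaign][event].add(user)
    stats = {}
    for campaign, by_event in users.items():
        # Credential submission implies a click even if the click was not logged.
        clicked = by_event["clicked"] | by_event["submitted"]
        stats[campaign] = CampaignStats(
            campaign=campaign,
            sent=len(by_event["sent"]),
            clicked=len(clicked),
            submitted=len(by_event["submitted"]),
            reported=len(by_event["reported"]),
        )
    return stats


def two_proportion_z(x1, n1, x2, n2):
    """Pooled two-proportion z-test; returns (z, two-sided p-value)."""
    if min(n1, n2) == 0:
        raise ValueError("empty campaign")
    p1, p2 = x1 / n1, x2 / n2
    pooled = (x1 + x2) / (n1 + n2)
    se = math.sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
    if se == 0:  # every user, or no user, hit in both campaigns
        raise ValueError("no variance: rates are 0 or 1 in both campaigns")
    z = (p1 - p2) / se
    p_value = math.erfc(abs(z) / math.sqrt(2))  # two-sided, normal approximation
    return z, p_value


def compare(before, after, alpha=0.05):
    """Pre/post deltas for each rate plus significance of the click-rate change."""
    z, p_value = two_proportion_z(before.clicked, before.sent, after.clicked, after.sent)
    return {
        "click_rate_delta": after.rate("clicked") - before.rate("clicked"),
        "submit_rate_delta": after.rate("submitted") - before.rate("submitted"),
        "report_rate_delta": after.rate("reported") - before.rate("reported"),
        "z": z,
        "p_value": p_value,
        "significant": p_value < alpha,
    }


if __name__ == "__main__":
    stats = summarize(SAMPLE_EVENTS)
    for s in stats.values():
        print(f"{s.campaign}: sent={s.sent} click={s.rate('clicked'):.1%} "
              f"submit={s.rate('submitted'):.1%} report={s.rate('reported'):.1%}")
    print(compare(stats["pre"], stats["post"]))
```

Two caveats a practitioner should keep in mind when reusing this: the pooled z-test treats the two campaigns as independent samples, so if the same users receive both the pre- and post-training lure, a paired test on per-user outcomes (e.g. McNemar's test) is the stronger design; and the normal approximation is only reasonable when each campaign has at least a handful of expected clicks and non-clicks, which small pilot groups often do not. The report rate is worth tracking alongside the click rate, since a rising report rate is the outcome that actually shortens incident response for real phishing.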
The concluding section summarizes the main findings of the study and explains their relevance to reducing security incidents caused by phishing attacks. It stresses the need to continually improve user education and to use innovative educational methods such as simulated phishing attacks. Integrating simulated attacks into educational programs and corporate security strategies makes a more secure online environment, and better protection of users from potential threats, achievable. Finally, recommendations for further research and for practical application of simulated phishing attacks are given, with the overall aim of continuously improving information system security.
References
- Alabdan, R. (2020). Phishing attacks survey: Types, vectors, and technical approaches. Future Internet, 12(10), 168. https://doi.org/10.3390/fi12100168
- Alsharnouby, M., Alaca, F. & Chiasson, S. (2015). Why phishing still works: User strategies for combating phishing attacks. International Journal of Human-Computer Studies, 82, 69-82. https://doi.org/10.1016/j.ijhcs.2015.05.005
- Andric, J., Oreski, D., & Kisasondi, T. (2016). Analysis of phishing attacks against students. In 2016 39th International Convention on Information and Communication Technology, Electronics and Microelectronics (MIPRO). https://doi.org/10.1109/mipro.2016.7522363
- Babbie, E. (2013). The Practice of Social Research (13th ed.). Wadsworth, Cengage Learning.
- CERT.hr. (2024, April). Statistika računalno-sigurnosnih incidenata. https://www.cert.hr/statistika/
- Chatchalermpun, S., & Daengsi, T. (2021). Improving cybersecurity awareness using phishing attack simulation. IOP Conference Series: Materials Science and Engineering, 1088(1), 012015. https://doi.org/10.1088/1757-899x/1088/1/012015
- Chiew, K. L., Yong, K. S. C., & Tan, C. L. (2018). A survey of phishing attacks: Their types, vectors and technical approaches. Expert Systems with Applications, 106, 1-20. https://doi.org/10.1016/j.eswa.2018.03.050
- Hong, J. (2012). The state of phishing attacks. Communications of the ACM, 55(1), 74-81.
- Jakobsson, M., & Ratkiewicz, J. (2006). Designing ethical phishing experiments: A study of (ROT13) rOnl query features. In Proceedings of the 15th International Conference on World Wide Web (WWW '06). ACM. https://doi.org/10.1145/1135777.1135853
- Jakobsson, M. & Myers, S. (2007). Phishing and countermeasures: Understanding the increasing problem of electronic identity theft. John Wiley & Sons.
- Kumaraguru, P., Sheng, S., Acquisti, A., Cranor, L. F. & Hong, J. (2010). Teaching Johnny not to fall for phish. ACM Transactions on Internet Technology (TOIT), 10(2), 1–31. https://doi.org/10.1145/1754393.1754396
- Puhakainen, P., & Siponen, M. (2010). Improving employees' compliance through information systems security training: An action research study. MIS Quarterly, 34(4), 757–778. https://doi.org/10.2307/25750704
- Purkait, S. (2012). Phishing counter measures and their effectiveness – literature review. Information Management & Computer Security, 20(5), 382–420. https://doi.org/10.1108/09685221211286548
- Resnik, D. B. (2018). The Ethics of Research with Human Subjects: Protecting People, Advancing Science, Promoting Trust. Springer.
- Sheng, S., Holbrook, M., Kumaraguru, P., Cranor, L. F., & Downs, J. (2010). Who falls for phish? A demographic analysis of phishing susceptibility and effectiveness of interventions. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (pp. 373–382). https://doi.org/10.1145/1753326.1753383
- Sieber, J. E. (1992). Planning ethically responsible research: A guide for students and internal review boards. Sage Publications, Inc.
- Steyn, T., Kruger, H. A., & Drevin, L. (2007). Identity theft: Empirical evidence from a phishing exercise. In New Approaches for Security, Privacy and Trust in Complex Environments, IFIP International Federation for Information Processing, Vol. 232 (pp. 193–203). Springer. https://doi.org/10.1007/978-0-387-72367-9_17
- Digital Guardian. (2023, February). What is spear-phishing? Defining and differentiating spear-phishing from phishing. https://www.digitalguardian.com/blog/what-spear-phishing-defining-and-differentiating-spear-phishing-phishing