Posted on 2007-01-01, 00:00. Authored by Ponnurangam Kumaraguru, Yong Rhee, Steve Sheng, Sharique Hasan, Alessandro Acquisti, Lorrie F Cranor, Jason Hong
Educational materials designed to teach users not to fall for
phishing attacks are widely available but are often ignored by
users. In this paper, we extend an embedded training methodology
using learning science principles in which phishing education is
made part of a primary task for users. The goal is to motivate
users to pay attention to the training materials. In embedded
training, users are sent simulated phishing attacks and trained after
they fall for the attacks. Prior studies tested users immediately
after training and demonstrated that embedded training improved
users’ ability to identify phishing emails and websites. In the
present study, we tested users to determine how well they retained
knowledge gained through embedded training and how well they
transferred this knowledge to identify other types of phishing
emails. We also compared the effectiveness of the same training
materials delivered via embedded training and delivered as regular
email messages. In our experiments, we found that: (a) users learn
more effectively when the training materials are presented after
users fall for the attack (embedded) than when the same training
materials are sent by email (non-embedded); (b) users retain and
transfer more knowledge after embedded training than after non-embedded
training; and (c) users with higher Cognitive Reflection
Test (CRT) scores are more likely than users with lower CRT
scores to click on the links in the phishing emails from companies
with which they have no account.
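The abstract describes the embedded-training mechanism only in outline: a simulated phishing email goes out, and the training material is shown to the user at the moment they click. The following is an added illustration of that mechanism, not code from the paper or its authors. It builds per-recipient tracking links whose tokens are HMAC-bound to the campaign and user (so a forged or guessed link cannot pollute the results), serves the training page on a verified click, records the non-embedded condition (the same material sent as an ordinary email), and computes click rates in a follow-up campaign split by how each recipient was trained, which is the kind of retention comparison the abstract reports. The campaign key, URL, training text and all names are constructed for the example.

```python
"""Minimal phishing-simulation harness with embedded (just-in-time) training.

Added example; not from the paper. The key, URL, training text and the
EmbeddedTrainingSim API are assumptions made for this illustration.
"""
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed key for this example; a real deployment would use a random,
# per-campaign secret kept out of the code.
CAMPAIGN_KEY = b"example-campaign-key-not-for-production"

# Constructed stand-in for the training material shown after a click.
TRAINING_PAGE = (
    "This was a simulated phishing email sent by your security team. "
    "Check the sender's address and hover over links before clicking."
)


def make_token(campaign: str, user: str, key: bytes = CAMPAIGN_KEY) -> str:
    """Per-recipient token binding (campaign, user) to the key, so a click
    can be attributed and a forged or swapped link is rejected."""
    return hmac.new(key, f"{campaign}:{user}".encode(), hashlib.sha256).hexdigest()


def tracking_link(base_url: str, campaign: str, user: str, key: bytes = CAMPAIGN_KEY) -> str:
    query = urlencode({"c": campaign, "u": user, "t": make_token(campaign, user, key)})
    return f"{base_url}?{query}"


class EmbeddedTrainingSim:
    def __init__(self, key: bytes = CAMPAIGN_KEY, base_url: str = "https://training.example/land"):
        self.key = key
        self.base_url = base_url
        self.sent = {}               # campaign -> set of recipients
        self.clicked = {}            # campaign -> set of recipients who clicked
        self.trained_by_email = set()  # non-embedded condition

    def send_simulated_phish(self, campaign: str, user: str) -> dict:
        """Embedded condition: the lure carries a tracked link for this user."""
        self.sent.setdefault(campaign, set()).add(user)
        link = tracking_link(self.base_url, campaign, user, self.key)
        return {"to": user, "subject": "Action required: verify your account",
                "link": link, "body": f"Please confirm your details at {link}"}

    def send_training_email(self, user: str) -> dict:
        """Non-embedded condition: same material, delivered as a plain email."""
        self.trained_by_email.add(user)
        return {"to": user, "subject": "Security tips", "body": TRAINING_PAGE}

    def handle_click(self, url: str) -> tuple:
        """Landing-page handler: verify the token, record the fall, serve training."""
        q = parse_qs(urlparse(url).query)
        try:
            campaign, user, token = q["c"][0], q["u"][0], q["t"][0]
        except KeyError:
            return 400, "bad request"
        expected = make_token(campaign, user, self.key)
        # Constant-time comparison: the token is the only thing standing
        # between an outsider and a fake "click" in the results.
        if not hmac.compare_digest(expected, token):
            return 403, "invalid token"
        if user not in self.sent.get(campaign, set()):
            return 403, "not a recipient of this campaign"
        self.clicked.setdefault(campaign, set()).add(user)
        return 200, TRAINING_PAGE

    def fell_for(self, campaign: str, user: str) -> bool:
        return user in self.clicked.get(campaign, set())

    def click_rate(self, campaign: str) -> float:
        recipients = self.sent.get(campaign, set())
        if not recipients:
            return 0.0
        return len(self.clicked.get(campaign, set())) / len(recipients)

    def group_click_rates(self, test_campaign: str, train_campaign: str) -> dict:
        """Click rate in a follow-up campaign, split by how each recipient was
        trained: embedded (fell for the earlier lure and saw the training page),
        non-embedded (received the training by email), or untrained."""
        groups = {"embedded": set(), "non_embedded": set(), "untrained": set()}
        for user in self.sent.get(test_campaign, set()):
            if self.fell_for(train_campaign, user):
                groups["embedded"].add(user)
            elif user in self.trained_by_email:
                groups["non_embedded"].add(user)
            else:
                groups["untrained"].add(user)
        clicked = self.clicked.get(test_campaign, set())
        return {g: (len(u & clicked) / len(u) if u else None) for g, u in groups.items()}
```

The token check matters in practice: without it, any recipient who forwards the lure, or any scanner that follows links, can be recorded as having "fallen for" the email under someone else's name, and the retention numbers become meaningless. Automated link-following by mail gateways is a separate problem this sketch does not address.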