Similar literature
Found 20 similar documents; search took 31 ms
1.
Phishing is an online identity theft that aims to steal sensitive information such as username, password and online banking details from its victims. Phishing education needs to be considered as a means to combat this threat. This paper reports on a design and development of a mobile game prototype as an educational tool helping computer users to protect themselves against phishing attacks. The elements of a game design framework for avoiding phishing attacks were used to address the game design issues. Our mobile game design aimed to enhance the users' avoidance behaviour through motivation to protect themselves against phishing threats. A think-aloud study was conducted, along with a pre- and post-test, to assess the game design framework through the developed mobile game prototype. The study results showed a significant improvement of participants' phishing avoidance behaviour in their post-test assessment. Furthermore, the study findings suggest that participants' threat perception, safeguard effectiveness, self-efficacy, perceived severity and perceived susceptibility elements positively impact threat avoidance behaviour, whereas safeguard cost had a negative impact on it.

2.
Game based education is becoming more and more popular. This is because game based education provides an opportunity for learning in a natural environment. Phishing is an online identity theft, which attempts to steal sensitive information such as username, password, and online banking details from its victims. To prevent this, phishing awareness needs to be considered. This research aims to develop a game design framework, which enhances user avoidance behaviour through motivation to protect users from phishing attacks. In order to do this, a theoretical model derived from Technology Threat Avoidance Theory (TTAT) was developed and used in the game design framework (Liang & Xue, 2010). A survey study was undertaken with 150 regular computer users to elicit feedback through a questionnaire. The study findings revealed that perceived threat, safeguard effectiveness, safeguard cost, self-efficacy, perceived severity, and perceived susceptibility elements should be addressed in the game design framework for computer users to avoid phishing attacks. Furthermore, we argue that this game design framework can be used not only for preventing phishing attacks but also for preventing other malicious IT attacks such as viruses, malware, botnets and spyware.

3.
In the era of electronic and mobile commerce, massive numbers of financial transactions are conducted online on a daily basis, which has created potential fraudulent opportunities. A common fraudulent activity that involves creating a replica of a trustful website to deceive users and illegally obtain their credentials is website phishing. Website phishing is a serious online fraud, costing banks, online users, governments, and other organisations severe financial damages. One conventional approach to combat phishing is to raise awareness and educate novice users on the different tactics utilised by phishers by conducting periodic training or workshops. However, this approach has been criticised for not being cost effective, as phishing tactics are constantly changing; besides, it may require high operational cost. Another anti-phishing approach is to legislate or amend existing cyber security laws that persecute online fraudsters without minimising its severity. A more promising anti-phishing approach is to prevent phishing attacks using intelligent machine learning (ML) technology. Using this technology, a classification system is integrated in the browser in which it will detect phishing activities and communicate these with the end user. This paper reviews and critically analyses legal, training, educational and intelligent anti-phishing approaches. More importantly, ways to combat phishing by intelligent and conventional approaches are highlighted, besides revealing these approaches' differences, similarities and positive and negative aspects from the user and performance perspective. Different stakeholders such as computer security experts, researchers in web security as well as business owners may likely benefit from this review on website phishing.

4.
Fraudulent activity on the Internet, in particular the practice known as ‘Phishing’, is on the increase. Although a number of technology focussed counter measures have been explored, user behaviour remains fundamental to increased online security. Encouraging users to engage in secure online behaviour is difficult with a number of different barriers to change. Guided by a model adapted from health psychology this paper reports on a study designed to encourage secure behaviour online. The study aimed to investigate the effects of education via a training program and the effects of risk level manipulation on subsequent self-reported behaviour online. The training program ‘Anti-Phishing Phil’ informed users of the common types of phishing threats and how to identify them whilst the risk level manipulation randomly allocated participants to either high risk or low risk of becoming a victim of online fraud. Sixty-four participants took part in the study, which comprised of 9 males and 55 females with an age range of 18–43 years. Participants were randomly allocated to one of four experimental groups. High threat information and/or the provision of phishing education were expected to increase self-reports of secure behaviour. Secure behaviour was measured at three stages, a baseline measure stage, an intention measure stage, and a 7-day follow-up measure stage. The results showed that offering a seemingly tailored risk message increased users’ intentions to act in a secure manner online regardless of whether the risk message indicated they were at high or low risk of fraud. There was no effect of the training programme on secure behaviour in general. The findings are discussed in relation to the model of behaviour change, information provision and the transferability of training.

5.
While the widespread acceptance of social virtual worlds has been increasing in the last years, little is known about how students’ personal factors can affect their engagement in online learning courses. The current study proposed and empirically examined a conceptual model that aimed to fill this gap. The main purpose is to present extensive empirical data of 305 novice or expert students (153 graduates and 152 postgraduates) who enrolled in online courses at university level which were held in Second Life. On this occasion, the study sought to investigate, measure and finally verify the effects of computer self-efficacy, metacognitive self-regulation and self-esteem that can predict the students’ engagement as an overall multidimensional construct of factors (cognitive, emotional and behavioral). The results from the three-step hierarchical regression analysis revealed that computer self-efficacy, metacognitive self-regulation, and self-esteem in online courses were not only positively correlated with student’s cognitive and emotional engagement factors, but were also negatively correlated with behavioral factors. Educational implications from these results can provide a more expedient and meritorious instructional quality format aimed at reinforcing users’ engagement in Second Life for sequencing and pacing future-driven online courses.

6.
Phishing is a fraudulent scheme to steal a user’s personal and confidential information by masking as a trustworthy entity in electronic commerce. Phishers lure online users to visit their fake webpages and capture the user’s sensitive financial information. The current anti-phishing technique focuses on determining the legitimacy of the webpages that the user visits, and it alerts users with a phishing label when a webpage is found to have suspicious activity. Most of the time, however, these warnings are ignored by the users as there is no significant information present in the alerts except for the phishing label. The method proposed in this paper addresses the aforementioned lacunae by generating a coherent and complete explanation in the natural language text for the anti-phishing system’s decision. The explanation includes the phishing label along with information to establish why such a decision has been taken. This would, in turn, contribute to the user’s enhanced understanding of the threat and also strengthen the user’s trust in the system. It is quite evident from the pilot evaluation, which involved 50 users, that the proposed methodology significantly improves the user’s understanding of the phishing label and strengthens their trust in the system.

7.
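With the rapid development of Internet applications in China, the number of phishing attacks is also increasing rapidly, causing great economic losses to China's Internet users and enterprises and seriously hindering the healthy development of online finance and e-commerce applications. In the face of increasingly rampant phishing, relying only on strengthening Internet users' awareness of active prevention to avoid "phishing" is far from enough. Based on an analysis of phishing deception tricks and the techniques for defeating them, this paper focuses on several recommendations for Internet application enterprises, in order to strengthen their ...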

8.
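Phishing is a form of online identity theft. In recent years, phishing has become the mainstream form of online identity theft. To prevent phishing, the most important thing is to enable users to tell genuine websites from fake ones. This paper proposes a technique that lets users effectively identify whether a website is genuine: when a user needs to verify a website, the user first enters a private number, which is uploaded to the server; the server then returns a set of unique anti-phishing codes associated with that private number, and on seeing these codes the user knows whether the website is genuine or fake. Because the anti-phishing codes vary with the private number given by the user, they are hard for a phisher to forge, and this method can effectively guard against phishing websites.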

9.
Although computer security technologies are the first line of defense to secure users, their success is dependent on individuals’ behavior. It is therefore necessary to persuade users to practice good computer security. This interview analysis of users’ conceptualization of security password guessing attacks, antivirus protection, and mobile online privacy shows that poor understanding of security threats influences users’ motivation and ability to practice safe behaviors. An online interactive comic series called Secure Comics was designed and developed based on instructional design principles to address this problem. An eye-tracking experiment suggests that the graphical and interactive components of the comics direct users’ attention and facilitate comprehension of the information. In the evaluations of Secure Comics, results from several user studies show that the comics improve understanding and motivate positive changes in security management behavior. The implication of the findings to better understand the role of instructional design and persuasion in education technology are discussed.

10.
11.
Internet has become an essential component of our everyday social and financial activities. Nevertheless, internet users may be vulnerable to different types of web threats, which may cause financial damages, identity theft, loss of private information, brand reputation damage and loss of customer’s confidence in e-commerce and online banking. Phishing is considered as a form of web threats that is defined as the art of impersonating a website of an honest enterprise aiming to obtain confidential information such as usernames, passwords and social security number. So far, there is no single solution that can capture every phishing attack. In this article, we proposed an intelligent model for predicting phishing attacks based on artificial neural network particularly self-structuring neural networks. Phishing is a continuous problem where features significant in determining the type of web pages are constantly changing. Thus, we need to constantly improve the network structure in order to cope with these changes. Our model solves this problem by automating the process of structuring the network and shows high acceptance for noisy data, fault tolerance and high prediction accuracy. Several experiments were conducted in our research, and the number of epochs differs in each experiment. From the results, we find that all produced structures have high generalization ability.

12.
Online knowledge community administrators are attempting to encourage their users to contribute knowledge in order to provide value to members and maintain sustainability. A large number of online knowledge communities fail mainly due to the reluctance of users to return the favor and share knowledge. Many studies on this topic have highlighted the importance of reciprocity for knowledge contribution which forms a virtuous feedback loop for the community sustainability. However, it is unclear how reciprocity is developed and what influences its development. Motivated by this, this study focuses on investigating the antecedents of knowledge receivers’ reciprocity in online knowledge communities. It formulates and tests a theoretical model to explain reciprocity behavior of community members based on equity theory and Social Identity explanation of De-individuation Effects (SIDE) model. Our proposed model is validated through a large-scale survey in an online forum for English learning. Results reveal that indebtedness and community norm not only are key antecedents of intention to reciprocate but are also positively related to each other. The perceived anonymity of the online knowledge community not only has a positive effect on intention to reciprocate, but also has an interactive effect with community norm on intention to reciprocate. Theoretical and practical implications of this study are discussed.

13.
Website phishing is considered one of the crucial security challenges for the online community due to the massive numbers of online transactions performed on a daily basis. Website phishing can be described as mimicking a trusted website to obtain sensitive information from online users such as usernames and passwords. Black lists, white lists and the utilisation of search methods are examples of solutions to minimise the risk of this problem. One intelligent approach based on data mining called Associative Classification (AC) seems a potential solution that may effectively detect phishing websites with high accuracy. According to experimental studies, AC often extracts classifiers containing simple “If-Then” rules with a high degree of predictive accuracy. In this paper, we investigate the problem of website phishing using a developed AC method called Multi-label Classifier based Associative Classification (MCAC) to seek its applicability to the phishing problem. We also want to identify features that distinguish phishing websites from legitimate ones. In addition, we survey intelligent approaches used to handle the phishing problem. Experimental results using real data collected from different sources show that AC, particularly MCAC, detects phishing websites with higher accuracy than other intelligent algorithms. Further, MCAC generates new hidden knowledge (rules) that other algorithms are unable to find and this has improved its classifiers’ predictive performance.

14.
Phishing is a method of stealing electronic identity in which social engineering and website forging methods are used in order to mislead users and reveal confidential information having economic value. Destroying the trust between users in business network, phishing has a negative effect on the budding area of e-commerce. Developing countries such as Iran have been recently facing Internet threats like phishing, whose methods, regarding the social differences, may be different from other experiences. Thus, it is necessary to design a suitable detection method for these deceits. The aim of the current paper is to provide a phishing detection system to be used in the e-banking system in Iran. Identifying the outstanding features of phishing is one of the important prerequisites in the design of an accurate system; therefore, in the first step, to identify the influential features of phishing that best fit the Iranian bank sites, a list of 28 phishing indicators was prepared. Using a feature selection algorithm based on rough sets theory, six main indicators were identified as the most effective factors. The fuzzy expert system was designed using these indicators, afterwards. The results show that the proposed system is able to determine the Iranian phishing sites with a reasonable speed and precision, having an accuracy of 88%.

15.
This study examines the different types of supportive messages posted on a forum at online Healthcare communities (OHCs), which facilitate user self-efficacy and response-efficacy and an issue of how such informational messages encourage users to enhance their health resilience via goal-setting for health improvement. We theorize that self-efficacy-oriented messages affect helpfulness, focusing on the efficiency of the implementation, while response-efficacy-oriented messages influence the relationships among helpfulness, goal-settings, and health resilience based on the outcome expectancy. Using a computer assisted approach which allows for the directed content analysis, we test a conceptual model with the text-data collected from an OHC.

16.
Despite the several advantages commonly attributed to social networks such as easiness and immediacy to communicate with acquaintances and friends, significant privacy threats provoked by inexperienced or even irresponsible users recklessly publishing sensitive material are also noticeable. Yet, a different, but equally significant privacy risk might arise from social networks profiling the online activity of their users based on the timestamp of the interactions between the former and the latter. In order to thwart this last type of commonly neglected attacks, this paper proposes an optimized deferral mechanism for messages in online social networks. Such a solution suggests intelligently delaying certain messages posted by end users in social networks in a way that the observed online activity profile generated by the attacker does not reveal any time-based sensitive information, while preserving the usability of the system. Experimental results as well as a proposed architecture implementing this approach demonstrate the suitability and feasibility of our mechanism.

17.
Cryptologia, 2012, 36(1): 53-67
We present an observational study on the relationship between demographic factors and phishing susceptibility at the University of Maryland, Baltimore County (UMBC). In spring 2018, we delivered phishing attacks to 450 randomly selected students on three different days (1,350 students total) to examine user click rates and demographics among UMBC’s undergraduates. Participants were initially unaware of the study. We deployed the billing problem, contest winner, and expiration date phishing tactics. Experiment 1 impersonated banking authorities; Experiment 2 enticed users with monetary rewards; and Experiment 3 threatened users with account cancelation. We found correlations resulting in lowered susceptibility based on college affiliation, academic year progression, cyber training, involvement in cyber clubs or cyber scholarship programs, time spent on the computer, and age demographics. We found no significant correlation between gender and susceptibility. Contrary to our expectations, we observed a reverse correlation between phishing awareness and student resistance to clicking. Students who identified themselves as understanding the definition of phishing had a higher susceptibility rate than did their peers who were merely aware of phishing attacks, with both groups having a higher susceptibility rate than those with no knowledge whatsoever. Approximately 70% of survey respondents who opened a phishing email clicked on it, with 60% of students having clicked overall.

18.
19.
Explanation prompts usually foster conceptual understanding. However, it has been claimed within cognitive load theory that prompts can take cognitive load to the upper limit when learning complex contents. Under such circumstances, prompts focusing the learners’ attention on specific aspects (e.g., conceptual aspects such as elaborations on domain principles) might have some costs: Other important aspects (e.g., procedural aspects such as how to calculate) cannot be processed deeply. Thus, we expected that conceptually-oriented explanation prompts would foster the detailedness of explanations, the number of elaborations on domain principles, and conceptual knowledge. In addition, we tested the influence of such prompts on the number of calculations performed during learning and procedural knowledge. We conducted an experiment in which we employed conceptually-oriented explanation prompts in a complex e-learning module on tax law. Tax law university students (N = 40) worked on this e-learning module under two conditions: (a) conceptually-oriented explanation prompts, (b) no prompts. The prompts led to double-edged effects: positive effects on the detailedness of explanations and on the number of elaborations on domain principles, as well as on conceptual knowledge and simultaneously negative effects on the number of calculations performed during learning as well as on procedural knowledge.

20.
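Personalized recommendation is becoming the basic form of information network services in the era of "Internet+" and "big data". Although it has generated enormous commercial value through wide application in e-commerce and social media, research and applications remain relatively scarce in the field of personalized knowledge learning, which has great potential social value. This study proposes a personalized knowledge recommendation method based on constructivist learning theory: the constructive recommendation model. The new model first represents the knowledge system in the form of a knowledge network, then introduces a nearest-neighbor-first strategy for selecting candidate knowledge and a top-K recommendation algorithm for unlearned knowledge based on maximum learnable support first. The constructive recommendation model mines users' knowledge needs through the knowledge-association structure of the knowledge network and recommends the new knowledge with the greatest constructive learning value. Experimental analysis using the learning of a diet and health knowledge system as an example shows that the personalized knowledge sequences recommended by the new model under various conditions have strong knowledge relatedness and high coverage of the knowledge system.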
