Security Education against Phishing: A Modest Proposal for a Major Rethink
March/April 2012 (vol. 10 no. 2)
pp. 24-32
Iacovos Kirlappos, University College London
M. Angela Sasse, University College London
User education must focus on challenging and correcting the misconceptions that guide current user behavior. To date, user education on phishing has tried to persuade users to check URLs and a number of other indicators, with limited success. The authors evaluate a novel antiphishing tool in a realistic setting—participants had to buy tickets under time pressure and lost money if they bought from bad sites. Although none of the participants bought from sites the tool clearly identified as bad, 40 percent risked money with sites flagged as potentially risky but offering bargains. When tempted by a good deal, participants didn't focus on the warnings; rather, they looked for signs they thought confirmed a site's trustworthiness.

Index Terms:
Security, electronic commerce, computers and society, management of computing and information systems
Iacovos Kirlappos, M. Angela Sasse, "Security Education against Phishing: A Modest Proposal for a Major Rethink," IEEE Security & Privacy, vol. 10, no. 2, pp. 24-32, March-April 2012, doi:10.1109/MSP.2011.179