Deanna Caputo, The MITRE Corporation, McLean
Shari Pfleeger, I3P Dartmouth College, Washington
Jesse Freeman, MITRE Corporation, McLean
M. Eric Johnson, Dartmouth, Hanover
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MSP.2013.106
To explore the effectiveness of embedded training, we conducted a large-scale experiment that tracked workers' reactions to a series of carefully crafted spear phishing emails and to a variety of immediate training and awareness activities. Based on behavioral science findings, the experiment included four different training conditions, each of which used a different type of message framing. The results from three trials showed that framing had no significant effect on the likelihood that a participant would click on a subsequent spear phishing email, and that many either clicked on all links or none regardless of whether they received training or the kind of training received. The results suggest that embedded training was ineffective because employees failed to read the training materials. We were therefore unable to determine whether the embedded training materials created framing changes on susceptibility to spear phishing attacks. Post-experiment interviews provided ideas for improving employee security posture.
Deanna Caputo, Shari Pfleeger, Jesse Freeman, M. Eric Johnson, "Going Spear Phishing: Exploring Embedded Training and Awareness", IEEE Security & Privacy, no. 1, pp. 1, PrePrints, doi:10.1109/MSP.2013.106