Understanding practitioners’ challenges and requirements in the design, implementation, and evaluation of anti-phishing interventions
Orvila Sarker, Asangi Jayatilaka, Sherif Haggag, Chelsea Liu, M. Ali Babar
Journal of Systems and Software, Volume 225, Article 112356 (Journal Article). Published 2025-02-13. DOI: 10.1016/j.jss.2025.112356
https://www.sciencedirect.com/science/article/pii/S016412122500024X
Citations: 0
Abstract
Background:
Research shows that the ineffectiveness of anti-phishing interventions can result from practitioners’ failure to consider end-users’ requirements in the intervention design, implementation, and evaluation. To assist practitioners in addressing usability issues, we reported 41 guidelines through a systematic Multi-vocal Literature Review (MLR). The usefulness of these guidelines in real-world scenarios remains uncertain until the involved challenges and requirements to implement them are investigated.
Objective:
(1) To investigate practitioners’ challenges in the design, implementation, and evaluation of phishing interventions in real-world settings; (2) to understand practitioners’ perspectives on our guidelines and how they can be made easily accessible to the practitioners.
Method:
We interviewed 18 practitioners (intervention designers, security practitioners, and C-suite employees) from 18 organizations in 6 countries.
Results:
(1) We identify 8 challenges in training content design, anti-phishing datasets, post-training knowledge assessment, and so on. We compare these challenges with the challenges identified from our MLR to demonstrate the ecological validity of the challenges found in MLR and derive a set of insights to overcome them; (2) we report practitioners’ feedback on our guidelines; (3) we gather actionable features on an envisioned tool to make these guidelines easily accessible.
Conclusion:
We provide 15 recommendations to improve the anti-phishing defense in the organisations.
Journal description:
The Journal of Systems and Software publishes papers covering all aspects of software engineering and related hardware-software-systems issues. All articles should include a validation of the idea presented, e.g. through case studies, experiments, or systematic comparisons with other approaches already in practice. Topics of interest include, but are not limited to:
• Methods and tools for, and empirical studies on, software requirements, design, architecture, verification and validation, maintenance and evolution
• Agile, model-driven, service-oriented, open source and global software development
• Approaches for mobile, multiprocessing, real-time, distributed, cloud-based, dependable and virtualized systems
• Human factors and management concerns of software development
• Data management and big data issues of software systems
• Metrics and evaluation, data mining of software development resources
• Business and economic aspects of software development processes
The journal welcomes state-of-the-art surveys and reports of practical experience for all of these topics.