概括网络钓鱼原理:分析用户对受控刺激的响应，用于IT安全意识评估

Proceedings of the 15th International Conference on Availability, Reliability and Security Pub Date : 2020-08-25 DOI:10.1145/3407023.3409205

Arnold Sykosch, Christian Doll, Matthias Wübbeling, M. Meier

{"title":"概括网络钓鱼原理:分析用户对受控刺激的响应，用于IT安全意识评估","authors":"Arnold Sykosch, Christian Doll, Matthias Wübbeling, M. Meier","doi":"10.1145/3407023.3409205","DOIUrl":null,"url":null,"abstract":"Capturing behavioral data to assess users' IT security awareness is state of the art. However, recording the click rate on a company wide phishing test for IT security awareness measurement does not suffice. Perceivable artifacts, that the user might be exposed to during an attack, are manifold. We introduce a framework that allows capturing user's responses to such artifacts similar to phishing tests. A field study among 259 users shows, that the expected effect of a well-established IT security awareness intervention can be demonstrated using arbitrary artifacts. It also shows that this intervention may impair the probability of a user reporting the sighting of an artifact and therefore impair an organization's capability to detect such events and possibly decrease overall security.","PeriodicalId":121225,"journal":{"name":"Proceedings of the 15th International Conference on Availability, Reliability and Security","volume":"8 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2020-08-25","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"1","resultStr":"{\"title\":\"Generalizing the phishing principle: analyzing user behavior in response to controlled stimuli for IT security awareness assessment\",\"authors\":\"Arnold Sykosch, Christian Doll, Matthias Wübbeling, M. Meier\",\"doi\":\"10.1145/3407023.3409205\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Capturing behavioral data to assess users' IT security awareness is state of the art. However, recording the click rate on a company wide phishing test for IT security awareness measurement does not suffice. Perceivable artifacts, that the user might be exposed to during an attack, are manifold. We introduce a framework that allows capturing user's responses to such artifacts similar to phishing tests. A field study among 259 users shows, that the expected effect of a well-established IT security awareness intervention can be demonstrated using arbitrary artifacts. It also shows that this intervention may impair the probability of a user reporting the sighting of an artifact and therefore impair an organization's capability to detect such events and possibly decrease overall security.\",\"PeriodicalId\":121225,\"journal\":{\"name\":\"Proceedings of the 15th International Conference on Availability, Reliability and Security\",\"volume\":\"8 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2020-08-25\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"1\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Proceedings of the 15th International Conference on Availability, Reliability and Security\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1145/3407023.3409205\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 15th International Conference on Availability, Reliability and Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3407023.3409205","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 1

摘要

捕获行为数据以评估用户的IT安全意识是目前的最新技术。然而，在公司范围内的网络钓鱼测试中记录点击率，以衡量IT安全意识是不够的。用户在攻击期间可能接触到的可感知的工件是多种多样的。我们引入了一个框架，允许捕获用户对类似于网络钓鱼测试的工件的响应。对259名用户进行的实地研究表明，可以使用任意工件来演示已建立的IT安全意识干预的预期效果。它还表明，这种干预可能会损害用户报告看到工件的可能性，从而损害组织检测此类事件的能力，并可能降低总体安全性。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

Generalizing the phishing principle: analyzing user behavior in response to controlled stimuli for IT security awareness assessment

Capturing behavioral data to assess users' IT security awareness is state of the art. However, recording the click rate on a company wide phishing test for IT security awareness measurement does not suffice. Perceivable artifacts, that the user might be exposed to during an attack, are manifold. We introduce a framework that allows capturing user's responses to such artifacts similar to phishing tests. A field study among 259 users shows, that the expected effect of a well-established IT security awareness intervention can be demonstrated using arbitrary artifacts. It also shows that this intervention may impair the probability of a user reporting the sighting of an artifact and therefore impair an organization's capability to detect such events and possibly decrease overall security.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

Proceedings of the 15th International Conference on Availability, Reliability and Security

自引率

0.00%

发文量