Comparing Phishing Training and Campaign Methods for Mitigating Malicious Emails in Organizations

Jackie Scott; Yair Levy; Wei Li; Ajoy Kumar

doi:10.5220/0012281600003648

Comparing Phishing Training and Campaign Methods for Mitigating Malicious Emails in Organizations

Jackie Scott
, Yair Levy
, Wei Li
, Ajoy Kumar

Nova Southeastern University

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

1 Scopus citations

Abstract

Although there have been numerous significant technological advancements in the last several decades, there continues to be a real threat as it pertains to social engineering, especially phishing, spear-phishing, and Business Email Compromise (BEC). While the technologies to protect end-users have gotten better, the ‘human factor’ in cybersecurity is the main penetration surface. These three phishing methods are used by attackers to infiltrate corporate networks and manipulate end-users, especially through business email. Our research study was aimed at assessing several phishing mitigation methods, including phishing training and campaign methods, as well as any human characteristics that enable a successful cyberattack through business email. Following expert panel validation for the experimental procedure, a pilot study with 172 users and then a full study with 552 users were conducted to collect six actual end-users’ negative response actions to phishing campaigns conducted with traditional Commercial-Off-The-Shelf (COTS) product (KnowBe4) and a red team. Users were randomly assigned to three groups: no training; traditional training; and longitudinal customized training with 1,104 data points collected. While the phishing method was significant, our results indicate that current training methods appear to provide little to no added value vs. no training at all.

Original language	English
Title of host publication	Proceedings of the 10th International Conference on Information Systems Security and Privacy
Editors	Gabriele Lenzini, Paolo Mori, Steven Furnell
Publisher	Science and Technology Publications, Lda
Pages	643-651
Number of pages	9
ISBN (Print)	9789897586835
DOIs	https://doi.org/10.5220/0012281600003648
State	Published - 2024
Event	10th International Conference on Information Systems Security and Privacy, ICISSP 2024 - Rome, Italy Duration: Feb 26 2024 → Feb 28 2024

Publication series

Name	Proceedings of the 10th International Conference on Information Systems Security and Privacy

Conference

Conference	10th International Conference on Information Systems Security and Privacy, ICISSP 2024
Country/Territory	Italy
City	Rome
Period	2/26/24 → 2/28/24

Bibliographical note

Publisher Copyright:
© 2024 by SCITEPRESS – Science and Technology Publications, Lda.

ASJC Scopus Subject Areas

Computer Science (miscellaneous)
Information Systems

Keywords

and Awareness (SETA)
Business Email Compromise (BEC)
Phishing
Phishing Campaigns
Phishing Training
Red Team
Security Education
Spear-Phishing
Training

Access to Document

10.5220/0012281600003648

Cite this

Scott, J., Levy, Y., Li, W., & Kumar, A. (2024). Comparing Phishing Training and Campaign Methods for Mitigating Malicious Emails in Organizations. In G. Lenzini, P. Mori, & S. Furnell (Eds.), Proceedings of the 10th International Conference on Information Systems Security and Privacy (pp. 643-651). (Proceedings of the 10th International Conference on Information Systems Security and Privacy). Science and Technology Publications, Lda. https://doi.org/10.5220/0012281600003648

Comparing Phishing Training and Campaign Methods for Mitigating Malicious Emails in Organizations. / Scott, Jackie; Levy, Yair ; Li, Wei et al.
Proceedings of the 10th International Conference on Information Systems Security and Privacy. ed. / Gabriele Lenzini; Paolo Mori; Steven Furnell. Science and Technology Publications, Lda, 2024. p. 643-651 (Proceedings of the 10th International Conference on Information Systems Security and Privacy).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Scott, J, Levy, Y , Li, W & Kumar, A 2024, Comparing Phishing Training and Campaign Methods for Mitigating Malicious Emails in Organizations. in G Lenzini, P Mori & S Furnell (eds), Proceedings of the 10th International Conference on Information Systems Security and Privacy. Proceedings of the 10th International Conference on Information Systems Security and Privacy, Science and Technology Publications, Lda, pp. 643-651, 10th International Conference on Information Systems Security and Privacy, ICISSP 2024, Rome, Italy, 2/26/24. https://doi.org/10.5220/0012281600003648

Scott J, Levy Y , Li W , Kumar A. Comparing Phishing Training and Campaign Methods for Mitigating Malicious Emails in Organizations. In Lenzini G, Mori P, Furnell S, editors, Proceedings of the 10th International Conference on Information Systems Security and Privacy. Science and Technology Publications, Lda. 2024. p. 643-651. (Proceedings of the 10th International Conference on Information Systems Security and Privacy). doi: 10.5220/0012281600003648

Scott, Jackie ; Levy, Yair ; Li, Wei et al. / Comparing Phishing Training and Campaign Methods for Mitigating Malicious Emails in Organizations. Proceedings of the 10th International Conference on Information Systems Security and Privacy. editor / Gabriele Lenzini ; Paolo Mori ; Steven Furnell. Science and Technology Publications, Lda, 2024. pp. 643-651 (Proceedings of the 10th International Conference on Information Systems Security and Privacy).

@inproceedings{02fb4c705897479ea810a9c24933f2da,

title = "Comparing Phishing Training and Campaign Methods for Mitigating Malicious Emails in Organizations",

abstract = "Although there have been numerous significant technological advancements in the last several decades, there continues to be a real threat as it pertains to social engineering, especially phishing, spear-phishing, and Business Email Compromise (BEC). While the technologies to protect end-users have gotten better, the {\textquoteleft}human factor{\textquoteright} in cybersecurity is the main penetration surface. These three phishing methods are used by attackers to infiltrate corporate networks and manipulate end-users, especially through business email. Our research study was aimed at assessing several phishing mitigation methods, including phishing training and campaign methods, as well as any human characteristics that enable a successful cyberattack through business email. Following expert panel validation for the experimental procedure, a pilot study with 172 users and then a full study with 552 users were conducted to collect six actual end-users{\textquoteright} negative response actions to phishing campaigns conducted with traditional Commercial-Off-The-Shelf (COTS) product (KnowBe4) and a red team. Users were randomly assigned to three groups: no training; traditional training; and longitudinal customized training with 1,104 data points collected. While the phishing method was significant, our results indicate that current training methods appear to provide little to no added value vs. no training at all. ",

keywords = "and Awareness (SETA), Business Email Compromise (BEC), Phishing, Phishing Campaigns, Phishing Training, Red Team, Security Education, Spear-Phishing, Training",

author = "Jackie Scott and Yair Levy and Wei Li and Ajoy Kumar",

note = "Publisher Copyright: {\textcopyright} 2024 by SCITEPRESS – Science and Technology Publications, Lda.; 10th International Conference on Information Systems Security and Privacy, ICISSP 2024 ; Conference date: 26-02-2024 Through 28-02-2024",

year = "2024",

doi = "10.5220/0012281600003648",

language = "English",

isbn = "9789897586835",

series = "Proceedings of the 10th International Conference on Information Systems Security and Privacy",

publisher = "Science and Technology Publications, Lda",

pages = "643--651",

editor = "Gabriele Lenzini and Paolo Mori and Steven Furnell",

booktitle = "Proceedings of the 10th International Conference on Information Systems Security and Privacy",

}

TY - GEN

T1 - Comparing Phishing Training and Campaign Methods for Mitigating Malicious Emails in Organizations

AU - Scott, Jackie

AU - Levy, Yair

AU - Li, Wei

AU - Kumar, Ajoy

PY - 2024

Y1 - 2024

N2 - Although there have been numerous significant technological advancements in the last several decades, there continues to be a real threat as it pertains to social engineering, especially phishing, spear-phishing, and Business Email Compromise (BEC). While the technologies to protect end-users have gotten better, the ‘human factor’ in cybersecurity is the main penetration surface. These three phishing methods are used by attackers to infiltrate corporate networks and manipulate end-users, especially through business email. Our research study was aimed at assessing several phishing mitigation methods, including phishing training and campaign methods, as well as any human characteristics that enable a successful cyberattack through business email. Following expert panel validation for the experimental procedure, a pilot study with 172 users and then a full study with 552 users were conducted to collect six actual end-users’ negative response actions to phishing campaigns conducted with traditional Commercial-Off-The-Shelf (COTS) product (KnowBe4) and a red team. Users were randomly assigned to three groups: no training; traditional training; and longitudinal customized training with 1,104 data points collected. While the phishing method was significant, our results indicate that current training methods appear to provide little to no added value vs. no training at all.

AB - Although there have been numerous significant technological advancements in the last several decades, there continues to be a real threat as it pertains to social engineering, especially phishing, spear-phishing, and Business Email Compromise (BEC). While the technologies to protect end-users have gotten better, the ‘human factor’ in cybersecurity is the main penetration surface. These three phishing methods are used by attackers to infiltrate corporate networks and manipulate end-users, especially through business email. Our research study was aimed at assessing several phishing mitigation methods, including phishing training and campaign methods, as well as any human characteristics that enable a successful cyberattack through business email. Following expert panel validation for the experimental procedure, a pilot study with 172 users and then a full study with 552 users were conducted to collect six actual end-users’ negative response actions to phishing campaigns conducted with traditional Commercial-Off-The-Shelf (COTS) product (KnowBe4) and a red team. Users were randomly assigned to three groups: no training; traditional training; and longitudinal customized training with 1,104 data points collected. While the phishing method was significant, our results indicate that current training methods appear to provide little to no added value vs. no training at all.

KW - and Awareness (SETA)

KW - Business Email Compromise (BEC)

KW - Phishing

KW - Phishing Campaigns

KW - Phishing Training

KW - Red Team

KW - Security Education

KW - Spear-Phishing

KW - Training

UR - https://www.scopus.com/pages/publications/85190880308

UR - https://www.scopus.com/pages/publications/85190880308#tab=citedBy

U2 - 10.5220/0012281600003648

DO - 10.5220/0012281600003648

M3 - Conference contribution

AN - SCOPUS:85190880308

SN - 9789897586835

T3 - Proceedings of the 10th International Conference on Information Systems Security and Privacy

SP - 643

EP - 651

BT - Proceedings of the 10th International Conference on Information Systems Security and Privacy

A2 - Lenzini, Gabriele

A2 - Mori, Paolo

A2 - Furnell, Steven

PB - Science and Technology Publications, Lda

T2 - 10th International Conference on Information Systems Security and Privacy, ICISSP 2024

Y2 - 26 February 2024 through 28 February 2024

ER -

Comparing Phishing Training and Campaign Methods for Mitigating Malicious Emails in Organizations

Abstract

Publication series

Conference

Bibliographical note

ASJC Scopus Subject Areas

Keywords

Access to Document

Other files and links

Fingerprint

Cite this