Computing Community Consortium Blog

The goal of the Computing Community Consortium (CCC) is to catalyze the computing research community to debate longer range, more audacious research challenges; to build consensus around research visions; to evolve the most promising visions toward clearly defined initiatives; and to work with the funding organizations to move challenges and visions toward funding initiatives. The purpose of this blog is to provide a more immediate, online mechanism for dissemination of visioning concepts and community discussion/debate about them.


WATCH Talk – Going Spear Phishing: Exploring Embedded Training and Awareness

February 18th, 2014 / in Uncategorized / by Ann Drobnis

WATCHOn February 20 at 12:00pm EST, the National Science Foundation (NSF) will host it’s next Washington Area Trustworthy Computing Hour (WATCH) talk.  Deanna Caputo of the MITRE Corporation will give a talk titled Going Spear Phishing: Exploring Embedded Training and Awareness.  Caputo is currently a Principal Behavioral Psychologist supporting the U.S. law enforcement and intelligence communities.  Previously, she worked for the Department of Defense as a senior human factors intelligence analyst.  She holds a Ph.D. in Social and Personality Psychology from Cornell University, with specialization in Judgment and Decision-making and Psychology and Law.

 

Abstract

To explore the effectiveness of embedded training, we conducted a large-scale experiment that tracked workers’ reactions to a series of carefully crafted spear phishing emails and to a variety of immediate training and awareness activities. Based on behavioral science findings, the experiment included four different training conditions, each of which used a different type of message framing.  The results from three trials showed that framing had no significant effect on the likelihood that a participant would click on a subsequent spear phishing email, and that many participants either clicked on all links or none regardless of whether they received training or what kind of training they received. The results suggest that embedded training was ineffective because employees failed to read the training materials. We were therefore unable to determine whether the embedded training materials created framing changes on susceptibility to spear phishing attacks. Dr. Caputo will discuss the study results, why users may have feared the training, and what this means for strengthening our human firewalls against advanced spear phishing attacks.

The talk will be webcast; you must register here by 10:00 am on February 19.

Future WATCH talks are as follows:

  • Mar 20 2014: Maya Bernstein, Department of Health and Human Services
  • Apr 17 2014: Deb Frincke, National Security Agency
  • May 15 2014: Dan Wallach, Rice University
  • Jul 17 2014: Crispin Cowan, Microsoft
WATCH Talk – Going Spear Phishing: Exploring Embedded Training and Awareness