http://dx.doi.org/10.13089/JKIISC.2017.27.2.267

A Study on the Change of Capability and Behavior against Phishing Attack by Continuous Practical Simulation Training  

Yoon, Duck-sang (Graduate School of Information Security, Korea University)
Lee, Kyung-ho (Graduate School of Information Security, Korea University)
Lim, Jong-in (Graduate School of Information Security, Korea University)
Abstract
This study emulated unscheduled phishing e-mails over a long period of time, imitating the manner in which external hackers attack a group of employees in a company. We then measured and analyzed the recipients' ability to identify and respond to phishing e-mails as the training progressed. In addition, we analyzed the changes in participants' response behavior when the external control condition was changed between training rounds. The analysis confirmed that the training duration had a positive (+) relationship with the employees' ability to identify phishing e-mails and with the infection rate, and that more employees read, and were infected by, phishing e-mails that exploited social issues and seasonal events. It was also confirmed that reinforcing the internal control policy for infected persons has a positive (+) effect on the employees' phishing attack response behavior. Based on these results, we suggest a suitable training method for each organization to enhance the ability of employees to cope with phishing attacks.
Keywords
phishing; email; social engineering; APT; advanced persistent threat; security awareness training;