Embedding Training Within Warnings Improves Skills of Identifying Phishing Webpages

Aiping Xiong, Robert W. Proctor, Weining Yang, Ninghui Li

Research output: Contribution to journal › Article › peer-review

12 Scopus citations

Abstract

Objective: Evaluate the effectiveness of training embedded within security warnings to identify phishing webpages.

Background: More than 20 million malware and phishing warnings are shown to users of Google Safe Browsing every week. Substantial click-through rate is still evident, and a common issue reported is that users lack understanding of the warnings. Nevertheless, each warning provides an opportunity to train users about phishing and how to avoid phishing attacks.

Method: To test use of phishing-warning instances as opportunities to train users’ phishing webpage detection skills, we conducted an online experiment contrasting the effectiveness of the current Chrome phishing warning with two training-embedded warning interfaces. The experiment consisted of three phases. In Phase 1, participants made login decisions on 10 webpages with the aid of warning. After a distracting task, participants made legitimacy judgments for 10 different login webpages without warnings in Phase 2. To test the long-term effect of the training, participants were invited back a week later to participate in Phase 3, which was conducted similarly as Phase 2.

Results: Participants differentiated legitimate and fraudulent webpages better than chance. Performance was similar for all interfaces in Phase 1 for which the warning aid was present. However, training-embedded interfaces provided better protection than the Chrome phishing warning on both subsequent phases.

Conclusion: Embedded training is a complementary strategy to compensate for lack of phishing webpage detection skill when phishing warning is absent.

Application: Potential applications include development of training-embedded warnings to enable security training at scale.

Original language: English (US)
Pages (from-to): 577-595
Number of pages: 19
Journal: Human Factors
Volume: 61
Issue number: 4
State: Published - Jun 1 2019

All Science Journal Classification (ASJC) codes

  • Human Factors and Ergonomics
  • Applied Psychology
  • Behavioral Neuroscience
