Abstract

To explore the effectiveness of embedded training, we conducted a large-scale experiment that tracked workers' reactions to a series of carefully crafted spear phishing emails and to a variety of immediate training and awareness activities. Based on behavioral science findings, the experiment included four different training conditions, each of which used a different type of message framing. The results from three trials showed that framing had no significant effect on the likelihood that a participant would click on a subsequent spear phishing email, and that many participants either clicked on all links or none regardless of whether they received training or what kind of training they received. The results suggest that embedded training was ineffective because employees failed to read the training materials. We were therefore unable to determine whether the framing of the embedded training materials changed susceptibility to spear phishing attacks. Dr. Caputo will discuss the study results, why users may have feared the training, and what this means for strengthening our human firewalls against advanced spear phishing attacks.

Speaker

Deanna D. Caputo received her Ph.D. in Social and Personality Psychology from Cornell University, with specialization in Judgment and Decision-making and Psychology and Law. She currently works in the Washington, D.C. area for the MITRE Corporation as a Principal Behavioral Psychologist supporting the United States law enforcement and intelligence communities, and previously worked for the US Department of Defense as a senior human factors intelligence analyst. Dr. Caputo has almost 20 years of experience in designing, conducting, and analyzing experimental research with human participants, using both quantitative and qualitative analyses. She is also proficient in profiling human decision-making behavior and conducting social network analyses. Her main area of research and operational consultation is human behavior and cyber security, particularly insider threat. Dr. Caputo has published multiple psychological articles in peer-reviewed journals and authored a book chapter; her most recent publications are "Going Spear Phishing: Exploring Embedded Training and Awareness," IEEE Security & Privacy, (In Press); "Leveraging Behavioral Science to Mitigate Cyber Security Risk," Computers and Security, May 2012; and "Detecting the Theft of Trade Secrets by Insiders: A Summary of MITRE Insider Threat Research," IEEE Security & Privacy, Nov/Dec 2009.

 
 

About the WATCH series:

Transforming today's trusted but untrustworthy cyberinfrastructure into one that can meet society's growing demands requires both technical advances and improved understanding of how people and organizations of many backgrounds perceive, decide to adopt, and actually use technology. WATCH aims to provide thought-provoking talks by innovative thinkers with ideas that illuminate these challenges and provide signposts toward solutions. The series is jointly organized by NSF's Computer Science and Engineering (CISE) and Social, Behavioral, and Economic (SBE) Directorates and sponsored by the CISE Secure and Trustworthy Cyberspace (SaTC) Program. Talks will be recorded and made available over the Internet.

 
 

For the webcast, please tune in 15 minutes prior to the start time for the event and test your video player. This live event will be captioned in compliance with Section 508.

The event will be archived for 3 months, viewable at http://www.tvworldwide.com/events/nsf/130926 and http://www.fededtv.com/. Participants should have Windows Media Player or Flash player installed to view the event.

 
 

About NSF
The National Science Foundation (NSF) is an independent federal agency that supports fundamental research and education across all fields of science and engineering. In fiscal year (FY) 2009, its budget is $9.5 billion, which includes $3.0 billion provided through the American Recovery and Reinvestment Act. NSF funds reach all 50 states through grants to over 1,900 universities and institutions. Each year, NSF receives about 44,400 competitive requests for funding, and makes over 11,500 new funding awards.


About TVWorldwide.com

Founded in 1999, TV Worldwide (www.tvworldwide.com) developed the first Internet TV network of community-based Internet TV channels, primarily targeting niche professional communities ranging from the maritime industry to the digital media sector. TV Worldwide is known by many in the industry as "Internet TV for Smart People". Fortune 500 companies, 18 federal government agencies, and numerous international associations, including the National Association of Broadcasters, utilize TV Worldwide's live and archived state-of-the-art video streaming content applications and Internet TV channels. In recognition of the company's unique achievements in new media, TV Worldwide was selected by the National Academy of Television Arts and Sciences (NATAS) to webcast the Daytime Emmy Awards and the Emmy Awards for Technology and Engineering 2007 through 2009. CEO Dave Gardy was honored by Streaming Media Magazine in 2008 as one of the 25 Most Influential People in Streaming Media. Mr. Gardy also currently serves as the President of the International Webcasting Association (IWA) (www.webcasters.org).