Vol. 24:3 (2023) ► pp.437–463
Human risk factors in cybersecurity
Experimental assessment of an academic human attack surface
This article presents an experimental analysis of several cybersecurity risks affecting the human attack surface of Fairmont State University, a mid-size state university. We consider two social engineering experiments: a phishing email barrage and a targeted spearphishing campaign. In the phishing experiment, a total of 4,769 students, faculty, and staff on campus were targeted by 90,000 phishing emails. Throughout these experiments, we explored the effectiveness of three types of phishing awareness training. Our results show that phishing emails that make it through IT’s defenses pose a clear and present threat to large educational organizations. Moreover, we found that simple, visual, instructional guides are more effective training tools than long documents or interactive training.
Article outline
- 1.Introduction
- 1.1Research questions
- 2.Related work
- 3.Methodology
- 3.1Phishing emails
- 3.1.1Structural overview
- 3.1.2Phishing email design
- 3.1.3Training types
- 3.1.4Data collection
- 3.2Spearphishing
- 3.2.1Survey overview
- 3.2.2Data collection
- 3.3IRB approval process
- 3.1Phishing emails
- 4.Results
- 4.1Response analysis (Research Question 1)
- 4.2Effectiveness of training (Research Question 2)
- 4.3Time of day analysis (Research Question 3)
- 4.4Effectiveness of warning emails (Research Question 4)
- 5.Conclusion
- 5.1Limitations
- Acknowledgements
- Note
-
References
https://doi.org/10.1075/is.22053.cuc