Human risk factors in cybersecurity
Experimental assessment of an academic human attack surface
This article presents an experimental analysis of several cybersecurity risks affecting the human attack surface
of Fairmont State University, a mid-size state university. We consider two social engineering experiments: a phishing email
barrage and a targeted spearphishing campaign. In the phishing experiment, a total of 4,769 students, faculty, and staff on campus
were targeted by 90,000 phishing emails. Throughout these experiments, we explored the effectiveness of three types of phishing
awareness training. Our results show that phishing emails that make it through IT’s defenses pose a clear and present threat to
large educational organizations. Moreover, we found that simple, visual, instructional guides are more effective training tools
than long documents or interactive training.
Article outline
- 1.Introduction
- 2.Related work
- 3.Methodology
- 3.1Phishing emails
- 3.1.1Structural overview
- 3.1.2Phishing email design
- 3.1.3Training types
- 3.1.4Data collection
- 3.2Spearphishing
- 3.2.1Survey overview
- 3.2.2Data collection
- 3.3IRB approval process
- 4.Results
- 4.1Response analysis (Research Question 1)
- 4.2Effectiveness of training (Research Question 2)
- 4.3Time of day analysis (Research Question 3)
- 4.4Effectiveness of warning emails (Research Question 4)
- 5.Conclusion
- Acknowledgements
- Note
-
References