The Use of Usable Security and Security Education to Fight Phishing Attacks

Phishing and other social engineering techniques predominantly exploit human vulnerabilities. People who lack the proper awareness, knowledge and skills in information security become easy prey for phishers and other cybercriminals. Equally dangerous is the poor usability of security-critical information systems and anti-phishing software, which impedes user performance, drives users to be negligent about security and leads them to make errors.

Human vulnerabilities arising from negligence, lack of knowledge and skills, and inherent weakness cannot be patched in the same way as technological problems. Humans can, however, become more knowledgeable and skilled, and they can be supported by better usability that helps them make the correct decision at the right time and act in an acceptably safe and secure manner in cyberspace. These information security and privacy requirements call for an understanding of people's online behaviour in order to recommend and design appropriate and effective anti-phishing solutions. Although people's online behaviour is unpredictable because of many uncertainties and unforeseen events, there are identifiable factors that influence it. Similarly, in anti-phishing education, properties such as the quality and suitability of the learning methods and teaching materials used for a specific educational purpose are important. This thesis contributes to a better understanding of these human factors through a usable anti-phishing solution and through effective methods and materials for anti-phishing education, in the effort to protect people from phishing attacks.

The author used a contingency approach, selecting the research method(s) according to the situation, to accomplish two objectives. The studies revealed three aspects of usable security that are essential when designing a usable anti-phishing solution: i) security and usability are complementary properties that should be dealt with together from the earliest phases of the system's or product's development lifecycle; ii) anti-phishing solutions should be designed only after the proper participation and consultation of a number of different stakeholder groups, such as users, professionals and experts from different disciplines, typically information security, human-computer interaction, psychology, cognitive science, adult education and others; and iii) when established usability principles and models are applied for security purposes, they should be evaluated for their suitability to the given situation and context of use. Security should always be part of the user's workflow and of people's natural way of thinking and working, and its implementation should be as natural as possible.

Similarly, the research studies on security and privacy education performed for this thesis demonstrated that: i) along with providing new knowledge, security education should also eliminate people's security misconceptions; ii) security education should be up to date, covering both new technology and increasingly sophisticated phishing attacks and threats; iii) security education should include both technological and non-technological threats; and iv) the designers of security education curricula should encourage the participation of the associated stakeholders, such as learners, teachers and IT professionals, and draw on their knowledge, experience and skills in privacy and security topics. Adopting teaching and learning methods and materials that promote the active and collaborative participation of learners, and that learners themselves prefer, can help make security teaching and learning interesting and potentially more effective.

Last but not least, several other essential human factors, including age, gender, education and culture, are equally important and should be considered in both usable anti-phishing solutions and anti-phishing (or security) education. Understanding these socio-technical aspects and incorporating them into the design of technological and non-technological anti-phishing solutions, and into security curricula, yields a holistic, human-centred and effective solution that can protect people from security threats and leave citizens with a greater awareness of the dangers.

Sunil Chaudhary (Tampere University of Technology): The Use of Usable Security and Security Education to Fight Phishing Attacks (Dissertation)

