Comments on: Anti-Phishing Day
News, Views, and Insight from the ESET Security Community, Mon, 03 Feb 2014 08:49:00 +0000

By: Patricio Del Boca Tue, 21 Jun 2011 02:12:03 +0000 Hello Randy! I'm a student of Information System Engineering in Argentina (so I beg your pardon for my English).
I liked this article very much. It's good to see people that care about the education of all the internet users who don't have enough knowledge to understand the way malware works. I think that well educated users are the foundation to achieve a society protected from cybercriminals. A society where the security of all members depends on how users (less educated) use the network.
Nowadays, I'm writing a paper for a contest inspired by a phrase I read in a book: "Security through education". In the paper, I insist (in my humble opinion) on the importance of teaching Internet users the basic concepts of Social Engineering used in most of the actual malware (among other things). The main idea is: educate helpless people in order to make the entire society safer.
So, one more time, I want to congratulate you for your article. I think the idea of using phishing emails to make people understand the mechanics of phishing attacks is an idea that should be heard by more people. :)

Greetings from Argentina!

Patricio Del Boca

By: Randy Abrams Sat, 18 Jun 2011 01:25:29 +0000 is where one of the Carnegie Mellon studies resides. Still, I believe that even more effective than trying to identify the email as a phish, it is far more effective to teach people not to perform the behavior that results in the attack being effective.

By: Randy Abrams Fri, 17 Jun 2011 23:41:36 +0000 The educational approach being used is defective, not the value of the education. Being phished first makes the student more likely to pay attention to the education, but then we need to move away from a spot-the-phish to a behavioral approach to anti-phishing. Teaching people the basics of not providing a password and not logging into an account from a link is far easier than teaching them to identify that a phish is such.

By: R. Zager Fri, 17 Jun 2011 23:36:36 +0000 You overstate the value of training in solving this problem. The second and third Carronade studies conducted at West Point showed very disappointing results from training. The recent paper, "Why do people get phished? Testing individual differences in phishing vulnerability within an integrated, information processing model." by Vishwanath, et al. provided insight into the limited value of training to address this problem.
In a nutshell, training requires that people pay attention to processing email in order to spot defects in the email that call its authenticity into question. People just don't put that much focus on the email task. Additionally, as Lt. Col. Conti, West Point professor, recently observed in the NY Times, phishing emails are becoming increasingly difficult to spot as bad guys avail themselves of better and better targeting data that is available on the internet.