Who Provides Phishing Training? Facts, Stories, and People Like Me
by: Rick Wash and Molly Cooper
Abstract
Humans represent one of the most persistent vulnerabilities in many computing systems. Since human users are independent agents who make their own choices, closing these vulnerabilities means persuading users to make different choices. Focusing on one specific human choice – clicking on a link in a phishing email – we conducted an experiment to identify better ways to train users to make more secure decisions. We compared traditional facts-and-advice training against training that uses a simple story to convey the same lessons. We found a surprising interaction effect: facts-and-advice training works better than not training users, but only when presented by a security expert. Stories don’t work quite as well as facts-and-advice, but work much better when told by a peer. This suggests that the perceived origin of training materials can have a surprisingly large effect on security outcomes.
Reference
Rick Wash and Molly Cooper. “Who Provides Phishing Training? Facts, Stories, and People Like Me.” Proceedings of the ACM Conference on Human Factors in Computing (CHI). Montreal, Canada. April 2018. [Honorable Mention Award]