Monday, September 22, 2014

Going Phishing

Mohebzada, J., El Zarka, A., Bhojani, A., & Darwish, A. (2012). Phishing in a university community: Two large scale phishing experiments. 2012 International Conference on Innovations in Information Technology (IIT), 249–254.

The goal of a phishing attack is to obtain someone's personal information online by pretending to be a trustworthy source. This study describes the design and results of two large-scale phishing attacks at a university. In the first attack, the researchers sent out a fake email purporting to come from the IT department and asking for people's passwords; in the second attack, the researchers attempted to obtain people's bank account information through a fake study. Of the 10,917 students, faculty, and staff members, 8.74% fell for the first phishing attack, and 2.05% fell for the second. The researchers did not find a significant relationship between susceptibility to phishing attacks and other factors such as age and gender, which contradicts previous research. This study reveals that many people are not aware of phishing attacks or of the dangers of releasing personal information online.

Recently, I delivered a speech about the effectiveness of security images in preventing phishing attacks in online banking, and generally, computer security issues are interesting to me. As a millennial, I spend half of my life online, and I worry about the security of my personal information. Like most people, I probably repeat passwords too much from one website to another, and it concerns me that if someone just figures out my laptop's password, then that person will have immediate access to all of the saved passwords on my computer. I found this particular study relatable, since I attend a university and access my bank account online. I like to think that I would not fall prey to a phishing attack, but studies like this tell me that more people are vulnerable to phishing attacks than I might have thought.

In this study, the sample size of 10,917 is impressively large, although the sample only contains people at a university. If the researchers wanted to study the relationship between susceptibility to phishing attacks and, say, level of education, a more diverse sample would be necessary. The second section of the paper refers to several past studies of phishing attacks, which helps solidify the credibility of this study. However, I find the second phishing attack to be less than impressive, primarily because it makes no mention of what time of day the researchers carried out the attack. During this experiment, the IT department sent out a warning about the attack within two hours, but I wonder if the IT department would have been less responsive at a different time of day.

The article mentions that users are the "weakest link" of information security, which provides excellent justification for the study. Most computer security studies are purely technical, but we also need more research about how people's behavior impacts the security of their information. This paper concludes that many people are not only unaware of phishing attacks but also inattentive to warnings about phishing attacks. This implies that if an organization sends out warnings about potential attacks, damages might be limited but they will still exist. Interestingly, students in the study were more susceptible to phishing attacks than faculty or staff members, which could imply that more experienced users are likely to be more cautious about releasing their personal information online. Overall, in order to learn more about how to minimize damages from threats to computer security, we need more research about how users behave in these kinds of situations.

I found this article using IEEE Xplore Digital Library, which is a reliable source of journal articles about computer science and engineering. I will continue to use this website to find more interesting articles to review. Because this paper refers to previous studies, I could put the research in context more easily. When I write introductions for research papers in the future, I will try to ease the readers into the new research by reviewing prominent old research. Additionally, I noticed that unlike the previous article that I blogged about, this article's abstract has keywords at the end, which also helps put the research in context.
