Going Spear phishing: Exploring Embedded Training & Awareness

Deanna Caputo

Deanna D. Caputo
The MITRE Corporation


Thursday, February 20, 2014
Noon-1pm,
NSF Stafford I, Room 110

To watch the recorded presentation, register at: http://www.tvworldwide.com/events/nsf/140220/.

Abstract

To explore the effectiveness of embedded training, we conducted a large-scale experiment that tracked workers' reactions to a series of carefully crafted spear phishing emails and to a variety of immediate training and awareness activities. Based on behavioral science findings, the experiment included four different training conditions, each of which used a different type of message framing. The results from three trials showed that framing had no significant effect on the likelihood that a participant would click on a subsequent spear phishing email, and that many participants either clicked on all links or none regardless of whether they received training or what kind of training they received. The results suggest that embedded training was ineffective because employees failed to read the training materials. We were therefore unable to determine whether the framing of the embedded training materials changed susceptibility to spear phishing attacks. Dr. Caputo will discuss the study results, why users may have feared the training, and what this means for strengthening our human firewalls against advanced spear phishing attacks.

Speaker

Deanna D. Caputo received her Ph.D. in Social and Personality Psychology from Cornell University, with specialization in Judgment and Decision-making and Psychology and Law. She currently works in the Washington, D.C. area for the MITRE Corporation as a Principal Behavioral Psychologist supporting the United States law enforcement and intelligence communities, and previously worked for the US Department of Defense as a senior human factors intelligence analyst. Dr. Caputo has almost 20 years of experience in designing, conducting, and analyzing experimental research with human participants, using both quantitative and qualitative analyses. She is also proficient in profiling human decision-making behavior and conducting social network analyses. Her main area of research and operational consultation is human behavior and cyber security, particularly insider threat. Dr. Caputo has published multiple psychological articles in peer-reviewed journals and authored a book chapter. Her most recent publications are "Going Spear phishing: Exploring Embedded Training and Awareness," IEEE Security & Privacy (In Press); "Leveraging Behavioral Science to Mitigate Cyber Security Risk," Computers and Security, May 2012; and "Detecting the Theft of Trade Secrets by Insiders: A Summary of MITRE Insider Threat Research," IEEE Security & Privacy, Nov/Dec 2009.