BITlab: Behavior Information Technology

BITlab
404 Wilson Rd. Room 249
Communication Arts & Sciences
Michigan State University
East Lansing, MI 48824

Who Provides Phishing Training? Facts, Stories, and People Like Me

by: Rick Wash and Molly Cooper

Abstract

Humans represent one of the most persistent vulnerabilities in many computing system. Since human users are independent agents who make their own choices, closing these vulner- abilities means persuading users to make different choices. Focusing on one specific human choice – clicking on a link in a phishing email – we conducted an experiment to identify better ways to train users to make more secure decisions. We compared traditional facts-and-advice training against training that uses a simple story to convey the same lessons. We found a surprising interaction effect: facts-and-advice training works better than not training users, but only when presented by a security expert. Stories don’t work quite as well as facts-and-advice, but work much better when told by a peer. This suggests that the perceived origin of training materials can have a surprisingly large effect on security outcomes.

Reference

Rick Wash and Molly Cooper. “Who Provides Phishing Training? Facts, Stories, and People Like MeProceedings of the ACM Conference on Human Factors in Computing (CHI). Montreal, Canada. April 2018. [Honorable Mention Award]

Download: PDF