Teaching Johnny to thwart phishing attacks
One such cyber threat, which is particularly dangerous to computer users, is phishing. Phishing is well known as on-line identity theft, which targets to steal its victim’s sensitive information, such as username, password and online banking details. Automated anti-phishing web browser plugin tools have been developed and used to alert users of potential fake e-mails and websites. However, these tools are not completely reliable in detecting and protecting people from phishing attacks. This is because cyber-criminals leverage their attack through human exploitation. It is not possible to completely circumvent the end-user; for example, in personal computer use, one mitigating approach for computer and information security is to educate the end-user in security prevention. Educational researchers and industry experts talk about well-designed user security education which can be effective. However, we know to our cost that no one talks about how to better design security educational interventions for end-users. Therefore, this paper focuses on designing an innovative and gamified security interventions designed to educate individuals about phishing attacks. The study asks how one can integrate ‘self-efficacy’, which has a co-relation with the user’s knowledge, into an anti-phishing educational game to thwart phishing attacks? One of the main reasons appears to be a lack of user knowledge to guard against phishing attacks. Therefore, this research investigates the elements that influence (in this case, either conceptual or procedural knowledge or their interaction effect) and then integrates them into an anti-phishing educational game to enhance people’s phishing prevention behaviour through their motivation. The proposed game design teaches how to identify phishing URLs, which is one of the many ways to identify phishing attacks. The URLs are classified through machine learning techniques.