Use of Phishing Training to Improve Security Warning Compliance: Evidence From a Field Experiment

ABSTRACT: The current approach to protect users from phishing attacks is to display a warning when the webpage is considered suspicious. We hypothesize that users are capable of making correct informed decisions when the warning also conveys the reasons why it is displayed. We chose to use traffic rankings of domains, which can be easily described to users, as a warning trigger and evaluated the effect of the phishing warning message and phishing training. The evaluation was conducted in a field experiment. We found that knowledge gained from the training enhances the effectiveness of phishing warnings, as the number of participants being phished was reduced. However, the knowledge by itself was not sufficient to provide phishing protection. We suggest that integrating training in the warning interface, involving traffic ranking in phishing detection, and explaining why warnings are generated will improve current phishing defense.

Weining Yang works at Google, Inc. He received his Ph.D. in Computer Science from Purdue University in August, 2016.

Aiping Xiong is a Ph.D. student in Cognitive Psychology and Human Factors at Purdue University. She got her Master Degree in Industrial Engineering at Purdue University at 2014.

Jing Chen is an assistant professor at Department of Psychology at New Mexico State University. She received her Ph.D. in Cognitive Psychology at Purdue University at 2015.

Dr. Robert W. Proctor is a distinguished professor at Department of Psychological Sciences of Purdue University. He received his Ph.D. in Experimental Psychology at the University of Texas at Arlington in 1975.

Dr. Ninghui Li is a professor in the Computer Science Department of Purdue University, and he got his Ph.D. in Computer Science at New York University in 2000.