通过科学诱饵制作进行用户网络钓鱼培训.pdf

1、Pwning Phishing Training Through Scientific Lure CraftingDr.Christian Dameff,MD&Dr.Ariana Mirian,PhDBlack Hat 2025,Human Factors TrackWho are we?Associate professor UCSDCo-director UCSD Center for Healthcare Cybersecurity Security researcher focused on Internet measurement/security Currently Censys,

2、Previously PhD UCSDAgenda Background&Motivation Study Setup,Design,&Methods Lessons Learned(and what that means for users)SummaryAudience poll:Does user phishing training work?Background+MotivationPhishing Training worksright?Many organizations(including ours)perform trainings Annual cybersecurity a

3、wareness trainings Simulated phishing tests(embedded trainings)Teach a person to spot a phish,and they are trained for life“Human firewalls”Background Much prior research is in favor of anti-phishing training i.e:Jampen et al.2020 Often lab studies Some recent studies that show opposite results I.e:

4、Lain et al.2022 Increasingly real world studies with actual users Problem:How do we reconcile these conflicting studies?Problem:How do we reconcile these conflicting studies?Underlying research question:What is the best modality for anti-phishing training?Many different modalities which to focus on?

5、StaticInteractiveLets Treat Security Research like Medical ResearchMedical OutcomesSecurity OutcomesMedical OutcomesSecurity OutcomesLets Treat Security Research like Medical Research Evidence based cybersecurity should be the norm.Bloodletting&mercury=bad Instead of spending millions of dollars AND

6、 hours on ineffective solutions,lets find the EFFECTIVE ones with science.Lets Treat Security Research like Medical ResearchMethodologyNot all evidence is equalRandomized 19,000+Employees into 5 Groups Control(no training)Generic static Generic interactive Contextual static Contextual interactive Th