Institute for Software Research
School of Computer Science, Carnegie Mellon University
PhishGuru: A System for Educating Users
The goal of this thesis is to show that computer users trained with an embedded training system – one grounded in the principles of learning science – are able to make more accurate online trust decisions than users who read traditional security training materials, which are distributed via email or posted online. To achieve this goal, we focus on "phishing," a type of semantic attack. We have developed a system called "PhishGuru" based on embedded training methodology and learning science principles. Embedded training is a methodology in which training materials are integrated into the primary tasks users perform in their day-to-day lives. In contrast to existing training methodologies, the PhishGuru shows training materials to users through emails at the moment ("teachable moment") users actually fall for phishing attacks.
We evaluated the embedded training methodology through laboratory and field studies. Real-world experiments showed that people trained with PhishGuru retain knowledge even after 28 days. PhishGuru training does not decrease users' willingness to click on links in legitimate messages. PhishGuru is also being used in a real-world implementation of the Anti-Phishing Working Group Landing Page initiative. The design principles established in this thesis will help researchers develop systems that can train users in other risky online situations.