TULiPS

Technology Usability Lab in Privacy and Security


Phishing Human Factors

Malicious communications, also known as phishing, are a serious problem for organizations and individuals world-wide. The Ponemon Institute in 2017 estimated that phishing costs UK organizations an average of $2.01 million per incident. Phishing is also a common gateway to larger attacks: in 2019 alone, 32% of data breaches started with a successful phishing attack (Verizon), which makes phishing particularly important to prevent.

The TULiPS lab is working on several lines of research around the human factors of phishing attacks.

URL Reading

Reading a URL is one of the key abilities necessary for identifying malicious communications, but many people cannot accurately read a URL and predict where it will go. This happens for several reasons: URLs are naturally complex to read, visually identical characters can easily confuse a person, and for some URLs, such as shortened ones, it is impossible to predict the destination from the text alone because the link redirects elsewhere.
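To make the three difficulties concrete, here is a small URL explainer in the spirit of the lab's URL-reading aids (Faheem and the bilingual URL website below). It is an added example, not code from TULiPS or any of its projects; the public-suffix set and shortener set are constructed stand-ins for the real lists.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (an assumption; the real
# list is far longer).
PUBLIC_SUFFIXES = {"com", "org", "net", "co", "uk", "co.uk", "ac.uk", "ly"}
# Constructed sample of link-shortening hosts: their destination is only
# known after following the redirect (an assumption, not a complete list).
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}


def registrable_domain(host):
    """Return the registrable domain, the part of the host that decides who
    actually receives the request (e.g. example.org, not www.paypal.com.example.org)."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return host.lower()


def non_ascii_characters(host):
    """Unicode names of host characters outside ASCII, which can look
    identical to Latin letters (e.g. Cyrillic 'a')."""
    return sorted({unicodedata.name(c, "UNKNOWN") for c in host if ord(c) > 127})


def explain_url(url):
    """Break a URL into the pieces a reader needs to predict its destination."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    destination = registrable_domain(host)
    return {
        "host": host,
        "destination": destination,      # the part to judge trust by
        "userinfo": parts.username,      # text before '@' is NOT the host
        "non_ascii": non_ascii_characters(host),
        "shortened": destination in SHORTENERS,
        "path": parts.path,
    }


def summarize(url):
    """One-line plain-language explanation, as a URL-explainer bot might give."""
    e = explain_url(url)
    if e["shortened"]:
        return f"{e['host']} is a link shortener; the real destination cannot be read from the text."
    notes = []
    if e["userinfo"]:
        notes.append(f"'{e['userinfo']}' before the '@' is login text, not the site")
    if e["non_ascii"]:
        notes.append("host contains look-alike characters: " + ", ".join(e["non_ascii"]))
    return f"This link goes to {e['destination']}" + (f" ({'; '.join(notes)})" if notes else "") + "."
```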

Managing phishing reports

Assuming that users are able to accurately detect phishing, they should report it. But what happens to those reports? Often they have to pass through a process of manual labeling by Security Operations Center staff to determine whether they really are phishing. Then key features have to be extracted to create rules that can be added to email and other filters. Needless to say, this process can take some time, which is problematic.

In this project, we aim to better understand the workflows of the people who process phishing reports. What actions do they take? Who is involved? All with the goal of making their job easier and more efficient.

Publications

  1. Faheem: Explaining URLs to people using a Slack bot
    K. Althobaiti, K. Vaniea, S. Zheng; In Symposium on Digital Behaviour Intervention for Cyber Security. 2018.
  2. Automatic phishing detection versus user training, Is there a middle ground using XAI?
    S. Albakry, K. Vaniea; In Proceedings of the SICSA Workshop on Reasoning, Learning and Explainability. 2018.
  3. A Review of Human- and Computer-Facing URL Phishing Features
    K. Althobaiti, G. Rummani, K. Vaniea; In IEEE European Symposium on Security and Privacy Workshops (EuroS&PW). 2019.
  4. What is this URL's Destination? Empirical Evaluation of Users' URL Reading
    S.S. Albakry, K. Vaniea, M.K. Wolters; In Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems. 2020.
  5. Analysis of publicly available anti-phishing webpages: contradicting information, lack of concrete advice and very narrow attack vector
    M. Mossano, K. Vaniea, L. Aldag, R. Düzgün, P. Mayer, M. Volkamer; In Proceedings of the 5th IEEE European Workshop on Usable Security (EuroUSEC). 2020.

Funding

Research and projects here are partially funded by the following groups:

Related Student Projects

The following are related projects completed by interns, undergraduate, and masters students.

Analysing Online Anti-Fraud Advice to Identify Common Anti-Phishing Instructions and Assumptions

Mattia Mossano (2018-2019, Masters Thesis)

Supervisor: Kami Vaniea

There is a wide variety of anti-phishing advice available through many organizations such as banks, universities, law enforcement, and consumer advocacy groups. In this work, I collect advice from 94 web pages across 9 countries. I find that the advice given to users is disorganized, with different advice given by different groups and sometimes the same group offering different advice for different entities.


Catch-Phish: Developing a Phishing Learning and Detection Tool

Stephen Waddell (2018-2019, Undergraduate Thesis)

Supervisor: Kami Vaniea

Designed an in-browser tool that analyzes URLs before users click on them and provides feedback about the likely final destination of the URL. The project involved interviewing people about different interface ideas, building a prototype, and testing the prototype with a small number of participants.


Web-based tool for estimating security training approaches for security decision-makers

Nan Sheng (2017-2018, Masters Thesis)

Supervisor: Kami Vaniea

Cyber security is a concern for organizations because failures can lead to large financial losses. The premise of this project is that the CISO realizes the importance of cyber security training and is trying to find a suitable training approach for the staff. This project collects essential information about training approaches from academic papers and training companies, such as methodology, characteristics, effectiveness, cost, and commercial training products. The goal is to help someone like a CISO select a suitable training approach for the staff.


Empirical Evaluation of Users' Ability to Read URLs With and Without a Support Website

Xinding Wang (2017-2018, Masters Thesis)

Supervisor: Kami Vaniea

Reading a URL unaided is challenging. This project had two goals:
1) Determine if people in China and Europe read URLs differently.
2) Build a website that parses and explains a URL to someone in both English and Chinese.


Faheem: Real-time Slack Bot URL Explainer Assists Users in Overcoming Phishing

Kholoud Althobaiti (2016-2017, Masters Thesis)

Supervisors: Stuart Anderson, Kami Vaniea

People have difficulty understanding URLs, which makes it harder for them to decide which links are safe to click on or to identify potential privacy issues. Faheem is a Slack chat bot designed to help users understand a URL through an interactive discussion with the bot.