Teaching Phishing-Security: Which Way is Best?

  • Simon Stockhardt
  • Benjamin Reinheimer
  • Melanie Volkamer
  • Peter Mayer
  • Alexandra Kunz
  • Philipp Rack
  • Daniel Lehmann
Conference paper
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 471)


Ever more processes of our daily lives are shifting into the digital realm. Consequently, users face a variety of IT-security threats with possibly severe ramifications. It has been shown that technical measures alone are insufficient to counter all threats. For instance, technical measures take on average 32 h to identify and block a phishing website. Therefore, teaching users how to identify malicious websites is of utmost importance if they are to be protected at all times. A number of ways to deliver the necessary knowledge to users exist. Among the most broadly used are instructor-based, computer-based and text-based training. We compare all three formats in the security context, or more precisely in the context of anti-phishing training.


Keywords: IT-security training, User study, Computer-based training, Instructor-based training, Text-based training, Phishing



This work has been developed within the project ‘KMU AWARE’ which is funded by the German Federal Ministry for Economic Affairs and Energy under grant no. BMWi-VIA5-090168623-01-1/2015. The authors assume responsibility for the content.



Copyright information

© IFIP International Federation for Information Processing 2016

Authors and Affiliations

  1. Technische Universität Darmstadt, Darmstadt, Germany
