Phishing generator could be used to assess federal cybersecurity awareness


A system developed by Columbia University to synthesize phishing emails and measure the susceptibility of a targeted population to them could be utilized by the federal government as means of assessing the cybersecurity awareness of federal employees, suggests a paper from the New York university's computer science department.

The paper (.pdf), recently highlighted by the Homeland Security Affairs Journal, details an experiment the department ran on 500 unwitting students and teachers in which they sent four variants of a synthesized phishing email with various ways of tracking whether recipients took the bait.

If recipients clicked on a link, opened a .pdf attachment (which emitted a beacon on download) or submitted credentials, the department presented them with a message to be more careful. But gullible first-round participants were also subject to additional rounds of experimental phishing.

In all, it required four rounds of phishing before all experimental subjects learned not to take the bait, the paper says. The phishing approach to garner the largest response--and which also lasted the greatest number of rounds--was an email with a link to an external website. One hundred and seventy seven experiment subjects clicked on the link, which promised users an iPad, during the first round, and the method was the only one to make it to the fourth round.

"A fully developed production system that extends upon the one proposed within this work could be used to support the [Homeland Security Department] mission of securing government departments and agencies," the paper says.

Its authors are Brian Bowen, Ramaswamy Devarajan and Salvatore Stolfo.

For more:
- download the paper, "Measuring the Human Factor of Cyber Security" (.pdf)

Related Articles:
Chinese phishers attacking Chinese targets, says Anti-Phishing Working Group 
'Nitro' hackers target chemical and defense companies, says Symantec 
Q&A: David Jevans on phishing attacks