An investigation of phishing awareness and education over time: When and how to best remind users
Benjamin Reinheimer, Lukas Aldag, Peter Mayer, Mattia Mossano, and Reyhan Duezguen, SECUSO - Security, Usability, Society, Karlsruhe Institute of Technology; Bettina Lofthouse, Landesamt für Geoinformation und Landesvermessung Niedersachsen; Tatiana von Landesberger, Interactive Graphics Systems Group, Technische Universität Darmstadt; Melanie Volkamer, SECUSO - Security, Usability, Society, Karlsruhe Institute of Technology
Security awareness and education programmes are rolled out in more and more organisations. However, their effectiveness over time and, correspondingly, appropriate intervals to remind users’ awareness and knowledge are an open question. In an attempt to address this open question, we present a field investigation in a German organisation from the public administration sector. With overall 409 employees, we evaluated (a) the effectiveness of their newly deployed security awareness and education programme in the phishing context over time and (b) the effectiveness of four different reminder measures – administered after the initial effect had worn off to a degree that no significant improvement to before its deployment was detected anymore. We find a significantly improved performance of correctly identifying phishing and legitimate emails directly after and four months after the programme’s deployment. This was not the case anymore after six months, indicating that reminding users after half a year is recommended. The investigation of the reminder measures indicates that measures based on videos and interactive examples perform best, lasting for at least another six months.
View the full SOUPS 2020 program at https://www.usenix.org/conference/soups2020/technical-sessions