O. Braun, M. Große-Kampmann, J. Hörnemann, Prof. Norbert Pohlmann (Institut für Internet-Sicherheit), T. Urban: “Different Seas, Different Phishes – Large-Scale Analysis of Phishing Simulations Across Different Industries”, in ACM ASIA Conference on Computer and Communications Security (ACM ASIACCS), Hanoi, Vietnam
Abstract

Phishing is an increasing threat to the security of end-users, networks, and organizations. Phishing simulations via email are a widespread tool used to measure user awareness, especially in workplace settings. However, current studies focusing on large-scale analysis of phishing simulations often have issues: either the phishing simulations were conducted using a small sample size (mostly one or two organizations), or, while many emails are sent, the analysis focuses only on specific companies. This study analyzes phishing simulations conducted over three years at 36 organizations with over 68 000 delivered emails. We compare different dimensions of the organizations where these simulations were conducted, such as the economic sector and departments. Furthermore, we evaluate various dimensions of phishing simulation campaigns, such as detection difficulty and the scenario under which the simulation occurs. Our findings indicate significant disparities in the results depending on factors such as the industry sector in which the company operates. Moreover, we find substantial differences between the success rates of the varying scenarios used for phishing emails.

1 Introduction

Phishing emails are still a prevalent threat to organizational security. Several countermeasures, such as detection mechanisms [53] or machine learning approaches [44], have been used in the past. In recent years, organizations have also introduced so-called security awareness campaigns (SAC) and phishing simulation campaigns (PSC) alongside technical countermeasures to raise awareness of phishing emails. This adds a further security layer, and nowadays employee training is vital to an organization's cybersecurity and mandatory according to different cybersecurity regulations and standards, e.g., NIS2 [51], ISO 27001 [46], or ISO 27004, which recommend PSCs as a measure to verify security trainings [27].
It is currently more complex to quantitatively evaluate human aspects of cybersecurity than to evaluate technical measures, e.g., the blocking rate of a firewall [7, 48]. One approach to obtaining quantitative data is to perform PSCs in an organization, which generate data that can be evaluated. By analyzing this data, organizations seek to draw conclusions about the effectiveness of their security program [4–6]. Other studies researching phishing simulations and their click rates focus primarily on one organization [28, 34, 47]. Some academic studies are also biased toward academic institutions, as the authors solely conduct experiments within a university setting [54, 61]. This work addresses these gaps by performing large-scale phishing email campaigns in 36 organizations, sending and analyzing 68 743 phishing emails over 45 months using 96 distinct phishing campaigns. Our approach allows us to assess whether different sectors or departments within a company are more likely to identify potential phishing emails. Our findings help make specific recommendations for organizations to achieve a comprehensive level of awareness and realistically evaluate the phishing threat. In summary, we make the following contributions:

- By performing a large-scale quantitative analysis of 96 proprietary phishing campaigns across 36 organizations in various industries, we show the non-generalizability of previous work, which analyzes phishing within one or two organizations. Our large-scale horizontal study fills this research gap.
- We analyze different economic sectors and departments within a company and show significant disparities in susceptibility to phishing. By comparing different levels of detection difficulty according to the Phish Scale [13, 52], we show that detection difficulty is not a significant predictor of dangerous interactions; other factors are more influential.
- Through the analysis of different phishing scenarios, we show that some (e.g., “Don’t Miss Out”, where the email contains a limited offer that the user should not miss) lead to considerably more dangerous interactions with the emails than other scenarios.
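The contributions above boil down to one analytical question: do dangerous-interaction rates differ by sector, by Phish Scale difficulty, or by scenario? The following is an added example, not the paper's analysis code, showing how a security team could answer that question over its own PSC results with a per-group rate table and a Pearson chi-square test of independence. All records, the sector, department and scenario names, and the difficulty labels ("least", "moderate", "very", assumed to mirror Phish Scale categories) are constructed here; the counts are chosen only so that the test behaves as the paper describes (sector and scenario significant, difficulty not), not taken from the study.

```python
"""
Evaluate phishing simulation campaign (PSC) results per sector, per detection
difficulty and per scenario. Added example with constructed data; not the
paper's code or data. Standard library only.
"""
from collections import defaultdict
from dataclasses import dataclass

# Chi-square critical values at alpha = 0.05 for 1..5 degrees of freedom.
CHI2_CRIT_05 = {1: 3.841, 2: 5.991, 3: 7.815, 4: 9.488, 5: 11.070}


@dataclass(frozen=True)
class CampaignResult:
    """Aggregated outcome of one simulated phishing email in one department."""
    sector: str
    department: str
    difficulty: str   # assumed Phish Scale label: "least", "moderate", "very"
    scenario: str     # assumed scenario name, e.g. "dont_miss_out"
    delivered: int    # emails delivered to the department
    dangerous: int    # dangerous interactions (e.g. credentials entered)


# Constructed sample data (not from the paper).
SAMPLE = [
    CampaignResult("Finance", "Accounting", "least", "dont_miss_out", 200, 30),
    CampaignResult("Finance", "IT", "moderate", "invoice", 100, 5),
    CampaignResult("Manufacturing", "Production", "least", "dont_miss_out", 200, 60),
    CampaignResult("Manufacturing", "IT", "very", "invoice", 100, 20),
    CampaignResult("Healthcare", "Nursing", "moderate", "dont_miss_out", 150, 45),
    CampaignResult("Healthcare", "IT", "very", "it_support", 50, 5),
]


def rate_by(records, key):
    """Dangerous-interaction rate per value of `key`.
    Returns {group: (dangerous, delivered, rate)} with groups in sorted order."""
    dangerous = defaultdict(int)
    delivered = defaultdict(int)
    for r in records:
        group = getattr(r, key)
        dangerous[group] += r.dangerous
        delivered[group] += r.delivered
    return {g: (dangerous[g], delivered[g], dangerous[g] / delivered[g])
            for g in sorted(delivered)}


def contingency(records, key):
    """One row per group, columns [dangerous, not dangerous]."""
    return [[d, n - d] for d, n, _ in rate_by(records, key).values()]


def chi_square(table):
    """Pearson chi-square statistic of independence for an r x c table.
    Returns (statistic, degrees of freedom, smallest expected cell count)."""
    row_tot = [sum(row) for row in table]
    col_tot = [sum(col) for col in zip(*table)]
    total = sum(row_tot)
    stat = 0.0
    min_expected = float("inf")
    for i, row in enumerate(table):
        for j, observed in enumerate(row):
            expected = row_tot[i] * col_tot[j] / total
            min_expected = min(min_expected, expected)
            stat += (observed - expected) ** 2 / expected
    df = (len(table) - 1) * (len(table[0]) - 1)
    return stat, df, min_expected


def differs_significantly(records, key, crit=CHI2_CRIT_05):
    """True if dangerous-interaction rates across `key` groups differ at
    alpha = 0.05. Refuses to answer when an expected cell count is below 5,
    the usual validity condition for the chi-square approximation."""
    stat, df, min_exp = chi_square(contingency(records, key))
    if df not in crit:
        raise ValueError(f"no critical value tabulated for df={df}")
    if min_exp < 5:
        raise ValueError(f"expected cell count {min_exp:.1f} < 5; use an exact test")
    return stat > crit[df]


if __name__ == "__main__":
    for key in ("sector", "difficulty", "scenario"):
        stat, df, _ = chi_square(contingency(SAMPLE, key))
        print(f"{key}: chi2={stat:.2f} df={df} "
              f"significant={differs_significantly(SAMPLE, key)}")
        for group, (d, n, rate) in rate_by(SAMPLE, key).items():
            print(f"  {group:<14} {d:>4}/{n:<4} {rate:.1%}")
```

Run as a script, it prints the rate table and the test verdict per dimension. With this constructed data the sector and scenario splits are significant while the difficulty split is not, which is the shape of result the paper reports; on real PSC data the verdicts follow from the counts, and the expected-cell check matters because small departments quickly produce cells where the chi-square approximation is unreliable.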
…